Source:
Internal

Info:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569
The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as 
used in GnuTLS before 3.0.16 and other products, does not properly handle 
certain large length values, which allows remote attackers to cause a denial 
of service (heap memory corruption and application crash) or possibly have 
unspecified other impact via a crafted ASN.1 structure. 

Status:
Need to determine if this patch has been sent upstream.

--- libtasn1-2.8/lib/decoding.c.orig	2012-04-06 12:19:39.986443804 +0800
+++ libtasn1-2.8/lib/decoding.c	2012-04-06 12:38:38.607157322 +0800
@@ -55,12 +55,14 @@
  * Extract a length field from DER data.
  *
  * Returns: Return the decoded length value, or -1 on indefinite
- *   length, or -2 when the value was too big.
+ *   length, or -2 when the value was too big to fit in a int, or -4
+ *   when the decoed length value plus @len would exceed @der_len.
+
  **/
 signed long
 asn1_get_length_der (const unsigned char *der, int der_len, int *len)
 {
-  unsigned long ans;
+  int ans;
   int k, punt;
 
   *len = 0;
@@ -83,7 +85,7 @@
 	  ans = 0;
 	  while (punt <= k && punt < der_len)
 	    {
-	      unsigned long last = ans;
+              int last = ans;
 
 	      ans = ans * 256 + der[punt++];
 	      if (ans < last)
@@ -93,10 +95,13 @@
 	}
       else
 	{			/* indefinite length method */
-	  ans = -1;
+           *len = punt;
+           return -1;
 	}
 
       *len = punt;
+      if (ans + *len < ans || ans + *len > der_len)
+       return -4;
       return ans;
     }
 }