components/libtasn1/patches/libtasn1-03-cve-2014-3468.patch
author Ann Lai <ann.lai@oracle.com>
Thu, 30 Jul 2015 17:45:10 -0700
changeset 4723 4193dfeb0e39
permissions -rw-r--r--
21124729 Move libtasn1 from Desktop to Userland consolidation 21124720 Move libgpg-error from Desktop to Userland consolidation 21124683 Move libgcrypt from Desktop to Userland consolidation

Source:
Internal

Info:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468
The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly 
report an error when a negative bit length is identified, which allows 
context-dependent attackers to cause out-of-bounds access via crafted ASN.1 
data. 

Status:
Need to determine if this patch has been sent upstream.

--- libtasn1-2.8/lib/decoding.c.orig	2014-06-05 10:36:51.728076396 +0530
+++ libtasn1-2.8/lib/decoding.c	2014-06-05 10:39:39.072295803 +0530
@@ -214,7 +214,7 @@ asn1_get_octet_der (const unsigned char
 		    int *ret_len, unsigned char *str, int str_size,
 		    int *str_len)
 {
-  int len_len;
+  int len_len = 0;
 
   if (der_len <= 0)
     return ASN1_GENERIC_ERROR;
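Review bot: The `= 0` initializer on `len_len` is added without a comment, and the patch header does not explain how it relates to the negative-bit-length issue it describes; the same applies to the identical change in asn1_get_bit_der in the next hunk. If it is there because the length parser can return without writing `len_len`, say so next to the declaration, e.g. `/* stays 0 if the length parser fails before setting it */`, so a later cleanup does not drop it as redundant. The code that fills and uses `len_len` in asn1_get_octet_der is outside this hunk, so it cannot be confirmed from here whether the initializer is required or only silences a compiler warning.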
@@ -335,7 +335,7 @@ asn1_get_bit_der (const unsigned char *d
 		  int *ret_len, unsigned char *str, int str_size,
 		  int *bit_len)
 {
-  int len_len, len_byte;
+  int len_len = 0, len_byte;
 
   if (der_len <= 0)
     return ASN1_GENERIC_ERROR;
@@ -346,6 +346,9 @@ asn1_get_bit_der (const unsigned char *d
   *ret_len = len_byte + len_len + 1;
   *bit_len = len_byte * 8 - der[len_len];
 
+  if (*bit_len <= 0)
+    return ASN1_DER_ERROR;
+
   if (str_size >= len_byte)
     memcpy (str, der + len_len + 1, len_byte);
   else
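Review bot: The added guard `if (*bit_len <= 0)` rejects a bit length of zero as well as a negative one, while the patch header describes only the negative case. A BIT STRING with no content octets after the unused-bits octet (`len_byte == 0`, `der[len_len] == 0`) yields `*bit_len == 0` and would now fail with ASN1_DER_ERROR; if empty bit strings must still decode, the test should be `if (*bit_len < 0)`. `*ret_len` and `*bit_len` have also already been written when the error is returned, so the function comment should say that both outputs are not meaningful on a non-success return. The start of asn1_get_bit_der's body and the rest of the `else` branch are outside this hunk.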