Bug 1187913 (CVE-2019-25049)

Summary:	VUL-1: CVE-2019-25049: libressl: out-of-bounds read in asn1_item_print_ctx()
Product:	[openSUSE] openSUSE Distribution	Reporter:	Robert Frohl <rfrohl>
Component:	Security	Assignee:	Jan Engelhardt <jengelh>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Minor
Priority:	P5 - None
Version:	Leap 15.2
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/303347/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Robert Frohl 2021-07-01 10:53:56 UTC

CVE-2019-25049

LibreSSL 2.9.1 through 3.2.1 has an out-of-bounds read in asn1_item_print_ctx
(called from asn1_template_print_ctx).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-25049
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13920
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25049
https://github.com/libressl-portable/portable/commit/17c88164016df821df2dff4b2b1291291ec4f28a
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libressl/OSV-2020-1965.yaml

Comment 1 Robert Frohl 2021-07-01 10:54:54 UTC

fixed In Factory, still open for Leap 15.2

Comment 2 Robert Frohl 2021-07-01 10:57:16 UTC

(In reply to Robert Frohl from comment #1)
> still open for Leap 15.2

sorry, thats wrong. All fixed, closing

Comment 3 OBSbugzilla Bot 2021-07-01 12:20:06 UTC

This is an autogenerated message for OBS integration:
This bug (1187913) was mentioned in
https://build.opensuse.org/request/show/903393 15.2 / libressl