Bugzilla – Bug 880735
VUL-0: CVE-2014-3468: libtasn1: asn1_get_bit_der() can return negative bit length
Last modified: 2014-07-30 11:56:09 UTC
asn1_get_bit_der() can return negative bit length upon parsing ASN.1 input. This could lead to several problems in the code that assumes a correct and positive length count.

Fixed upstream in libtasn1 3.6: http://lists.gnu.org/archive/html/help-libtasn1/2014-05/msg00006.html

Please submit for SLES 11-SP3, SLES 12, openSUSE 12.3 and openSUSE 13.1.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1102323
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468
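Added example, not part of the bug report and not libtasn1's code: a simplified stand-alone model of a DER BIT STRING length calculation, showing how an unused-bits octet larger than the data yields a negative bit count, next to a version that rejects such input. The function names, the short-form-only length parsing and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BIT_OK   0
#define BIT_ERR (-1)

/* Constructed inputs: one short-form length octet, then the content octets.
   The first content octet is the unused-bits count (X.690 allows 0..7). */
static const uint8_t sample_valid[]  = { 0x02, 0x04, 0xF0 }; /* 4 bits: 1111 */
static const uint8_t sample_empty[]  = { 0x01, 0x07 };       /* no data, claims 7 unused */
static const uint8_t sample_unused[] = { 0x02, 0xFF, 0x00 }; /* 1 data octet, claims 255 unused */

/* Unchecked model: bounds-checks the buffer but trusts the unused-bits octet. */
static int bit_len_unchecked(const uint8_t *der, size_t der_len, int *bit_len)
{
    if (der_len < 2 || (der[0] & 0x80))     /* long-form lengths are out of scope here */
        return BIT_ERR;
    int content = der[0];                   /* content octets, including the unused-bits octet */
    if (content < 1 || (size_t)content > der_len - 1)
        return BIT_ERR;
    *bit_len = (content - 1) * 8 - der[1];  /* goes negative when der[1] exceeds the data bits */
    return BIT_OK;
}

/* Checked model: rejects the encoding instead of handing back a negative count. */
static int bit_len_checked(const uint8_t *der, size_t der_len, int *bit_len)
{
    int n;
    if (bit_len_unchecked(der, der_len, &n) != BIT_OK)
        return BIT_ERR;
    if (der[1] > 7 || n < 0)                /* invalid unused-bits count, or empty string with unused bits */
        return BIT_ERR;
    *bit_len = n;
    return BIT_OK;
}

int main(void)
{
    const uint8_t *in[] = { sample_valid, sample_empty, sample_unused };
    const size_t len[]  = { sizeof sample_valid, sizeof sample_empty, sizeof sample_unused };
    for (int i = 0; i < 3; i++) {
        int u = 0, c = 0;
        int ru = bit_len_unchecked(in[i], len[i], &u);
        int rc = bit_len_checked(in[i], len[i], &c);
        printf("sample %d: unchecked rc=%d bits=%d | checked rc=%d bits=%d\n", i, ru, u, rc, c);
    }
    return 0;
}
```

A caller that sizes a copy or a buffer from the returned bit count is the code that "assumes a correct and positive length count"; rejecting the encoding inside the parser keeps that assumption true for every caller.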
I'm not and never was responsible for this library, even though some stupid maintainer tool might have told you that. Please refer to the package changelog and find the one who really contributes to it. Thanks.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-06-06. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/57609
Affected packages: SLE-11-SP3: libtasn1
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-06-09. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/57618
This is an autogenerated message for OBS integration: This bug (880735) was mentioned in https://build.opensuse.org/request/show/236130 Factory / libtasn1
Fixes submitted for SLE 11, SLE 12, openSUSE 12.3 and openSUSE 13.1. I would suggest waiting for the related submission for bnc#880737 before pushing.
This is an autogenerated message for OBS integration: This bug (880735) was mentioned in https://build.opensuse.org/request/show/237601 13.1 / libtasn1 https://build.opensuse.org/request/show/237602 12.3 / libtasn1
SUSE-SU-2014:0931-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 880735,880737,880738
CVE References: CVE-2014-3467,CVE-2014-3468,CVE-2014-3469
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libtasn1-1.5-1.28.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): libtasn1-1.5-1.28.1
SUSE Linux Enterprise Server 11 SP3 (src): libtasn1-1.5-1.28.1
SUSE Linux Enterprise Desktop 11 SP3 (src): libtasn1-1.5-1.28.1
This is an autogenerated message for OBS integration: This bug (880735) was mentioned in https://build.opensuse.org/request/show/242449 Factory / libtasn1
released