Bugzilla – Bug 880737
VUL-0: CVE-2014-3467: libtasn1: multiple boundary check issues could allow DoS
Last modified: 2014-07-30 11:56:21 UTC
Multiple buffer boundary check issues were discovered in the libtasn1 library, causing it to read beyond the boundary of an allocated buffer. An untrusted ASN.1 input could cause an application using the library to crash.
Fixed upstream in libtasn1 3.6:
http://lists.gnu.org/archive/html/help-libtasn1/2014-05/msg00006.html
Please submit for SLE11-SP3, SLE12, openSUSE 12.3 and openSUSE 13.1.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1102022
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467
I'm not and never was responsible for this library, even though some stupid maintainer tool might have told you that. Please refer to the package changelog and find the one who really contributes to it. Thanks.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-06-06. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/57609
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-06-09. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/57618
This is an autogenerated message for OBS integration: This bug (880737) was mentioned in https://build.opensuse.org/request/show/236130 Factory / libtasn1
Looking into applying these patches, however there have been a lot of other changes since our versions so it's still a work in progress as they need reworking. However I think for SLE12 we probably should actually just update to the latest version to make the future SLE12 maintenance much easier. Marcus - do you see anything in the submission you made to factory (#236130) that would preclude submitting this to SLE12?
I submitted it this morning for SLE12.
Hmm, the patches mentioned in the Red Hat bug don't apply cleanly, and it's not just a question of jiggling them a bit. There are changes that *seem* easy enough to apply, but that may leave us with faulty code. For example, the first one has this: +++ b/lib/decoding.c @@ -149,7 +149,7 @@ asn1_get_tag_der (const unsigned char *der, int der_len, /* Long form */ punt = 1; ris = 0; - while (punt <= der_len && der[punt] & 128) + while (punt < der_len && der[punt] & 128) { if (INT_MULTIPLY_OVERFLOW (ris, 128)) Easy enough, substitute "<=" for "<". But it has that INT_MULTIPLY_OVERFLOW(), while the code in SLE11 doesn't have it: /* Long form */ punt = 1; ris = 0; while (punt <= der_len && der[punt] & 128) { int last = ris; ris = ris * 128 + (der[punt++] & 0x7F); So, there are other fixes that have been applied between version 1.5 (which is in SLE11) and version 3.3 from SLE12.
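Review bot: In the long form loop of asn1_get_tag_der, changing `punt <= der_len` to `punt < der_len` stops the read of der[der_len], but the visible lines do not show what happens when the loop exits because punt reached der_len rather than because a byte without the high bit was found. Whatever reads the terminating tag byte after the loop needs its own check that punt is still below der_len, and that should be confirmed in any backport. The 1.5 code quoted beside the hunk has the same `punt <= der_len` condition but keeps `int last = ris;` instead of calling INT_MULTIPLY_OVERFLOW, so a hand port should change only the comparison there and have its overflow path reviewed separately.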
I'm almost finished with this:
1. Wrap version 3.5 of libtasn1 so that it exposes the old API/ABI from 1.5, but uses the new implementation internally.
2. Since we expose the same old ABI, the library's .so version doesn't change from what it is in SLE11.
I'm testing this new package and will submit the results if they work.
Finally - this works. I've submitted this to SLE11 with request id 41117. Reassigning to security-team.
Resubmitted, with resolved conflicts for osc, with request 41158.
Resubmitted again with id 41219, without unreferenced patches (argh!).
SUSE-SU-2014:0931-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 880735,880737,880738
CVE References: CVE-2014-3467,CVE-2014-3468,CVE-2014-3469
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libtasn1-1.5-1.28.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): libtasn1-1.5-1.28.1
SUSE Linux Enterprise Server 11 SP3 (src): libtasn1-1.5-1.28.1
SUSE Linux Enterprise Desktop 11 SP3 (src): libtasn1-1.5-1.28.1
This is an autogenerated message for OBS integration: This bug (880737) was mentioned in https://build.opensuse.org/request/show/242449 Factory / libtasn1
released