SB2017053028 - Fedora EPEL 7 update for mingw-libtasn1
Published: May 30, 2017 Updated: April 24, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2015-3622)
The vulnerability allows a remote attacker to cause DoS conditions on the target system.The weakness exists due to an error in the _asn1_extract_der_octet function in lib/decoding.c. A remote attacker can send a specially crafted certificate, trigger out-of-bounds heap read and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
2) Input validation error (CVE-ID: CVE-2016-4008)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the _asn1_extract_der_octet() function in lib/decoding.c when parsing certificates. A remote attacker can supply a specially crafted certificate file and crash the affected application.
Successful exploitation of the vulnerability requires that ASN1_DECODE_FLAG_STRICT_DER flag is not used.
3) Buffer overflow (CVE-ID: CVE-2017-6891)
A remote attacker can execute arbitrary code on the target system.The vulnerability exists due to a boundary error in "asn1_find_node()" function (lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 when processing a specially crafted assignments file via the e.g. asn1Coding utility. A remote attacker can trick the victim into opening a specially crafted file, trigger stack-based buffer overflow and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Remediation
Install update from vendor's website.