Mandriva Linux Security Advisory : libtasn1 (MDVSA-2015:116)

medium Nessus Plugin ID 82369

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Updated libtasn1 packages fix security vulnerabilities :

Multiple buffer boundary check issues were discovered in libtasn1 library, causing it to read beyond the boundary of an allocated buffer. An untrusted ASN.1 input could cause an application using the library to crash (CVE-2014-3467).

It was discovered that libtasn1 library function asn1_get_bit_der() could incorrectly report negative bit length of the value read from ASN.1 input. This could possibly lead to an out of bounds access in an application using libtasn1, for example in case if application tried to terminate read value with NUL byte (CVE-2014-3468).

A NULL pointer dereference flaw was found in libtasn1's asn1_read_value_type() / asn1_read_value() function. If an application called the function with a NULL value for an ivalue argument to determine the amount of memory needed to store data to be read from the ASN.1 input, libtasn1 could incorrectly attempt to dereference the NULL pointer, causing an application using the library to crash (CVE-2014-3469).

Solution

Update the affected lib64tasn1-devel, lib64tasn1_6 and / or libtasn1-tools packages.

See Also

http://advisories.mageia.org/MGASA-2014-0247.html

Plugin Details

Severity: Medium

ID: 82369

File Name: mandriva_MDVSA-2015-116.nasl

Version: 1.4

Type: local

Published: 3/30/2015

Updated: 1/14/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:mandriva:business_server:2, p-cpe:/a:mandriva:linux:lib64tasn1-devel, p-cpe:/a:mandriva:linux:lib64tasn1_6, p-cpe:/a:mandriva:linux:libtasn1-tools

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 3/29/2015

Reference Information

CVE: CVE-2014-3467, CVE-2014-3468, CVE-2014-3469

MDVSA: 2015:116