Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CALJHwhQTKMaC6kp33J+1nmBPUqL7-Ppzb1V=7B+ffNfDyWsdoQ@mail.gmail.com>
Date: Fri, 13 May 2016 00:01:56 +1000
From: Wade Mealing <wmealing@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-0758 - Linux kernel - Flaw in ASN.1 DER decoder for x509
 certificate DER files.

An issue with ASN.1 DER decoder was reported that could lead to memory
corruptions, possible privilege escalation, or complete local denial
of service via x509 certificate DER files.

Tags with indefinite length can be used to corrupt the _dp and _len
pointers in asn1_find_indefinite_length() in lib/asn1_decoder.c

The vulnerable code:

...
next_tag:
        if (unlikely(datalen - dp < 2)) {
                if (datalen == dp)
                        goto missing_eoc;
                goto data_overrun_error;
        }
...
        n = len - 0x80;
        if (unlikely(n > sizeof(size_t) - 1))
                goto length_too_long;
        if (unlikely(n > datalen - dp))
                goto data_overrun_error;
        for (len = 0; n > 0; n--) {
                len <<= 8;
                len |= data[dp++];
        }
        dp += len;
        goto next_tag;
...

The dp can be corrupted and the check at next_tag is not sufficient to
prevent this.

Red Hat would like to thank Philip Pettersson of Samsung for reporting
this issue to Red Hat.

Thanks,

Wade Mealing
Red Hat Product Security Team


References:

Upstream fix:
https://lkml.org/lkml/2016/5/12/270

Red hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1300257

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.