[USN-2294-1] Libtasn1 vulnerabilities

Marc Deslauriers marc.deslauriers at canonical.com
Tue Jul 22 18:08:22 UTC 2014 

==========================================================================
Ubuntu Security Notice USN-2294-1
July 22, 2014

libtasn1-3, libtasn1-6 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

Libtasn1 could be made to crash or run programs as your login if it
processed specially crafted data.

Software Description:
- libtasn1-6: Library to manage ASN.1 structures
- libtasn1-3: Library to manage ASN.1 structures

Details:

It was discovered that Libtasn1 incorrectly handled certain ASN.1 data
structures. An attacker could exploit this with specially crafted ASN.1
data and cause applications using Libtasn1 to crash, resulting in a denial
of service. (CVE-2014-3467)

It was discovered that Libtasn1 incorrectly handled negative bit lengths.
An attacker could exploit this with specially crafted ASN.1 data and cause
applications using Libtasn1 to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2014-3468)

It was discovered that Libtasn1 incorrectly handled certain ASN.1 data. An
attacker could exploit this with specially crafted ASN.1 data and cause
applications using Libtasn1 to crash, resulting in a denial of service.
(CVE-2014-3469)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  libtasn1-6                      3.4-3ubuntu0.1

Ubuntu 12.04 LTS:
  libtasn1-3                      2.10-1ubuntu1.2

Ubuntu 10.04 LTS:
  libtasn1-3                      2.4-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2294-1
  CVE-2014-3467, CVE-2014-3468, CVE-2014-3469

Package Information:
  https://launchpad.net/ubuntu/+source/libtasn1-6/3.4-3ubuntu0.1
  https://launchpad.net/ubuntu/+source/libtasn1-3/2.10-1ubuntu1.2
  https://launchpad.net/ubuntu/+source/libtasn1-3/2.4-1ubuntu0.2


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20140722/2e12ec20/attachment.sig>

More information about the ubuntu-security-announce mailing list