Sync libtasn1-6 4.5-2 (main) from Debian unstable (main)

Bug #1455822 reported by Artur Rona
Affects: libtasn1-6 (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Please sync libtasn1-6 4.5-2 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: denial of service and possible code execution via
    overflow in _asn1_extract_der_octet.
    - debian/patches/CVE-2015-3622.patch: properly handle length in
      lib/decoding.c.
    - CVE-2015-3622
  * SECURITY UPDATE: denial of service and possible code execution via
    overflow in _asn1_ltostr.
    - debian/patches/CVE-2015-2806.patch: increase size of LTOSTR_MAX_SIZE
      to account for sign and null byte in lib/parser_aux.{c,h}.
    - CVE-2015-2806

Both patches have been fixed upstream.

Changelog entries since current wily version 4.2-2ubuntu2:

libtasn1-6 (4.5-2) unstable; urgency=medium

  * Upload to unstable.

 -- Andreas Metzler <email address hidden> Sat, 02 May 2015 14:27:06 +0200

libtasn1-6 (4.5-1) experimental; urgency=medium

  * New upstream version.
    + Drop 20_asn1_extract_der_octet-prevent-past-of-boundary-acc.patch.

 -- Andreas Metzler <email address hidden> Thu, 30 Apr 2015 19:06:44 +0200

libtasn1-6 (4.4-3) unstable; urgency=medium

  * Upload to unstable.
  * Pull 20_asn1_extract_der_octet-prevent-past-of-boundary-acc.patch from
    upstream GIT to correct an invalid memory access in octet string
    decoding.

 -- Andreas Metzler <email address hidden> Mon, 27 Apr 2015 07:19:34 +0200

libtasn1-6 (4.4-2) experimental; urgency=medium

  * Really bump shlibs. Closes: #782286

 -- Andreas Metzler <email address hidden> Fri, 10 Apr 2015 19:08:24 +0200

libtasn1-6 (4.4-1) experimental; urgency=medium

  * New upstream version.

 -- Andreas Metzler <email address hidden> Sun, 29 Mar 2015 13:12:15 +0200

libtasn1-6 (4.3-1) experimental; urgency=medium

  * Mark libtasn1-6-dev Multi-Arch: same.
  * New upstream version.
    + Bump shlibs, asn1_decode_simple_ber() added.

 -- Andreas Metzler <email address hidden> Tue, 10 Mar 2015 19:09:15 +0100

libtasn1-6 (4.2-3) unstable; urgency=medium

  * Pull 20_CVE-2015-2806.diff from upstream 4.4 release to correct a
    two-byte stack overflow in asn1_der_decoding. CVE-2015-2806.

 -- Andreas Metzler <email address hidden> Sat, 04 Apr 2015 08:04:32 +0200

Artur Rona (ari-tczew)
Changed in libtasn1-6 (Ubuntu):
importance: Undecided → Wishlist
Daniel Holbach (dholbach) wrote :

This bug was fixed in the package libtasn1-6 - 4.5-2
Sponsored for Artur Rona (ari-tczew)


Changed in libtasn1-6 (Ubuntu):
status: New → Fix Released