StarlingX

[Debian] CVE: CVE-2021-46848: libtasn1 : an ETYPE_OK off-by-one

Bug #2002279 reported by Yue Tao on 2023-01-09

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	StarlingX	Fix Released	Critical	Zhixiong Chi

GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.

Score:
cve_id status cvss3Score av ac pr ui ai
CVE-2022-42898 fixed 9.1 N L N N H

['libtasn1-6_4.16.0-2_amd64.deb===>libtasn1-6_4.16.0-2+deb11u1_amd64.deb']

Found during December 2022 CVE scan using vulscan

Tags:

Yue Tao (wrytao) on 2023-01-09

Changed in starlingx:
assignee:	nobody → Zhixiong Chi (zhixiongchi)
status:	New → Triaged
importance:	Undecided → Critical
information type:	Public → Public Security
tags:	added: stx.8.0 stx.security

Zhixiong Chi (zhixiongchi) on 2023-01-09

Changed in starlingx:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-01-10: Fix proposed to tools (master)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-01-11: Fix merged to tools (master)

commit e9da987a141f1568b5db198acf4bae269a56d6c5
Author: Zhixiong Chi <email address hidden>
Date: Mon Jan 9 00:20:19 2023 -0800

Debian: libtasn1-6: CVE-2021-46848

Upgrade libtasn1-6 to 4.16.0-2+deb11u1 to fix CVE-2021-46848.
libtasn1-6_4.16.0-2+deb11u1

    TestPlan:
    PASS: downloader
    PASS: build-pkgs -a -c
    PASS: build-image
    PASS: Jenkins Installation.

Closes-Bug: 2002279

Signed-off-by: Zhixiong Chi <email address hidden>
Change-Id: I8ff6d581b06b4f035f53fc01f5349afb5097a9c8

Changed in starlingx:
status:	In Progress → Fix Released

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Bug watches keep track of this bug in other bug trackers.