SB2017080321 - Null pointer dereference in libtasn1 (Alpine package)
Published: August 3, 2017
Security Bulletin ID
SB2017080321
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Partial DoS
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Null pointer dereference (CVE-ID: CVE-2017-10790)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the _asn1_check_identifier function in GNU Libtasn1 due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted input, trigger assignment of a NULL value within an asn1_node structure and cause the service to crash.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=69f938f4250b0ba60b9ee4e57d42325791fa0cda
- https://git.alpinelinux.org/aports/commit/?id=a17a05c052b39180e5e9ca9198ab8756ba0fc0aa
- https://git.alpinelinux.org/aports/commit/?id=b2bb01e5559952d7c2535629e34c5a46a8c2b4ff
- https://git.alpinelinux.org/aports/commit/?id=4fbd4bf8096893f9d7e8d2725463113bcfb5e1a9
- https://git.alpinelinux.org/aports/commit/?id=1ed7d3233ead92fd7304cc4d38f8ea503759d5c6
- https://git.alpinelinux.org/aports/commit/?id=8a5dd42758796f36dc30e27352388dede05b3de4
- https://git.alpinelinux.org/aports/commit/?id=8c52e27824a3b43b4825a8bd2cd52735523c7fa0
- https://git.alpinelinux.org/aports/commit/?id=f15fb841bafcbebb3de01e76418ec067ec8e2a0b