SB2019072138 - Input validation error in libtasn1 (Alpine package)
Published: July 21, 2019
Security Bulletin ID
SB2019072138
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2018-1000654)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the _asn1_expand_object_id(p_tree) function when parsing a specially crafted file with asn1Parser binary. An attacker can create a specially crafted file, pass it to the application and consume all available CPU resources on the system.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=5e3a0aede429cc681fb71653cd4544284ceb58f7
- https://git.alpinelinux.org/aports/commit/?id=69f938f4250b0ba60b9ee4e57d42325791fa0cda
- https://git.alpinelinux.org/aports/commit/?id=a17a05c052b39180e5e9ca9198ab8756ba0fc0aa
- https://git.alpinelinux.org/aports/commit/?id=b2bb01e5559952d7c2535629e34c5a46a8c2b4ff
- https://git.alpinelinux.org/aports/commit/?id=516129f7e77b1c7def4f3d8aa08d8673e4c4d69f