CVE-2006-0645 Information

Description

Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via "out-of-bounds access" caused by invalid input, as demonstrated by the ProtoVer SSL test suite.

Reference

http://josefsson.org/cgi-bin/viewcvs.cgi/gnutls/tests/certder.c?view=markup
http://josefsson.org/cgi-bin/viewcvs.cgi/libtasn1/NEWS?root=gnupg-mirror&view=markup
http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.18-from-0.2.17.patch
http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001058.html
http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001059.html
http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001060.html
http://rhn.redhat.com/errata/RHSA-2006-0207.html
http://secunia.com/advisories/18794
http://secunia.com/advisories/18815
http://secunia.com/advisories/18830
http://secunia.com/advisories/18832
http://secunia.com/advisories/18898
http://secunia.com/advisories/18918
http://secunia.com/advisories/19080
http://secunia.com/advisories/19092
http://securityreason.com/securityalert/446
http://securitytracker.com/id?1015612
http://www.debian.org/security/2006/dsa-985
http://www.debian.org/security/2006/dsa-986
http://www.gentoo.org/security/en/glsa/glsa-200602-08.xml
http://www.gleg.net/protover_ssl.shtml
http://www.mandriva.com/security/advisories?name=MDKSA-2006:039
http://www.osvdb.org/23054
http://www.redhat.com/archives/fedora-announce-list/2006-February/msg00043.html
http://www.securityfocus.com/archive/1/424538/100/0/threaded
http://www.securityfocus.com/bid/16568
http://www.trustix.org/errata/2006/0008
http://www.vupen.com/english/advisories/2006/0496
https://exchange.xforce.ibmcloud.com/vulnerabilities/24606
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A10540
https://usn.ubuntu.com/251-1/
