CVE-2017-10790

NameCVE-2017-10790
DescriptionThe _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes a NULL pointer dereference and crash when reading crafted input that triggers assignment of a NULL value within an asn1_node structure. It may lead to a remote denial of service attack.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1038-1, DLA-2255-1, DSA-4106-1
Debian Bugs867398

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libtasn1-6 (PTS)buster4.13-3fixed
buster (security)4.13-3+deb10u1fixed
bullseye4.16.0-2+deb11u1fixed
bookworm4.19.0-2fixed
sid, trixie4.19.0-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libtasn1-3sourcewheezy2.13-2+deb7u5DLA-1038-1
libtasn1-3source(unstable)(unfixed)
libtasn1-6sourcejessie4.2-3+deb8u4DLA-2255-1
libtasn1-6sourcestretch4.10-1.1+deb9u1DSA-4106-1
libtasn1-6source(unstable)4.12-2.1867398

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1464141
Fixed by: https://gitlab.com/gnutls/libtasn1/commit/d8d805e1f2e6799bb2dff4871a8598dc83088a39

Search for package or bug name: Reporting problems