| Name | CVE-2019-17362 |
| Description | In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1951-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libcryptx-perl (PTS) | bullseye | 0.069-1 | fixed |
| bookworm | 0.077-1 | fixed | |
| sid, trixie | 0.084-1 | fixed | |
| libtomcrypt (PTS) | bullseye | 1.18.2-5 | fixed |
| bookworm | 1.18.2-6 | fixed | |
| sid, trixie | 1.18.2+dfsg-7 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libcryptx-perl | source | (unstable) | 0.066-1 | |||
| libtomcrypt | source | jessie | 1.17-6+deb8u1 | DLA-1951-1 | ||
| libtomcrypt | source | (unstable) | 1.18.2-3 |
[buster] - libtomcrypt <no-dsa> (Minor issue)
[stretch] - libtomcrypt <no-dsa> (Minor issue)
https://github.com/libtom/libtomcrypt/issues/507
https://github.com/libtom/libtomcrypt/pull/508
https://github.com/libtom/libtomcrypt/commit/25c26a3b7a9ad8192ccc923e15cf62bf0108ef94
perl-CryptX: https://github.com/DCIT/perl-CryptX/commit/32f1d210ed6300b8e82f46f1b983f7316aa7eaf9 (v0.065)