CVE-2018-6003

Name: CVE-2018-6003
Description: An issue was discovered in the _asn1_decode_simple_ber function in decoding.c in GNU Libtasn1 before 4.13. Unlimited recursion in the BER decoder leads to stack exhaustion and DoS.
NVD Severity: medium

References

| Type | URI |
|---|---|
| Third Party Advisory | https://gitlab.com/gnutls/libtasn1/commit/946565d8eb05fbf7970ea366e817581bb5a90910 |
| Issue Tracking | https://bugzilla.suse.com/show_bug.cgi?id=1076832 |
| Issue Tracking | https://bugzilla.redhat.com/show_bug.cgi?id=1535926 |
| Patch | http://git.savannah.nongnu.org/cgit/libtasn1.git/commit/?id=c593ae84cfcde8fea45787e53950e0ac71e9ca97 |
| Third Party Advisory | https://www.debian.org/security/2018/dsa-4106 |
| MLIST | https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E |
| MLIST | https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:gnu:libtasn1:*:*:*:*:*:*:*:* | libtasn1 | >= None | <= 4.12 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| libtasn1 | edge-main | 4.13-r0 | None | fixed |
| libtasn1 | edge-main | 4.12-r1 | None | possibly vulnerable |
| libtasn1 | 3.22-main | 4.13-r0 | None | fixed |
| libtasn1 | 3.22-main | 4.12-r1 | None | possibly vulnerable |
| libtasn1 | 3.21-main | 4.13-r0 | None | fixed |
| libtasn1 | 3.21-main | 4.12-r1 | None | possibly vulnerable |
| libtasn1 | 3.20-main | 4.13-r0 | None | fixed |
| libtasn1 | 3.20-main | 4.12-r1 | None | possibly vulnerable |
| libtasn1 | 3.19-main | 4.13-r0 | None | fixed |
| libtasn1 | 3.19-main | 4.12-r1 | None | possibly vulnerable |
| libtasn1 | 3.18-main | 4.13-r0 | None | fixed |
| libtasn1 | 3.17-main | 4.13-r0 | None | fixed |
| libtasn1 | 3.12-main | 4.13-r0 | None | fixed |
| libtasn1 | 3.11-main | 4.13-r0 | None | fixed |
| libtasn1 | 3.10-main | 4.13-r0 | None | fixed |