Re: Fwd: GNU Libtasn1 2.12 released
From: Nikos Mavrogiannopoulos
Subject: Re: Fwd: GNU Libtasn1 2.12 released
Date: Tue, 20 Mar 2012 18:41:21 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111114 Icedove/3.1.16
On 03/20/2012 09:20 AM, Tomas Hoger wrote:
>> Note that the bug fixed affects all gnutls versions.
> Nikos, should the above be read as "all gnutls versions include
> libtasn1 versions affected by this problem" or "gnutls uses
> asn1_get_length_der incorrectly too"?
I don't think gnutls uses asn1_get_length_der(). It is libtasn1
that was using asn1_get_length_der() internally in an incorrect
way. Because of that, all programs using libtasn1 are vulnerable,
including gnutls.
> Have you managed to
> confirm the issue in gnutls and can possibly comment on known
> possible impacts (e.g. TLS client can trigger this on TLS server
> by providing a crafted client certificate during handshake)?
Yes, certificate parsing crashes gnutls with the vulnerable libtasn1.
regards,
Nikos