=========================================================================Ubuntu Security Notice USN-2294-1
July 22, 2014
libtasn1-3, libtasn1-6 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Libtasn1 could be made to crash or run programs as your login if it
processed specially crafted data.
Software Description:
- libtasn1-6: Library to manage ASN.1 structures
- libtasn1-3: Library to manage ASN.1 structures
Details:
It was discovered that Libtasn1 incorrectly handled certain ASN.1 data
structures. An attacker could exploit this with specially crafted ASN.1
data and cause applications using Libtasn1 to crash, resulting in a denial
of service. (CVE-2014-3467)
It was discovered that Libtasn1 incorrectly handled negative bit lengths.
An attacker could exploit this with specially crafted ASN.1 data and cause
applications using Libtasn1 to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2014-3468)
It was discovered that Libtasn1 incorrectly handled certain ASN.1 data. An
attacker could exploit this with specially crafted ASN.1 data and cause
applications using Libtasn1 to crash, resulting in a denial of service.
(CVE-2014-3469)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
libtasn1-6 3.4-3ubuntu0.1
Ubuntu 12.04 LTS:
libtasn1-3 2.10-1ubuntu1.2
Ubuntu 10.04 LTS:
libtasn1-3 2.4-1ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-2294-1
CVE-2014-3467, CVE-2014-3468, CVE-2014-3469
Package Information:
https://launchpad.net/ubuntu/+source/libtasn1-6/3.4-3ubuntu0.1
https://launchpad.net/ubuntu/+source/libtasn1-3/2.10-1ubuntu1.2
https://launchpad.net/ubuntu/+source/libtasn1-3/2.4-1ubuntu0.2
