Updated libksba packages fix security vulnerabilities
Publication date: 18 May 2016
Modification date: 18 May 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-4574, CVE-2016-4579
Description
Updated libksba packages fix security vulnerabilities: An out-of-bounds read access in _ksba_dn_to_str() in libksba 1.3.3, due to an incomplete fix for CVE-2016-4356, could result in denial of service (CVE-2016-4574). In libksba 1.3.3, the returned length of the object from _ksba_ber_parse_tl() (ti.length) was not always checked against the actual buffer length, thus leading to a read access after the end of the buffer, which could result in denial of service (CVE-2016-4579).
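The kind of check described for CVE-2016-4579, as an added example that is not libksba's code: a minimal definite-length BER tag/length parser whose caller rejects a declared length larger than the bytes remaining in the buffer. The names `tl_info`, `parse_tl` and `tl_content` are hypothetical, and the input bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical minimal header description; not libksba's own structure. */
struct tl_info {
    uint8_t tag;     /* identifier octet (single-byte tags only) */
    size_t  nhdr;    /* octets consumed by tag + length */
    size_t  length;  /* declared content length, taken from untrusted input */
};

/* Parse one definite-length BER header from buf[0..len). Returns 0 on success. */
static int parse_tl(const uint8_t *buf, size_t len, struct tl_info *ti)
{
    size_t pos = 0, n;
    uint8_t c;

    if (len < 2 || (buf[0] & 0x1f) == 0x1f)
        return -1;                /* too short, or multi-byte tag (not handled) */
    ti->tag = buf[pos++];
    c = buf[pos++];
    if (!(c & 0x80)) {
        ti->length = c;           /* short form: length is in this octet */
    } else {
        n = c & 0x7f;             /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || n > len - pos)
            return -1;            /* indefinite, too wide, or truncated header */
        ti->length = 0;
        while (n--)
            ti->length = (ti->length << 8) | buf[pos++];
    }
    ti->nhdr = pos;
    return 0;
}

/* Return the content pointer only if the declared length fits in the buffer. */
static const uint8_t *tl_content(const uint8_t *buf, size_t len, struct tl_info *ti)
{
    if (parse_tl(buf, len, ti) != 0)
        return NULL;
    if (ti->length > len - ti->nhdr)  /* declared length vs. bytes really present */
        return NULL;
    return buf + ti->nhdr;
}

int main(void)
{
    const uint8_t bad[] = { 0x04, 0x7f, 'a' };  /* constructed: claims 127 octets, has 1 */
    struct tl_info ti;
    return tl_content(bad, sizeof bad, &ti) == NULL ? 0 : 1;
}
```

The header parser alone accepts the constructed input and reports a length of 127; only the comparison against the remaining buffer size stops a caller from reading past the end.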
SRPMS
5/core
- libksba-1.3.4-1.mga5