Vulnerability Details CVE-2006-0645
Tiny ASN.1 Library (libtasn1) before 0.2.18, as used by (1) GnuTLS 1.2.x before 1.2.10 and 1.3.x before 1.3.4, and (2) GNU Shishi, allows attackers to crash the DER decoder and possibly execute arbitrary code via "out-of-bounds access" caused by invalid input, as demonstrated by the ProtoVer SSL test suite.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.044
EPSS Ranking 88.3%
CVSS Severity
CVSS v2 Score 7.5
References
- http://josefsson.org/cgi-bin/viewcvs.cgi/gnutls/tests/certder.c?view=markup
- http://josefsson.org/cgi-bin/viewcvs.cgi/libtasn1/NEWS?root=gnupg-mirror&view=markup
- http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.18-from-0.2.17.patch
- http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001058.html
- http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001059.html
- http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001060.html
- http://rhn.redhat.com/errata/RHSA-2006-0207.html
- http://secunia.com/advisories/18794
- http://secunia.com/advisories/18815
- http://secunia.com/advisories/18830
- http://secunia.com/advisories/18832
- http://secunia.com/advisories/18898
- http://secunia.com/advisories/18918
- http://secunia.com/advisories/19080
- http://secunia.com/advisories/19092
- http://securityreason.com/securityalert/446
- http://securitytracker.com/id?1015612
- http://www.debian.org/security/2006/dsa-985
- http://www.debian.org/security/2006/dsa-986
- http://www.gentoo.org/security/en/glsa/glsa-200602-08.xml
- http://www.gleg.net/protover_ssl.shtml
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:039
- http://www.osvdb.org/23054
- http://www.redhat.com/archives/fedora-announce-list/2006-February/msg00043.html
- http://www.securityfocus.com/archive/1/424538/100/0/threaded
- http://www.securityfocus.com/bid/16568
- http://www.trustix.org/errata/2006/0008
- http://www.vupen.com/english/advisories/2006/0496
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24606
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10540
- https://usn.ubuntu.com/251-1/
- http://josefsson.org/cgi-bin/viewcvs.cgi/gnutls/tests/certder.c?view=markup
- http://josefsson.org/cgi-bin/viewcvs.cgi/libtasn1/NEWS?root=gnupg-mirror&view=markup
- http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.18-from-0.2.17.patch
- http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001058.html
- http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001059.html
- http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001060.html
- http://rhn.redhat.com/errata/RHSA-2006-0207.html
- http://secunia.com/advisories/18794
- http://secunia.com/advisories/18815
- http://secunia.com/advisories/18830
- http://secunia.com/advisories/18832
- http://secunia.com/advisories/18898
- http://secunia.com/advisories/18918
- http://secunia.com/advisories/19080
- http://secunia.com/advisories/19092
- http://securityreason.com/securityalert/446
- http://securitytracker.com/id?1015612
- http://www.debian.org/security/2006/dsa-985
- http://www.debian.org/security/2006/dsa-986
- http://www.gentoo.org/security/en/glsa/glsa-200602-08.xml
- http://www.gleg.net/protover_ssl.shtml
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:039
- http://www.osvdb.org/23054
- http://www.redhat.com/archives/fedora-announce-list/2006-February/msg00043.html
- http://www.securityfocus.com/archive/1/424538/100/0/threaded
- http://www.securityfocus.com/bid/16568
- http://www.trustix.org/errata/2006/0008
- http://www.vupen.com/english/advisories/2006/0496
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24606
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10540
- https://usn.ubuntu.com/251-1/
Products affected by CVE-2006-0645
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.1.0
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.1.1
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.1.2
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.0
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.1
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.10
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.11
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.12
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.13
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.14
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.15
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.16
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.17
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.2
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.3
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.4
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.5
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.6
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.7
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.8
-
cpe:2.3:a:free_software_foundation_inc.:libtasn1:0.2.9