cvrf2cusa/cvrf/2022/cvrf-openEuler-SA-2022-2030.xml

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
	<DocumentTitle xml:lang="en">An update for libtasn1 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS</DocumentTitle>
	<DocumentType>Security Advisory</DocumentType>
	<DocumentPublisher Type="Vendor">
		<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
		<IssuingAuthority>openEuler security committee</IssuingAuthority>
	</DocumentPublisher>
	<DocumentTracking>
		<Identification>
			<ID>openEuler-SA-2022-2030</ID>
		</Identification>
		<Status>Final</Status>
		<Version>1.0</Version>
		<RevisionHistory>
			<Revision>
				<Number>1.0</Number>
				<Date>2022-10-28</Date>
				<Description>Initial</Description>
			</Revision>
		</RevisionHistory>
		<InitialReleaseDate>2022-10-28</InitialReleaseDate>
		<CurrentReleaseDate>2022-10-28</CurrentReleaseDate>
		<Generator>
			<Engine>openEuler SA Tool V1.0</Engine>
			<Date>2022-10-28</Date>
		</Generator>
	</DocumentTracking>
	<DocumentNotes>
		<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">libtasn1 security update</Note>
		<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for libtasn1 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.</Note>
		<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Libtasn1 is the ASN.1 library used by GnuTLS, p11-kit and some other packages.The goal of this implementation is to be highly portable, and only require an ANSI C99 platform.This library provides Abstract Syntax Notation One (ASN.1,as specified by the X.680 ITU-T recommendation) parsing and structures management,and Distinguished Encoding Rules (DER, as per X.690) encoding and decoding functions.

Security Fix(es):

GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.(CVE-2021-46848)</Note>
		<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for libtasn1 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.

openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
		<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Critical</Note>
		<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">libtasn1</Note>
	</DocumentNotes>
	<DocumentReferences>
		<Reference Type="Self">
			<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2030</URL>
		</Reference>
		<Reference Type="openEuler CVE">
			<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-46848</URL>
		</Reference>
		<Reference Type="Other">
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-46848</URL>
		</Reference>
	</DocumentReferences>
	<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
		<Branch Type="Product Name" Name="openEuler">
			<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
			<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
			<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="aarch64">
			<FullProductName ProductID="libtasn1-debugsource-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libtasn1-debugsource-4.16.0-2.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libtasn1-4.16.0-2.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-debuginfo-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libtasn1-debuginfo-4.16.0-2.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-devel-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libtasn1-devel-4.16.0-2.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libtasn1-4.16.0-2.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-devel-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libtasn1-devel-4.16.0-2.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-debugsource-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libtasn1-debugsource-4.16.0-2.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-debuginfo-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libtasn1-debuginfo-4.16.0-2.oe1.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-debuginfo-4.17.0-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libtasn1-debuginfo-4.17.0-3.oe2203.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-debugsource-4.17.0-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libtasn1-debugsource-4.17.0-3.oe2203.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-devel-4.17.0-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libtasn1-devel-4.17.0-3.oe2203.aarch64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-4.17.0-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libtasn1-4.17.0-3.oe2203.aarch64.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="noarch">
			<FullProductName ProductID="libtasn1-help-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libtasn1-help-4.16.0-2.oe1.noarch.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-help-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libtasn1-help-4.16.0-2.oe1.noarch.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-help-4.17.0-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libtasn1-help-4.17.0-3.oe2203.noarch.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="src">
			<FullProductName ProductID="libtasn1-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libtasn1-4.16.0-2.oe1.src.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libtasn1-4.16.0-2.oe1.src.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-4.17.0-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libtasn1-4.17.0-3.oe2203.src.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="x86_64">
			<FullProductName ProductID="libtasn1-debugsource-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libtasn1-debugsource-4.16.0-2.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libtasn1-4.16.0-2.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-debuginfo-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libtasn1-debuginfo-4.16.0-2.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-devel-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libtasn1-devel-4.16.0-2.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libtasn1-4.16.0-2.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-debuginfo-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libtasn1-debuginfo-4.16.0-2.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-debugsource-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libtasn1-debugsource-4.16.0-2.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-devel-4.16.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libtasn1-devel-4.16.0-2.oe1.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-debuginfo-4.17.0-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libtasn1-debuginfo-4.17.0-3.oe2203.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-devel-4.17.0-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libtasn1-devel-4.17.0-3.oe2203.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-debugsource-4.17.0-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libtasn1-debugsource-4.17.0-3.oe2203.x86_64.rpm</FullProductName>
			<FullProductName ProductID="libtasn1-4.17.0-3" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libtasn1-4.17.0-3.oe2203.x86_64.rpm</FullProductName>
		</Branch>
	</ProductTree>
	<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.</Note>
		</Notes>
		<ReleaseDate>2022-10-28</ReleaseDate>
		<CVE>CVE-2021-46848</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-20.03-LTS-SP1</ProductID>
				<ProductID>openEuler-20.03-LTS-SP3</ProductID>
				<ProductID>openEuler-22.03-LTS</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>Critical</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>9.1</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>libtasn1 security update</Description>
				<DATE>2022-10-28</DATE>
				<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2030</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
</cvrfdoc>