[arch-security] [ASA-201605-17] libksba: denial of service
Arch Linux Security Advisory ASA-201605-17
==========================================

Severity: Medium
Date    : 2016-05-12
CVE-ID  : CVE-2016-4574
Package : libksba
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package libksba before version 1.3.4-1 is vulnerable to denial of service or other unspecified impact.

Resolution
==========

Upgrade to 1.3.4-1.

# pacman -Syu "libksba>=1.3.4-1"

The problem has been fixed upstream in version 1.3.4.

Workaround
==========

None.

Description
===========

An out-of-bounds read caused by incorrect handling of UTF-8 strings has been found in the _ksba_dn_to_str() function. The issue stems from an incomplete fix for CVE-2016-4356: an off-by-one error remains when handling invalid UTF-8 strings.

Impact
======

A remote attacker might be able to crash an application using libksba, causing a denial of service, or have other unspecified impact.

References
==========

https://bugs.archlinux.org/task/49289
http://www.openwall.com/lists/oss-security/2016/05/10/4
https://access.redhat.com/security/cve/CVE-2016-4574
Participants (1): Remi Gacogne