Arch Linux Security Advisory ASA-201505-5 ========================================= Severity: Critical Date : 2015-05-08 CVE-ID : CVE-2015-3622 Package : libtasn1 Type : arbitrary code execution Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package libtasn1 before version 4.5-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 4.5-1. # pacman -Syu "libtasn1>=4.5-1" The problem has been fixed upstream in version 4.5. Workaround ========== None. Description =========== A heap-based buffer overflow flaw was found in the way the libtasn1 library decoded certain DER-encoded input. A specially crafted, DER-encoded input could cause an application using libtasn1 to perform an invalid read, causing the application to crash or, possibly, execute arbitrary code. The heap overflow happens in the function _asn1_extract_der_octet() that is called during decoding of DER-encoded input. Impact ====== A remote attacker is able to use a specially crafted certificate that is leading to arbitrary code execution during decoding. References ========== http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=f979435 https://access.redhat.com/security/cve/CVE-2015-3622