On 2026-01-08 Moritz Mühlenhoff <[email protected]> wrote:
> Source: libtasn1-6
> X-Debbugs-CC: [email protected]
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for libtasn1-6.
>
> CVE-2025-13151[0]:
> | Stack-based buffer overflow in libtasn1 version: v4.20.0. The
> | function fails to validate the size of input data resulting in a
> | buffer overflow in asn1_expend_octet_string.
[...]

Looking at the full announcement
https://gitlab.com/gnutls/libtasn1/-/blob/master/doc/security/CVE-2025-13151.md?ref_type=heads

CVE-2025-13151: Stack-based buffer overflow in asn1_expand_octet_string function

Expanding an "OCTET STRING" element of a structure using the
asn1_expand_octet_string function may lead to a one-byte stack overflow
that may corrupt adjacent memory in the worst case scenario.

Severity: Low
Vulnerable versions : All released version of libtasn1
Not vulnerable : libtasn1 4.21.0
[...]

Exploitation

In order to exploit this, the target program must be using the
asn1_expand_octet_string function explicitly with an excessively long
name (ASN1_MAX_NAME_SIZE = 64 characters) for both the ASN.1 definition
and the target element. Given the ASN.1 definitions are normally part of
the application code base, it is highly unlikely to be exploitable.

https://codesearch.debian.net/ only finds 4 hits for
asn1_expand_octet_string - libtasn1-6 itself, the libtasn copies in grub2
and gnutls, and a commented call in box64.

This probably does not warrant a DSA.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

