CVE-2025-13151 is described in the CVE database as: Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.
-------- Forwarded Message -------- Subject: libtasn1-4.21.0 released [stable] Date: Thu, 08 Jan 2026 14:48:27 +0100 From: Simon Josefsson via Announcements and Requests for Help from the GNU project and the Free Software Foundation <[email protected]> Reply-To: Simon Josefsson <[email protected]> To: [email protected] CC: [email protected] This is to announce libtasn1-4.21.0, a stable release. GNU Libtasn1 is a standalone library written in C for manipulating ASN.1 objects including DER/BER encoding/decoding. GNU Libtasn1 is used by GnuTLS to handle X.509 structures. There have been 34 commits by 5 people in the 49 weeks since 4.20.0. See the NEWS below for a brief summary. Thanks to everyone who has contributed! The following people contributed changes to this release: Andrew Hamilton (1) Daiki Ueno (4) Masatake YAMATO (1) Simon Josefsson (27) Vijay Sarvepalli (1) Happy Hacking, /Simon [on behalf of the libtasn1 maintainers] ================================================================== Here is the GNU libtasn1 home page: https://www.gnu.org/software/libtasn1/ Here are the compressed sources and a GPG detached signature: https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.21.0.tar.gz https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.21.0.tar.gz.sig Here is minimal source-only "git archive" sources: https://ftp.gnu.org/gnu/libtasn1/libtasn1-v4.21.0-src.tar.gz https://ftp.gnu.org/gnu/libtasn1/libtasn1-v4.21.0-src.tar.gz.sig Here are Sigsum Proofs: https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.21.0.tar.gz.proof https://ftp.gnu.org/gnu/libtasn1/libtasn1-v4.21.0-src.tar.gz.proof Use a mirror for higher download bandwidth: https://www.gnu.org/order/ftp.html Here are the SHA256 and SHA3-256 checksums: SHA256 (libtasn1-4.21.0.tar.gz) = HYpESiI8xUZCQHdzRuEl3lHY5qvwuLrHQqyEYJFn3Ic= SHA3-256 (libtasn1-4.21.0.tar.gz) = XtNk+w/VLnMrJZlT3CZQy/Mgwm/cmWTdX6ZBb49ETwk= SHA256 (libtasn1-v4.21.0-src.tar.gz) = BvfQ93s42ztrF6PVTVkIdOXlib6oCBMpqKOs++w9/iE= SHA3-256 (libtasn1-v4.21.0-src.tar.gz) = l6gEY3JXjHxWYVIPk8F8H6P6qWWdUbVmZPvGRewQnsU= Verify the base64 SHA256 checksum with cksum -a sha256 --check from coreutils-9.2 or OpenBSD's cksum since 2007. Verify the base64 SHA3-256 checksum with cksum -a sha3 --check from coreutils-9.8. Use a .sig file to verify that the corresponding file (without the .sig suffix) is intact. First, be sure to download both the .sig file and the corresponding tarball. Then, run a command like this: gpg --verify libtasn1-4.21.0.tar.gz.sig The signature should match the fingerprint of the following key: pub ed25519 2019-03-20 [SC] B1D2 BD13 75BE CB78 4CF4 F8C4 D73C F638 C53C 06BE uid Simon Josefsson <[email protected]> If that command fails because you don't have the required public key, or that public key has expired, try the following commands to retrieve or refresh it, and then rerun the 'gpg --verify' command. gpg --locate-external-key [email protected] gpg --recv-keys 51722B08FE4745A2 wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=libtasn1&download=1' | gpg --import - As a last resort to find the key, you can try the official GNU keyring: wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg gpg --keyring gnu-keyring.gpg --verify libtasn1-4.21.0.tar.gz.sig Use the .proof files to verify the Sigsum proof. These files are like signatures but with extra transparency: you can cryptographically verify that every signature is logged in a public append-only log, so you can say with confidence what signatures exists. This makes hidden releases no longer deniable for the same public key. Releases are Sigsum-signed with the following public key: cat <<EOF > libtasn1-sigsum-key.pub ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE EOF Run a command like this to verify downloaded artifacts: sigsum-verify -k libtasn1-sigsum-key.pub -P sigsum-generic-2025-1 \ libtasn1-4.21.0.tar.gz.proof < libtasn1-4.21.0.tar.gz You may learn more about Sigsum concepts and find instructions how to download the tools here: https://www.sigsum.org/getting-started/ This release is based on the libtasn1 git repository, available as git clone https://codeberg.org/libtasn1/libtasn1.git with commit 83f96d790a8107889e7c570294d49227b2db9d61 tagged as v4.21.0. For a summary of changes and contributors, see: https://codeberg.org/libtasn1/libtasn1/commits/tag/v4.21.0 or run this command from a git-cloned libtasn1 directory: git shortlog v4.20.0..v4.21.0 This release was bootstrapped with the following tools: Gnulib 2026-01-01 e93789db7e86c51d6cb9683ea508e676a55cdefa Autoconf 2.72 Automake 1.17 Libtoolize 2.4.7 Make 4.4.1 Makeinfo 7.1.1 Bison 3.8.2 Help2man 1.49.2 Gtkdocize 1.34.0 Tar 1.35 Gzip 1.13 Guix ac92638bcec817cbbf94201eab0b342553987d42 NEWS.md # Noteworthy changes in release 4.21.0 (2026-01-08) [stable] - Undocumented asn1Decoding --debug flag removed, thanks to Andrew Hamilton. - Code coverage for src/ went from 35% to 82%, thanks to Andrew Hamilton. - Fix of ASN.1 typo in manual, thanks to Masatake YAMATO. - NEWS renamed to NEWS.md and uses markdown syntax. - Update gnulib files and various build/maintenance fixes. - Fix for vulnerability CVE-2025-13151 Stack-based buffer overflow
