CVE-2015-1182

NameCVE-2015-1182
DescriptionThe asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-144-1, DSA-3136-1
Debian Bugs775776

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
polarssl (PTS)jessie, jessie (lts)1.3.9-2.1+deb8u4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
polarsslsourcesqueeze1.2.9-1~deb6u4DLA-144-1
polarsslsourcewheezy1.2.9-1~deb7u5DSA-3136-1
polarsslsource(unstable)1.3.9-2.1775776

Notes

https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04

Search for package or bug name: Reporting problems