[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: soname bump? (was: GNU Libtasn1 4.11 released)
From: |
Nikos Mavrogiannopoulos |
Subject: |
Re: soname bump? (was: GNU Libtasn1 4.11 released) |
Date: |
Mon, 29 May 2017 06:37:35 +0200 |
On Sun, 2017-05-28 at 18:02 +0200, Andreas Metzler wrote:
> On 2017-05-27 Nikos Mavrogiannopoulos <address@hidden> wrote:
> [...]
> > * Noteworthy changes in release 4.11 (released 2017-05-27) [stable]
> > - Introduced the ASN1_TIME_ENCODING_ERROR error code to indicate
> > an invalid encoding in the DER time fields.
> > - Introduced flag ASN1_DECODE_FLAG_ALLOW_INCORRECT_TIME. This flag
> > allows decoding errors in time fields even when in strict DER
> > mode.
> > That is introduced in order to allow toleration of invalid times
> > in
> > X.509 certificates (which are common) even though strict DER
> > adherence
> > is enforced in other fields.
> > - Added safety check in asn1_find_node(). That prevents a crash
> > when a very long variable name is provided by the developer.
> > Note that this to be exploited requires controlling the ASN.1
> > definitions used by the developer, i.e., the 'name' parameter of
> > asn1_write_value() or asn1_read_value(). The library is
> > not designed to protect against malicious manipulation of the
> > developer assigned variable names. Reported by Jakub Jirasek.
>
> [...]
>
> Hello,
>
> this release features a soname bump (libtasn1.so.6 -> libtasn1.so.7).
> As
> the changelog does not mention an ABI break I assume this was not
> done
> intentionally. Perhaps a typo, bumping LT_CURRENT instead of
> LT_REVISION?
You are right. I'll make a new release fixing that issue and introduce
an ABI check to avoid such issues in the future.
regards,
Nikos