[security][HIGH] libtasn1 4.20.0: CVE-2025-13151 require triage #1

Closed
opened 2026-05-25 20:44:48 +03:00 by sbelikov (Owner) · 1 comment

CVE triage request

Package

  • Package: libtasn1
  • Version: 4.20.0
  • EVR: 4.20.0-1
  • Category: -
  • Policy class: -
  • NiceOS policy class: -
  • Owner: -
  • Severity: HIGH
  • Max CVSS: 7.5
  • CVE count: 1
  • Included NiceOS statuses: needs_triage
  • Included match types: cpe-exact

LLM recommendation

RU

For package libtasn1 4.20.0, CVE candidates were found from NVD/CPE data: CVE-2025-13151. Security-team triage is required.

Verify the CVE's applicability to the NiceOS build, compare it with the upstream/vendor advisory, determine the affected/fixed/not_affected status, and prepare a package update if necessary.

Recommended action: needs_triage

Target version hint: -

Checks: Verify the RPM build, package update, dependency compatibility, service/CLI smoke tests, and regression scenarios for the package class.

Risks: An automatic NVD/CPE match is not the final verdict for NiceOS.

EN

NVD/CPE candidate CVEs were found for libtasn1 4.20.0: CVE-2025-13151. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | Confidence | NiceOS status | Fixed in | Existing issue | Reason |
|---|---|---:|---|---:|---|---|---|---|
| CVE-2025-13151 | HIGH | 7.5 | cpe-exact | 80 | needs_triage | | | exact CPE version match: package 4.20.0 == CPE 4.20.0 |

Descriptions

CVE-2025-13151

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data, resulting in a buffer overflow in asn1_expand_octet_string.

Scanner integration

This issue was generated from niceos_cve_matches after the SPEC/Forgejo evidence pass.
After real creation, this script writes forgejo_issue_open rows into niceos_cve_evidence and marks the selected CVE rows as issue_open, so the next scanner/creator run does not duplicate the issue.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

```json
{
  "cves": [
    "CVE-2025-13151"
  ],
  "fingerprint": "8654f3aa561fe54d36d3",
  "generated_at": "2026-05-25T17:44:47Z",
  "match_ids": [
    1493
  ],
  "match_types": [
    "cpe-exact"
  ],
  "package": "libtasn1",
  "prompt_version": "niceos_cve_issue_analysis_v2",
  "statuses": [
    "needs_triage"
  ],
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "2.0",
  "version": "4.20.0"
}
```
Comment by sbelikov (Author, Owner):

Fixed in NiceOS by backporting the upstream libtasn1 fix for CVE-2025-13151.

Applied fix:

  • upstream commit: d276cc495a2a32b182c3c39851f1ba58f2d9f9b8
  • upstream title: Fix for CVE-2025-13151 Buffer overflow
  • affected function: asn1_expand_octet_string
  • source package: libtasn1
  • fixed EVR: 4.20.0-2
  • branch: niceos-5.2
  • spec source: SPECS/libtasn1.spec

Validation:

  • CVE applies to libtasn1 4.20.0.
  • Patch increases the local name buffer in lib/decoding.c from 2 * ASN1_MAX_NAME_SIZE + 1 to 2 * ASN1_MAX_NAME_SIZE + 2.
  • This matches the upstream fix and closes the scanner triage item.
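The "Risks" line above and the maintainer's resolution illustrate the same gap: the scanner's cpe-exact match only sees the upstream version (4.20.0), so it cannot tell release 4.20.0-1 (affected) from 4.20.0-2 (carrying the backport). The following is an added example, not NiceOS's own scanner code, of an RPM-style EVR comparison that turns an installed EVR and a known fixed EVR into a triage verdict; the `rpmvercmp` rules are a simplified reimplementation and the status names are the ones used on this page.

```python
import re

# Added example (not NiceOS tooling): compare full EVRs so that a backported
# fix shipped in the distro release is recognised even when the CPE still says 4.20.0.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: numeric segments compare numerically, alphabetic
    ones lexically, digits beat letters, '~' sorts first. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return -1 if len(x) < len(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # One side has extra segments: it is newer unless the extra part is a tilde.
    a_longer = len(sa) > len(sb)
    extra = sa[len(sb)] if a_longer else sb[len(sa)]
    if extra == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1

def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch else 0), version, release

def compare_evr(a, b):
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def triage_status(installed_evr, fixed_evr=None):
    """'needs_triage' until a fixed EVR is known; then 'fixed' at or above it, else 'affected'."""
    if fixed_evr is None:
        return "needs_triage"
    return "fixed" if compare_evr(installed_evr, fixed_evr) >= 0 else "affected"
```

In a real pipeline the same comparison is available from rpm itself (python3-rpm's `rpm.labelCompare` or the `rpmdev-vercmp` tool), which also covers corner cases this reimplementation skips.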
Reference: rpms/libtasn1#1