new file mode 100644

@@ -0,0 +1,22 @@

+diff -rupr a/lib/decoding.c b/lib/decoding.c

+--- a/lib/decoding.c	2015-09-14 10:41:16.000000000 -0700

+@@ -767,10 +767,17 @@ _asn1_extract_der_octet (asn1_node node,

+   DECR_LEN(der_len, len3);

+ 

+   if (len2 == -1)

+-    counter_end = der_len - 2;

++    {

++      if (der_len < 2)

++        return ASN1_DER_ERROR;

++      counter_end = der_len - 2;

++    }

+   else

+     counter_end = der_len;

+ 

++  if (counter_end < counter)

++    return ASN1_DER_ERROR;

++

+   while (counter < counter_end)

+     {

+       DECR_LEN(der_len, 1);

@@ -1,7 +1,7 @@

 Summary:	ASN.1 library

 Name:		libtasn1

 Version:	4.7

-Release:	2%{?dist}

+Release:	3%{?dist}

 License:	GPLv3+ and LGPLv2+

 URL:		http://www.gnu.org/software/libtasn1/

 Source0:	http://ftp.gnu.org/gnu/libtasn1/%{name}-%{version}.tar.gz

@@ -9,6 +9,9 @@ Source0:	http://ftp.gnu.org/gnu/libtasn1/%{name}-%{version}.tar.gz

 Group:		System Environment/Libraries

 Vendor:		VMware, Inc.

 Distribution:	Photon

+

+Patch0:         CVE-2016-4008.patch

+

 %description

 Libtasn1 library provides Abstract Syntax Notation One (ASN.1, as specified by the X.680 ITU-T recommendation) parsing and structures management, 

 and Distinguished Encoding Rules (DER, as per X.690) encoding and decoding functions.

@@ -24,6 +27,8 @@ developing applications that use libtasn1.

 %prep

 %setup -q

+%patch0 -p1

+

 %build

 ./configure \

 	--prefix=%{_prefix}

@@ -49,6 +54,8 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}

 %{_libdir}/pkgconfig/*.pc

 %{_libdir}/*.a

 %changelog

+*       Wed Nov 30 2016 Dheeraj Shetty <dheerajs@vmware.com> 4.7-3

+-       Added patch for CVE-2016-4008

 *	Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 4.7-2

 -	GA - Bump release of all rpms

 * 	Fri Jan 15 2016 Xiaolin Li <xiaolinl@vmware.com> 4.7-1