On Monday, December 12, 2016 at 12:55:47 PM UTC-5, Jeffrey Walton wrote:
>
> FYI... We'll be asking for a CVE for the issue.
>
> ---------- Forwarded message ----------
> From: Gergely Nagy <[email protected]>
> Date: Mon, Dec 12, 2016 at 8:45 AM
> Subject: Security issue (DoS) in Crypto++ ASN1 decoder
> To: Jeffrey Walton <[email protected]>
> Cc: Tamás Koczka <[email protected]>
>
> Hi!
>
> I have found a bug in several BERDecode* functions which could be used
> for a DoS attack.
>
> The issue is similar to CVE-2016-2109 in OpenSSL which was disclosed
> in https://www.openssl.org/news/secadv/20160503.txt
>
>
> Basically after the ASN1 decoder reads the length, it allocates a
> SecByteBlock of that size before checking that there is enough data
> available.
>
> This can cause memory exhaustion on most platforms, but it has (in my
> opinion) the worst effect on 64-bit Linux systems where the allocation
>
Tresorit's revised patch was committed at https://github.com/weidai11/cryptopp/commit/d0a6d43e16e4677d36bd0567978286938c1cfe6b.

The test cases for the issue were committed at https://github.com/weidai11/cryptopp/commit/7031fc7f6fb3c96ced8a1e86391d9bef2c007518.

We also improved parsing and validation in accordance with X.690 for some of the ASN.1 types at https://github.com/weidai11/cryptopp/commit/b19332a69fbd7b82f0e08c18f55a6880487d55e9.

We still have to improve parsing and validation in a couple of spots, like BERGeneralDecoder and Integer's decoder.

Jeff
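The ordering problem described in the forwarded report, as an added example that is not part of the original thread and is not Crypto++ code: a minimal OCTET STRING decoder that compares the decoded length with the bytes actually remaining before it allocates anything. The `Reader` type, the function names and the sample bytes are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <vector>

typedef unsigned char byte;

// Hypothetical in-memory reader; stands in for the library's input stream.
struct Reader {
    const byte* p;
    size_t left;
    bool get(byte& b) { if (left == 0) return false; b = *p++; --left; return true; }
};

// Decode a definite-form BER length (X.690 8.1.3). Rejects the indefinite
// form and lengths wider than size_t.
bool decodeLength(Reader& r, size_t& len) {
    byte b;
    if (!r.get(b)) return false;
    if ((b & 0x80) == 0) { len = b; return true; }   // short form
    size_t n = b & 0x7f;                              // long form: n length octets
    if (n == 0 || n > sizeof(size_t)) return false;
    len = 0;
    while (n--) {
        if (!r.get(b)) return false;
        len = (len << 8) | b;
    }
    return true;
}

// Decode an OCTET STRING (tag 0x04) into out. Returns false on malformed input.
bool decodeOctetString(const byte* data, size_t size, std::vector<byte>& out) {
    Reader r = { data, size };
    byte tag;
    size_t len;
    if (!r.get(tag) || tag != 0x04) return false;
    if (!decodeLength(r, len)) return false;
    // Flawed ordering (as reported): allocate `len` bytes here, then read.
    // Hardened ordering: compare the claimed length to the data present first.
    if (len > r.left) return false;
    out.assign(r.p, r.p + len);
    return true;
}

// Constructed sample: header claims 0x7fffffff content octets, none follow.
const byte kHugeClaim[] = { 0x04, 0x84, 0x7f, 0xff, 0xff, 0xff };

int main() {
    std::vector<byte> out;
    return decodeOctetString(kHugeClaim, sizeof kHugeClaim, out) ? 1 : 0;  // 0: rejected
}
```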
