If you want to back-port patches, the relevant commits ought to be: https://gitlab.com/gnutls/libtasn1/-/commit/4082ca2220b5ba910b546afddf7780fc4a51f75a https://gitlab.com/gnutls/libtasn1/-/commit/869a97aa259dffa2620dabcad84e1c22545ffc3d
I haven't tried applying these to various older versions. The issue tracker for this bug is here: https://gitlab.com/gnutls/libtasn1/-/issues/52 /Simon Simon Josefsson via Discussion list for GNU Libtasn1 <[email protected]> writes: > All, > > Please find below the security advisory that goes with the v4.20.0 > release. > > /Simon > > ================================================================== > CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF > elements > ================================================================== > > When an input DER data contains a large number of SEQUENCE OF or SET > OF elements, decoding the data and searching a specific element in it > take quadratic time to complete. This could be utilized for a remote > DoS attack by presenting a crafted certificate to the network peer. > > Severity: Moderate > Vulnerable versions : All released version of libtasn1 > Not vulnerable : libtasn1 4.20.0 > > Vulnerability information > ========================= > The issue is twofold: decoding a DER input with sequences and locating > a specific element in a sequence. Even though a DER sequence is > conceptually an array, in libtasn1 it is represented as a linked list, > whose elements are assigned a string name, such as "?1". Therefore a > simple lookup of an element at a given position is linear O(N) time > complexity. When decoding a DER sequence, in each step libtasn1 looks > up the parent node, recorded on the first element, which requires a > backward linear search, resulting in O(N^2) time complexity. > > For details, see the original issue reported at: > https://gitlab.com/gnutls/libtasn1/-/issues/52 > > Exploitation > ============ > By presenting a certificate with a large number of Subject Alternative > Name or name constraint entries, the adversary can impose Denial of > Service (DoS) in applications using libtasn1 for certificate parsing > and verification. > > Recommendation > ========= > To address this vulnerability, please upgrade to libtasn1 4.20.0 or > later. At the same time, we recommend applications using libtasn1 for > certificate processing should set a limit of input sequences, such as > Subject Alternative Name or name constraint entries to reduce attack > surface. > > Workaround > ========== > For those who cannot modify the application code, resource control > mechanisms provided by the operating system, such as cgroups could > help avoid excessive usage of CPU time. > > Credits > ======= > This vulnerability was found and reported by Bing Shi. >
signature.asc
Description: PGP signature
