libtasn1 issue [was: [Secunia Research] Libtasn1 Vulnerability Report]
From: Nikos Mavrogiannopoulos
Subject: libtasn1 issue [was: [Secunia Research] Libtasn1 Vulnerability Report]
Date: Fri, 19 May 2017 18:02:12 +0200

Hi,

I've dug a little further into the previously reported issue, and it
seems there is an issue in asn1_find_node() if someone provides in
calls like asn1_read_value() a name which contains more than 65
characters between two dots.

That however I'd expect to be a very uncommon usage of libtasn1, which
is typically something like:

    asn1_read_value(node, "tbsResponseData.responderID.byKey", data, &len);

That is, the name is provided as a constant from the developer and these
names cannot be more than 64-variables in the '.asn' files parsed by
libtasn1. I do not believe that the library can even cope with
malicious input to that field as can be underlined by the bug.

There will be a release in the following days including that fix,
however, I'd appreciate a second pair of eyes on that issue and fix.

The issue was fixed in:
https://gitlab.com/gnutls/libtasn1/commit/5520704d075802df25ce4ffccc010ba1641bd484

Two test cases were introduced at:
https://gitlab.com/gnutls/libtasn1/commit/e43badf76307e1484fb257f271ff9a4f59258c7e
https://gitlab.com/gnutls/libtasn1/commit/1273c97343c2070a28cfa1f1dd55599ca87106e2

regards,
Nikos
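
A caller-side guard for the condition described in this message, added here as an example; it is not code from libtasn1 or from the fix commit. The helper name dotted_name_ok and the limit macro are hypothetical, with the limit set to the 64 the message gives for names in '.asn' files.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 64 matches the per-name limit the message states for '.asn'
 * files (libtasn1 exposes it as ASN1_MAX_NAME_SIZE); redefined here so the
 * example builds without the library headers. */
#define MAX_COMPONENT_LEN 64

/* Hypothetical helper: returns 1 if no dot-separated component of `name`
 * is longer than MAX_COMPONENT_LEN bytes, 0 otherwise (or if name is NULL).
 * Intended to run before a name that was not a compile-time constant is
 * handed to calls such as asn1_read_value(). */
int dotted_name_ok(const char *name)
{
    size_t run = 0;   /* length of the component currently being scanned */

    if (name == NULL)
        return 0;

    for (const char *p = name; *p != '\0'; p++) {
        if (*p == '.') {
            run = 0;                      /* component boundary */
        } else if (++run > MAX_COMPONENT_LEN) {
            return 0;                     /* over-long component: reject */
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample input: one component of 65 'A' characters. */
    char bad[128] = "tbsResponseData.";
    size_t n = strlen(bad);
    memset(bad + n, 'A', 65);
    bad[n + 65] = '\0';

    printf("constant name: %d\n",
           dotted_name_ok("tbsResponseData.responderID.byKey"));
    printf("65-char component: %d\n", dotted_name_ok(bad));
    return 0;
}
```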