Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 11 Apr 2016 08:42:15 +0000
From: Pascal Cuoq <cuoq@...st-in-soft.com>
To: "cve-assign@...re.org" <cve-assign@...re.org>,
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@...il.com>
Subject: Infinite loops parsing malicious DER certificates in libtasn1 4.7

The libtasn1 library, in its 4.7 version, can loop for a long time or indefinitely when it is used to parse DER representations of X509 certificates, leading to a denial of service. Some of these loops may in addition increase heap or stack usage, leading to more issues.

These issues were found by Pascal Cuoq and Miod Vallat using american fuzzy lop. They are fixed in libtasn1 version 4.8.

Proof of concept, using the test files distributed in http://ftp.gnu.org/gnu/libtasn1/libtasn1-4.8.tar.gz :

~/libtasn1-4.8 $ asn1Decoding -v
asn1Decoding (libtasn1) 4.7
…
~/libtasn1-4.8 $ asn1Decoding tests/pkix.asn tests/invalid-x509/id-000000.der PKIX1.Certificate
tests/pkix.asn:332: Warning: VisibleString is a built-in ASN.1 type.
tests/pkix.asn:334: Warning: NumericString is a built-in ASN.1 type.
tests/pkix.asn:336: Warning: IA5String is a built-in ASN.1 type.
tests/pkix.asn:338: Warning: TeletexString is a built-in ASN.1 type.
tests/pkix.asn:340: Warning: PrintableString is a built-in ASN.1 type.
tests/pkix.asn:342: Warning: UniversalString is a built-in ASN.1 type.
tests/pkix.asn:345: Warning: BMPString is a built-in ASN.1 type.
tests/pkix.asn:349: Warning: UTF8String is a built-in ASN.1 type.
Parse: done.
^C





Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.