Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 12 Dec 2016 13:47:56 -0500
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Cc: Gergely Nagy <ngg@...sorit.com>, Tamás Koczka <koczka@...sorit.com>, 
	Jean-Pierre Münch <jean-pierre.muench@....de>, 
	Uri Blumenthal <mouse008@...il.com>
Subject: CVE Request: Potential DoS in Crypto++ ASN.1 parser

Gergely Nagy and Tamás Koczka of Tresorit report a potential DoS in
the Crypto++ ASN.1 parser. A copy of their email with the report can
be found at https://groups.google.com/d/msg/cryptopp-users/fEQ8jWg_K8g/qOLHGIDICwAJ.

When Crypto++ library parses an ASN.1 data value, the library
allocates for the content octets based on the length octets. Later, if
there's too few or too little content octets, the library throws a
BERDecodeErr exception. The memory for the content octets will be
zeroized (even if unused), which could take a long time on a large
allocation.

Please assign a CVE for the potential issue.

Thanks in advance.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ