Date: Mon, 12 Dec 2016 13:47:56 -0500 From: Jeffrey Walton <noloader@...il.com> To: oss-security@...ts.openwall.com Cc: Gergely Nagy <ngg@...sorit.com>, Tamás Koczka <koczka@...sorit.com>, Jean-Pierre Münch <jean-pierre.muench@....de>, Uri Blumenthal <mouse008@...il.com> Subject: CVE Request: Potential DoS in Crypto++ ASN.1 parser Gergely Nagy and Tamás Koczka of Tresorit report a potential DoS in the Crypto++ ASN.1 parser. A copy of their email with the report can be found at https://groups.google.com/d/msg/cryptopp-users/fEQ8jWg_K8g/qOLHGIDICwAJ. When Crypto++ library parses an ASN.1 data value, the library allocates for the content octets based on the length octets. Later, if there's too few or too little content octets, the library throws a BERDecodeErr exception. The memory for the content octets will be zeroized (even if unused), which could take a long time on a large allocation. Please assign a CVE for the potential issue. Thanks in advance.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ