Date: Mon, 12 Dec 2016 18:34:07 -0500
From: <cve-assign@...re.org>
To: <noloader@...il.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>,
	<ngg@...sorit.com>, <koczka@...sorit.com>, <jean-pierre.muench@....de>,
	<mouse008@...il.com>
Subject: Re: CVE Request: Potential DoS in Crypto++ ASN.1 parser

> When Crypto++ library parses an ASN.1 data value, the library
> allocates for the content octets based on the length octets. Later, if
> there's too few or too little content octets, the library throws a
> BERDecodeErr exception. The memory for the content octets will be
> zeroized (even if unused), which could take a long time on a large
> allocation.

> https://groups.google.com/forum/#!msg/cryptopp-users/fEQ8jWg_K8g/qOLHGIDICwAJ
> https://github.com/weidai11/cryptopp/issues/346

>> several BERDecode* functions
>> bug was found using "honggfuzz"

Use CVE-2016-9939.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
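The quoted report describes a parser that sizes (and later zeroizes) a content buffer from the BER length octets before confirming that many octets exist. The following is an added example, not Crypto++ code, of the defensive ordering: decode the definite-form length, bound it by the remaining input, and only then allocate. The names berDecodeCheckedLength, berDecodeOctetString and rejectsInput are assumptions for this illustration.

```cpp
// Added example (not Crypto++ code): parse a BER definite-form length and
// check it against the bytes actually available before allocating.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

struct BerDecodeErr : std::runtime_error {
    BerDecodeErr() : std::runtime_error("BER decode error") {}
};

// Decodes the length octets at in[pos..], returns the content length and
// advances pos past the length octets. Throws without allocating when the
// encoding is malformed or the declared length exceeds the remaining input.
std::size_t berDecodeCheckedLength(const std::vector<std::uint8_t>& in, std::size_t& pos) {
    if (pos >= in.size()) throw BerDecodeErr();
    std::uint8_t first = in[pos++];
    std::size_t length = 0;
    if (first < 0x80) {
        length = first;                                  // short form: one octet
    } else {
        std::size_t numOctets = first & 0x7F;            // long form: count of length octets
        if (numOctets == 0 || numOctets > sizeof(std::size_t)) throw BerDecodeErr(); // indefinite or oversized
        if (numOctets > in.size() - pos) throw BerDecodeErr();
        for (std::size_t i = 0; i < numOctets; ++i)
            length = (length << 8) | in[pos++];
    }
    // Key check: the declared length must fit in what is actually present,
    // so a lying length octet is rejected before any buffer is sized from it.
    if (length > in.size() - pos) throw BerDecodeErr();
    return length;
}

// Reads an OCTET STRING (tag 0x04) body. Allocation happens only after the
// length has been validated against the input, never from the raw declared value.
std::vector<std::uint8_t> berDecodeOctetString(const std::vector<std::uint8_t>& in) {
    std::size_t pos = 0;
    if (in.empty() || in[pos++] != 0x04) throw BerDecodeErr();
    std::size_t len = berDecodeCheckedLength(in, pos);
    return std::vector<std::uint8_t>(in.begin() + pos, in.begin() + pos + len);
}

// Convenience for the reader: true when the input is rejected as malformed.
bool rejectsInput(const std::vector<std::uint8_t>& in) {
    try { berDecodeOctetString(in); return false; } catch (const BerDecodeErr&) { return true; }
}
```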
