oss-sec mailing list archives

CVE Request: Potential DoS in Crypto++ ASN.1 parser

From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 12 Dec 2016 13:47:56 -0500

Gergely Nagy and Tamás Koczka of Tresorit report a potential DoS in
the Crypto++ ASN.1 parser. A copy of their email with the report can
be found at https://groups.google.com/d/msg/cryptopp-users/fEQ8jWg_K8g/qOLHGIDICwAJ.

When Crypto++ library parses an ASN.1 data value, the library
allocates for the content octets based on the length octets. Later, if
there's too few or too little content octets, the library throws a
BERDecodeErr exception. The memory for the content octets will be
zeroized (even if unused), which could take a long time on a large
allocation.

Please assign a CVE for the potential issue.

Thanks in advance.

Current thread:

CVE Request: Potential DoS in Crypto++ ASN.1 parser Jeffrey Walton (Dec 12)
- Re: CVE Request: Potential DoS in Crypto++ ASN.1 parser cve-assign (Dec 12)