oss-sec mailing list archives
CVE Request: Potential DoS in Crypto++ ASN.1 parser
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 12 Dec 2016 13:47:56 -0500
Gergely Nagy and Tamás Koczka of Tresorit report a potential DoS in the Crypto++ ASN.1 parser. A copy of their email with the report can be found at https://groups.google.com/d/msg/cryptopp-users/fEQ8jWg_K8g/qOLHGIDICwAJ.

When the Crypto++ library parses an ASN.1 data value, the library allocates for the content octets based on the length octets. Later, if there are too few or too little content octets, the library throws a BERDecodeErr exception. The memory for the content octets will be zeroized (even if unused), which could take a long time on a large allocation.

Please assign a CVE for the potential issue.

Thanks in advance.
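The ordering issue described in the report, shown from the defensive side as an added example (not Crypto++ code and not part of the original message): a minimal BER OCTET STRING decoder that compares the declared length with the bytes actually remaining before sizing any buffer from it. `ReadBerLength`, `DecodeOctetString` and `RejectsOversizedLength` are hypothetical names, and the sample message is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical helper (not Crypto++ API): decode a BER definite length at
// in[pos], advancing pos. Throws on truncated or unsupported encodings.
static std::size_t ReadBerLength(const std::vector<uint8_t>& in, std::size_t& pos) {
    if (pos >= in.size()) throw std::runtime_error("truncated length");
    uint8_t first = in[pos++];
    if ((first & 0x80) == 0) return first;            // short form: 0..127
    std::size_t n = first & 0x7F;                     // long form: n length octets
    if (n == 0 || n > sizeof(std::size_t)) throw std::runtime_error("unsupported length");
    if (in.size() - pos < n) throw std::runtime_error("truncated length");
    std::size_t len = 0;
    while (n--) len = (len << 8) | in[pos++];
    return len;
}

// Decode one OCTET STRING (tag 0x04). The declared length is checked against
// the bytes remaining BEFORE a buffer is sized from it, so a short message
// cannot force a large allocation (and a later wipe of that allocation).
std::vector<uint8_t> DecodeOctetString(const std::vector<uint8_t>& in) {
    std::size_t pos = 0;
    if (in.empty() || in[pos++] != 0x04) throw std::runtime_error("unexpected tag");
    std::size_t len = ReadBerLength(in, pos);
    if (len > in.size() - pos) throw std::runtime_error("length exceeds input");
    return std::vector<uint8_t>(in.begin() + pos, in.begin() + pos + len);
}

// Constructed sample: header declares 0x7FFFFFFF content octets, 2 are present.
bool RejectsOversizedLength() {
    std::vector<uint8_t> msg = {0x04, 0x84, 0x7F, 0xFF, 0xFF, 0xFF, 0xAA, 0xBB};
    try { DecodeOctetString(msg); } catch (const std::runtime_error&) { return true; }
    return false;
}
```

For streamed input, where the remaining size is not known up front, the equivalent control is a caller-supplied maximum element size enforced at the same point.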