| Field | Value |
|---|---|
| Summary | The _asn1_check_identifier function in GNU Libtasn1 up to and including 4.12 causes a NULL pointer dereference and crash when a NULL value is assigned to the value member of an asn1_node. It will lead to a remote denial of service attack. |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | owl337 <v.owl337> |
| Component | libtasn1 |
| Assignee | Nikos Mavrogiannopoulos <nmavrogi> |
| Status | CLOSED UPSTREAM |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | high |
| Priority | unspecified |
| Version | 7.5-Alt |
| CC | carnil, meissner, szidek |
| Target Milestone | rc |
| Keywords | Security |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2017-07-20 08:20:41 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Attachments | |
Description
owl337
2017-06-22 13:50:04 UTC

Comment 2, Nikos Mavrogiannopoulos:

Hi, Thank you for reporting that. I'd recommend providing more information when reporting vulnerabilities. What you provide above is insufficient, e.g., how can you exploit the issue you report? To the specifics, there are two calls to _asn1_check_identifier(), one from ASN1.y, which is used for the parsing of a developer-provided file, and one in structure.c in asn1_array2tree(), where the developer-provided file is converted to an array. Neither of these uses can lead to a vulnerability.

Reply, owl337:

(In reply to Nikos Mavrogiannopoulos from comment #2)
> Hi,
> Thank you for reporting that. I'd recommend providing more information
> when reporting vulnerabilities. What you provide above is insufficient,
> e.g., how can you exploit the issue you report?
>
> To the specifics, there are two calls to _asn1_check_identifier(), one from
> ASN1.y, which is used for the parsing of a developer-provided file, and one in
> structure.c in asn1_array2tree(), where the developer-provided file is
> converted to an array. Neither of these uses can lead to a vulnerability.

Thanks for the reminder. There are many other applications parsing ASN.1 syntax that use the asn1_array2tree or asn1_parser2array function. For example, https://github.com/FrUh/BitPunch/blob/master/lib/src/bitpunch/asn1/asn1.c . In addition, there should be lots of serialization-based applications that need self-defined ASN.1 syntax and are at risk of suffering a DoS attack.

Follow-up:

I still do not see how this can be exploited.

Follow-up:

Hi owl337, Please report these issues to the upstream libtasn1 project, if you haven't already done so. Thanks.
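The failure mode the thread argues about, as an added example that is not part of this bug report and is not libtasn1's code: a self-contained model of an identifier check walking a developer-provided definition array, once in the unchecked form (a NULL value reaches a string function and the process crashes) and once hardened so that a missing value comes back as an error code. The node layout mirrors the public asn1_static_node triple (name, type, value) and the NULL-name terminator that asn1_array2tree() expects, but the type tags, result codes, function names and the three definition arrays are this example's own assumptions; nothing here links against libtasn1 or reproduces its internal code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed type tags and result codes for this model only; they stand in for
 * libtasn1's ASN1_ETYPE_* and ASN1_* constants and do not share their values. */
enum model_type { MODEL_SEQUENCE = 1, MODEL_INTEGER, MODEL_IDENTIFIER };
enum model_result { MODEL_OK = 0, MODEL_VALUE_NOT_VALID, MODEL_IDENTIFIER_NOT_FOUND };

/* Modelled on the public asn1_static_node triple (name, type, value); a NULL
 * name terminates the array, as it does for asn1_array2tree(). */
typedef struct {
    const char *name;
    enum model_type type;
    const char *value;   /* for MODEL_IDENTIFIER: name of the referenced element */
} model_node;

/* True if a top-level element called `name` exists in the array. */
static bool model_find(const model_node *defs, const char *name)
{
    for (const model_node *p = defs; p->name != NULL; p++)
        if (strcmp(p->name, name) == 0)
            return true;
    return false;
}

/* Unchecked walk, shown for contrast: the referenced name is measured and
 * copied without first testing that value is non-NULL. An identifier node
 * whose value was left NULL makes strlen() dereference NULL, which is the
 * crash the report describes. Only call this on input already validated. */
static int model_check_unsafe(const model_node *defs)
{
    char ref[128];
    for (const model_node *p = defs; p->name != NULL; p++) {
        if (p->type != MODEL_IDENTIFIER)
            continue;
        size_t n = strlen(p->value);          /* NULL value: crash here */
        if (n >= sizeof ref)
            return MODEL_VALUE_NOT_VALID;
        memcpy(ref, p->value, n + 1);
        if (!model_find(defs, ref))
            return MODEL_IDENTIFIER_NOT_FOUND;
    }
    return MODEL_OK;
}

/* Hardened walk: the same check, but a missing value is reported through the
 * return code and `bad_index` instead of being dereferenced. A caller can run
 * this over its static definitions before handing them to asn1_array2tree()
 * on a libtasn1 build that predates the upstream fix. */
static int model_check_safe(const model_node *defs, size_t *bad_index)
{
    for (size_t i = 0; defs[i].name != NULL; i++) {
        const model_node *p = &defs[i];
        if (p->type != MODEL_IDENTIFIER)
            continue;
        if (p->value == NULL || p->value[0] == '\0') {
            if (bad_index) *bad_index = i;
            return MODEL_VALUE_NOT_VALID;
        }
        if (!model_find(defs, p->value)) {
            if (bad_index) *bad_index = i;
            return MODEL_IDENTIFIER_NOT_FOUND;
        }
    }
    return MODEL_OK;
}

/* Constructed definition arrays (not taken from any real module). `good_defs`
 * references an element that exists; `bad_defs` is the reported failure mode,
 * an identifier node whose value was left NULL; `dangling_defs` references a
 * name that does not exist. */
static const model_node good_defs[] = {
    { "Version", MODEL_INTEGER,    NULL },
    { "Cert",    MODEL_SEQUENCE,   NULL },
    { "ver",     MODEL_IDENTIFIER, "Version" },
    { NULL, 0, NULL }
};
static const model_node bad_defs[] = {
    { "Version", MODEL_INTEGER,    NULL },
    { "Cert",    MODEL_SEQUENCE,   NULL },
    { "ver",     MODEL_IDENTIFIER, NULL },        /* value missing */
    { NULL, 0, NULL }
};
static const model_node dangling_defs[] = {
    { "Version", MODEL_INTEGER,    NULL },
    { "ver",     MODEL_IDENTIFIER, "Versoin" },   /* typo: no such element */
    { NULL, 0, NULL }
};

int main(void)
{
    size_t idx = 0;
    printf("good: safe=%d unsafe=%d\n",
           model_check_safe(good_defs, &idx), model_check_unsafe(good_defs));
    printf("bad:  safe=%d (node %zu)\n", model_check_safe(bad_defs, &idx), idx);
    /* model_check_unsafe(bad_defs) would dereference NULL at this point. */
    return 0;
}
```

The point of the validator is the one the thread turns on: in both call sites the definitions come from the developer's own file or array, so the check only buys anything for a program that loads ASN.1 definitions from a source it does not control. For everything else the exposure is a crash of the developer's own build, not a remote denial of service, and the fix belongs upstream in the library.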