Bug 1484823 (CVE-2017-12966) - CVE-2017-12966 asn1c: segmentation fault in asn1f_lookup_symbol_impl function
Summary: CVE-2017-12966 asn1c: segmentation fault in asn1f_lookup_symbol_impl function
Alias: CVE-2017-12966
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: https://github.com/vlm/asn1c/issues/190
Depends On: 1484824
TreeView+ depends on / blocked
Reported: 2017-08-24 11:24 UTC by Adam Mariš
Modified: 2019-09-29 14:19 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-08 03:22:07 UTC

Attachments (Terms of Use)

Description Adam Mariš 2017-08-24 11:24:12 UTC
The asn1f_lookup_symbol_impl function in asn1fix_retrieve.c in
libasn1fix.a in asn1c 0.9.28 allows remote attackers to cause a denial
of service (segmentation fault) via a crafted .asn1 file.



Comment 1 Adam Mariš 2017-08-24 11:24:35 UTC
Created asn1c tracking bugs for this issue:

Affects: fedora-all [bug 1484824]

Comment 2 Robbie Harwood 2017-08-24 16:35:12 UTC
This has got to be one of the worst upstream bug reports I've ever seen.

- There's no traceback or indication of what actually went wrong, just "access violation" and the function.
- There's no reproducer; in the middle, the reporter shows a different file.  It is not clear why this file is shown.
- The reporter has clearly made a custom build (probably for fuzzing), but couldn't be bothered to build it unoptimized.
- asn1c is expressly not intended to be public facing; no compiler is hardened in this manner.

Given the above, I'm kind of shocked that this was issued a CVE, and I doubt anyone will be "fixing" it soon.

Comment 3 Robbie Harwood 2017-08-24 16:36:10 UTC
(Sorry, applied status change to the wrong bug instead of the Fedora one.)

Comment 4 Product Security DevOps Team 2019-06-08 03:22:07 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.