[Bug 1015243] New: VUL-0: CVE-2016-9939: libcryptopp: Potential DoS in Crypto++ (libcryptopp) ASN.1 parser
http://bugzilla.opensuse.org/show_bug.cgi?id=1015243
Bug ID: 1015243
Summary: VUL-0: CVE-2016-9939: libcryptopp: Potential DoS in Crypto++ (libcryptopp) ASN.1 parser
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
Reference: [1] http://seclists.org/oss-sec/2016/q4/659
[1]:
=========================================================================
Gergely Nagy and Tamás Koczka of Tresorit report a potential DoS in
the Crypto++ ASN.1 parser. A copy of their email with the report can
be found at
https://groups.google.com/d/msg/cryptopp-users/fEQ8jWg_K8g/qOLHGIDICwAJ.
When Crypto++ library parses an ASN.1 data value, the library
allocates for the content octets based on the length octets. Later, if
there's too few or too little content octets, the library throws a
BERDecodeErr exception. The memory for the content octets will be
zeroized (even if unused), which could take a long time on a large
allocation.
Please assign a CVE for the potential issue.
Thanks in advance.
========================================================================
[2] https://groups.google.com/d/msg/cryptopp-users/fEQ8jWg_K8g/qOLHGIDICwAJ
[2]:
========================================================================
---------- Forwarded message ----------
From: Gergely Nagy
http://bugzilla.opensuse.org/show_bug.cgi?id=1015243#c1
--- Comment #1 from Mikhail Kasimov
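
Added example, not part of the bug report and not Crypto++ code: one way to order the check the report describes, comparing the declared BER length with the bytes actually remaining before any buffer is sized from it. The names ReadDefiniteLength and ReadOctetString and the sample inputs are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

typedef std::vector<std::uint8_t> Bytes;

// Hypothetical helpers for illustration; these are not Crypto++ functions.
// Decode a BER definite length at buf[pos] and advance pos past it.
// Fails on truncated input, the indefinite form (0x80), or a length that
// needs more octets than size_t holds.
bool ReadDefiniteLength(const Bytes& buf, std::size_t& pos, std::size_t& len) {
    if (pos >= buf.size()) return false;
    const std::uint8_t first = buf[pos++];
    if ((first & 0x80) == 0) { len = first; return true; }  // short form
    const std::size_t n = first & 0x7F;                      // count of length octets
    if (n == 0 || n > sizeof(std::size_t) || n > buf.size() - pos) return false;
    len = 0;
    for (std::size_t i = 0; i < n; ++i) len = (len << 8) | buf[pos++];
    return true;
}

// Read one OCTET STRING (tag 0x04) into out. The declared length is checked
// against the bytes actually remaining BEFORE any buffer is sized from it,
// so a short input cannot force a huge allocation that is later wiped.
bool ReadOctetString(const Bytes& buf, Bytes& out) {
    std::size_t pos = 0, len = 0;
    out.clear();
    if (buf.empty() || buf[pos++] != 0x04) return false;
    if (!ReadDefiniteLength(buf, pos, len)) return false;
    if (len > buf.size() - pos) return false;  // reject before allocating
    out.assign(buf.begin() + pos, buf.begin() + pos + len);
    return true;
}

int main() {
    // Constructed inputs: a well-formed 3-byte value, and a 6-byte message
    // whose length octets claim 0x7FFFFFFF content octets that never arrive.
    const Bytes good = {0x04, 0x03, 'a', 'b', 'c'};
    const Bytes hostile = {0x04, 0x84, 0x7F, 0xFF, 0xFF, 0xFF};
    Bytes out;
    std::printf("good: %d\n", ReadOctetString(good, out));
    std::printf("hostile: %d\n", ReadOctetString(hostile, out));
    return 0;
}
```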