
CVE-2023-39914

NLnet Labs’ bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.


The CVE number for this vulnerability is CVE-2023-39914.

== Summary

The decoder of the bcder library does not sufficiently check input data, resulting in panics when decoding certain invalid data.

== Affected products

bcder up to and including 0.7.2.

== Description

Due to insufficient checking of input data, decoding certain data sequences can lead to bcder panicking rather than returning an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding. bcder 0.7.3 fixes these issues by more thoroughly checking inputs.

== Acknowledgments

We would like to thank Haya Shulman, Donika Mirdita, Niklas Vogel from Fraunhofer SIT and ATHENE for discovering and reporting the issue.
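As an added example, not bcder's own code, the following minimal DER tag/length header reader in Rust illustrates the class of fix the advisory describes: every bounds check happens before any slicing, and truncated or malformed input comes back as an Err instead of a panic. The error names and the Header struct are this example's own.

```rust
// Added example (not bcder code): a DER tag/length header reader that never panics.
// DER lengths: short form (< 0x80) is one byte; long form 0x80|n is followed by
// n big-endian bytes (n limited to 4 here). 0x80 (indefinite) and 0xff are invalid in DER.

#[derive(Debug, PartialEq)]
pub enum DerError { Truncated, IndefiniteLength, Reserved, Overlong, NonMinimal }

/// Parsed header: tag byte, content length, and the offset where content starts.
#[derive(Debug, PartialEq)]
pub struct Header { pub tag: u8, pub len: usize, pub content_start: usize }

pub fn read_header(data: &[u8]) -> Result<Header, DerError> {
    // `get`/`first` return Option, so a short buffer yields Err rather than an index panic.
    let tag = *data.first().ok_or(DerError::Truncated)?;
    let first_len = *data.get(1).ok_or(DerError::Truncated)?;
    let (len, content_start) = if first_len < 0x80 {
        (first_len as usize, 2)
    } else {
        if first_len == 0xff { return Err(DerError::Reserved); }
        let n = (first_len & 0x7f) as usize;
        if n == 0 { return Err(DerError::IndefiniteLength); }
        if n > 4 { return Err(DerError::Overlong); }
        let bytes = data.get(2..2 + n).ok_or(DerError::Truncated)?;
        // DER requires minimal encoding: no leading zero byte, long form only for >= 128.
        if bytes[0] == 0 { return Err(DerError::NonMinimal); }
        let len = bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        if len < 0x80 { return Err(DerError::NonMinimal); }
        (len, 2 + n)
    };
    // checked_add guards against usize overflow on 32-bit targets; then confirm the
    // declared content actually fits in the buffer before anyone slices it.
    let end = content_start.checked_add(len).ok_or(DerError::Truncated)?;
    if data.len() < end { return Err(DerError::Truncated); }
    Ok(Header { tag, len, content_start })
}

/// Returns the content bytes of the first element, or an error for bad input.
pub fn content(data: &[u8]) -> Result<&[u8], DerError> {
    let h = read_header(data)?;
    Ok(&data[h.content_start..h.content_start + h.len])
}
```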

Related news

GHSA-6jmw-6mxw-w4jc: BER/CER/DER decoder panics on invalid input
