CVE-2013-7488: Unsafe decoding creates infinite loop · Issue #14 · gbarr/perl-Convert-ASN1

perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input.


Closed · danaj opened this issue on Oct 8, 2013 · 5 comments · Fixed by #15


Contributor

**danaj** commented Oct 8, 2013

The following test of decoding unsafe input will make an infinite loop spewing warnings in 0.26:

```perl
use Convert::ASN1;

my $asn = Convert::ASN1->new;
$asn->prepare(q<
  [APPLICATION 7] SEQUENCE {
    int INTEGER
  }
>);
my $out;
$out = $asn->decode( pack("H*", "dfccd3fde3") );
$out = $asn->decode( pack("H*", "b0805f92cb") );
```

I ran random 5-byte strings to find two repeatable examples.

Fix: Add a position check to the two do loops on lines 636 and 690 of _decode.pm:

```perl
do {
  $tag .= substr($_[0],$pos++,1);
  $b = ord substr($tag,-1);
} while($b & 0x80 && $pos < $end);
```

This can happen in Convert::PEM when an incorrect password is used. See RT 27574 for an example.


Contributor Author

**danaj** commented Oct 9, 2013

Alternate fix. This seems to fit the existing style slightly better but I haven’t seen any examples where it matters.

```perl
do {
  return if $pos >= $end;
  $tag .= substr($_[0],$pos++,1);
  $b = ord substr($tag,-1);
} while($b & 0x80);
```

This puts the test in front of the substr call so it happens before the first substr.

Also the “my $n = 1” at line 632 is unused.

I’ll try to find time to do a pull request using the first code set.
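The failure mode and the first proposed fix, shown as an added example that is not part of the original thread or of Convert::ASN1's code: once `$pos` passes the end of the buffer, `substr` appends nothing, so the last byte of `$tag` keeps its 0x80 bit and the loop condition never changes. The `read_tag` helper, its `$checked` and `$max_iter` parameters, and the second sample input are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical stand-in for the tag-reading loop quoted in the issue (not Convert::ASN1 code).
# $checked applies the first proposed fix; $max_iter is a demo-only guard so the
# unchecked form returns here instead of spinning forever.
sub read_tag {
    my ($buf, $checked, $max_iter) = @_;
    my ($pos, $end) = (0, length $buf);
    return { status => 'empty', pos => $pos } if $pos >= $end;

    my $tag = substr($buf, $pos++, 1);
    if ((ord($tag) & 0x1f) == 0x1f) {            # high-tag-number form: tag continues
        no warnings qw(substr uninitialized);    # the unchecked loop triggers both
        my ($byte, $iter) = (0, 0);
        do {
            return { status => 'runaway', pos => $pos } if ++$iter > $max_iter;
            $tag .= substr($buf, $pos++, 1);     # past $end this appends nothing,
            $byte = ord substr($tag, -1);        # so $byte keeps the old 0x80 bit
        } while ($byte & 0x80 && (!$checked || $pos < $end));
        # Assumption: a tag whose last byte still has 0x80 set is reported as truncated.
        return { status => 'truncated', pos => $pos } if $byte & 0x80;
    }
    return { status => 'ok', pos => $pos, tag => unpack('H*', $tag) };
}

# Inputs: the first is a 5-byte string from the issue; the second is constructed
# (a complete two-byte tag 5f 21 followed by a zero length).
my %samples = (
    'dfccd3fde3' => 'from the issue',
    '5f2100'     => 'constructed, well-formed tag',
);

for my $hex (sort keys %samples) {
    my $buf = pack('H*', $hex);
    for my $checked (0, 1) {
        my $r = read_tag($buf, $checked, 1000);
        printf "%-10s (%s) %-9s -> %s at pos %d\n",
            $hex, $samples{$hex}, $checked ? 'checked' : 'unchecked',
            $r->{status}, $r->{pos};
    }
}
```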

Mentioned corresponding pull request is at #15

gentoo-bot pushed a commit to gentoo/gentoo that referenced this issue (Jun 28, 2020)

NeddySeagoon pushed a commit to NeddySeagoon/gentoo-arm64 that referenced this issue (Jun 29, 2020)

@gbarr does the proposed change look good to be merged?


Owner

**gbarr** commented Mar 6, 2021

@carnil I have not been active with anything Perl for a long time. If anyone wants to take maintainership I would be happy to pass it on

timlegge linked a pull request on May 22, 2021 that will close this issue
