CVE-2013-7488: Unsafe decoding creates infinite loop · Issue #14 · gbarr/perl-Convert-ASN1
perl-Convert-ASN1 (aka the Convert::ASN1 module for Perl) through 0.27 allows remote attackers to cause an infinite loop via unexpected input.
Closed · danaj opened this issue Oct 8, 2013 · 5 comments · Fixed by #15
**danaj** commented Oct 8, 2013
The following test of decoding unsafe input will make an infinite loop spewing warnings in 0.26:
```perl
use Convert::ASN1;
my $asn = Convert::ASN1->new;
$asn->prepare(q<
  [APPLICATION 7] SEQUENCE {
    int INTEGER
  }
>);
my $out;
$out = $asn->decode( pack("H*", "dfccd3fde3") );
$out = $asn->decode( pack("H*", "b0805f92cb") );
```
I ran random 5-byte strings to find two repeatable examples.
Fix: Add a position check to the two do loops on lines 636 and 690 of _decode.pm:
```perl
do {
  $tag .= substr($_[0],$pos++,1);
  $b = ord substr($tag,-1);
} while($b & 0x80 && $pos < $end);
```
This can happen in Convert::PEM when an incorrect password is used. See RT 27574 for an example.
**danaj** commented Oct 9, 2013
Alternate fix. This seems to fit the existing style slightly better but I haven’t seen any examples where it matters.
```perl
do {
  return if $pos >= $end;
  $tag .= substr($_[0],$pos++,1);
  $b = ord substr($tag,-1);
} while($b & 0x80);
```
This puts the test in front of the substr call so it happens before the first substr.
Also the “my $n = 1” at line 632 is unused.
I’ll try to find time to do a pull request using the first code set.
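An added stand-alone example (not Convert::ASN1 code and not part of the original thread) showing why the bound matters: in both inputs from the report, an identifier byte whose low five bits are 0x1f is followed only by bytes with the 0x80 continuation bit set until the buffer ends. `read_tag` is a hypothetical helper, the offset 2 for the second input assumes the identifier that follows the `b0 80` header, and the third input is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (added example, not the module's code).
# Reads one BER identifier starting at $pos and returns ($tag_bytes, $new_pos),
# or an empty list if the buffer ends before the identifier is complete.
sub read_tag {
    my ($buf, $pos, $end) = @_;
    return if $pos >= $end;
    my $tag = substr($buf, $pos++, 1);
    if ((ord($tag) & 0x1f) == 0x1f) {        # high-tag-number form
        my $b;
        do {
            # Without this check, substr() past the end appends nothing,
            # the last byte of $tag keeps its 0x80 bit, and the loop never ends.
            return if $pos >= $end;
            $tag .= substr($buf, $pos++, 1);
            $b = ord substr($tag, -1);
        } while ($b & 0x80);                 # 0x80 set: more tag bytes follow
    }
    return ($tag, $pos);
}

# Two inputs from the report plus one constructed, well-formed identifier.
my @cases = (
    [ 'dfccd3fde3', 0, 'report input 1, offset 0' ],
    [ 'b0805f92cb', 2, 'report input 2, offset 2' ],
    [ '5f8101',     0, 'constructed: tag number 129' ],
);

for my $c (@cases) {
    my ($hex, $start, $label) = @$c;
    my $buf = pack('H*', $hex);
    my ($tag, $pos) = read_tag($buf, $start, length $buf);
    if (defined $tag) {
        printf "%-30s tag=%s next=%d\n", $label, unpack('H*', $tag), $pos;
    } else {
        printf "%-30s truncated identifier, rejected\n", $label;
    }
}
```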
Mentioned corresponding pull request is at #15
gentoo-bot pushed a commit to gentoo/gentoo that referenced this issue Jun 28, 2020
NeddySeagoon pushed a commit to NeddySeagoon/gentoo-arm64 that referenced this issue Jun 29, 2020
@gbarr does the proposed change look good to be merged?
**gbarr** commented Mar 6, 2021
@carnil I have not been active with anything Perl for a long time. If anyone wants to take maintainership I would be happy to pass it on
timlegge linked a pull request that will close this issue May 22, 2021