Opened 6 weeks ago

Closed 6 weeks ago

#21032 closed enhancement (fixed)

libtasn1-4.20.0

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.3
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New minor version

NEWS

* Noteworthy changes in release 4.20.0 (2025-02-01) [stable]
- The release tarball is now reproducible.
- We publish a minimal source-only tarball generated by 'git archive'.
- Update gnulib files and various build/maintenance fixes.
- Fix CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF elements

There isn't a rating for CVE-2024-12133 yet, so we will assume High for the security advisory and adjust it later if necessary.

Change History (3)

comment:1 by Douglas R. Reno, 6 weeks ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 6 weeks ago

More details have been released about this vulnerability at https://gitlab.com/gnutls/libtasn1/-/blob/master/doc/security/CVE-2024-12133.md?ref_type=heads

Here's a slightly cleaned up version:

CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET OF elements
When input DER data contains a large number of SEQUENCE OF or SET
OF elements, decoding the data and searching a specific element in it
take quadratic time to complete. This could be utilized for a remote
DoS attack by presenting a crafted certificate to the network peer.
Severity: Moderate
Vulnerable versions: All released versions of libtasn1
Not vulnerable: libtasn1 4.20.0

Vulnerability information
The issue is twofold: decoding a DER input with sequences and locating
a specific element in a sequence. Even though a DER sequence is
conceptually an array, in libtasn1 it is represented as a linked list,
whose elements are assigned a string name, such as "?1". Therefore a
simple lookup of an element at a given position is linear O(N) time
complexity. When decoding a DER sequence, in each step libtasn1 looks
up the parent node, recorded on the first element, which requires a
backward linear search, resulting in O(N^2) time complexity.
For details, see the original issue reported at:
#52

Exploitation
By presenting a certificate with a large number of Subject Alternative
Name or name constraint entries, the adversary can impose Denial of
Service (DoS) in applications using libtasn1 for certificate parsing
and verification.

Recommendation
To address this vulnerability, please upgrade to libtasn1 4.20.0 or
later. At the same time, we recommend that applications using libtasn1 for
certificate processing set a limit on input sequences, such as
Subject Alternative Name or name constraint entries, to reduce the attack
surface.

Workaround
For those who cannot modify the application code, resource control
mechanisms provided by the operating system, such as cgroups, could
help avoid excessive usage of CPU time.
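
The advisory's recommendation to cap the number of Subject Alternative Name or name constraint entries, as an added example that is not part of the ticket or of libtasn1: a small DER walker that counts the children of the outer SEQUENCE OF / SET OF and stops as soon as the limit is exceeded, so the work done is bounded by the limit rather than by the attacker's input. The function names and the sample DER produced by make_sequence_of() are assumptions constructed for this example.

```python
# Added example (not libtasn1 code): a DER-level pre-check that counts the children
# of a SEQUENCE OF / SET OF and rejects input above a caller-chosen limit up front.

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: missing tag or length")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported by this check")
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: 1..4 length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER: value runs past input")
    return tag, pos, end

def count_elements(der: bytes, limit: int) -> int:
    """Count direct children of the outer SEQUENCE/SET, raising once `limit` is exceeded."""
    tag, pos, end = _read_tlv(der, 0)
    if tag not in (0x30, 0x31):            # 0x30 = SEQUENCE, 0x31 = SET
        raise ValueError("outer element is not SEQUENCE/SET")
    count = 0
    while pos < end:
        _, _, pos = _read_tlv(der, pos)    # skip one child without decoding it
        count += 1
        if count > limit:                  # work done is bounded by the limit
            raise ValueError(f"more than {limit} elements; rejecting input")
    return count

def within_limit(der: bytes, limit: int) -> bool:  # policy wrapper for callers
    try:
        return count_elements(der, limit) <= limit
    except ValueError:
        return False

def make_sequence_of(n: int) -> bytes:
    """Constructed sample: SEQUENCE OF n entries shaped like dNSName [2] 'a'."""
    body = b"\x82\x01a" * n
    if len(body) < 0x80:
        return b"\x30" + bytes([len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + body
```

Run the check on the raw extension value before handing the certificate to the full parser; malformed or truncated input is rejected by the same gate.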

comment:3 by Douglas R. Reno, 6 weeks ago

Resolution: fixed
Status: assigned → closed

Fixed at d3677351d840b5fe15d89f19e8b984d1142a1f6d

SA-12.2-077 issued
