GHSA-3M6F-3GFG-4X56
Vulnerability from github – Published: 2022-06-17 00:19 – Updated: 2022-06-17 00:19Version 0.6.0 of the simple_asn1 crate panics on certain malformed
inputs to its parsing functions, including from_der and der_decode.
Because this crate is frequently used with inputs from the network, this
should be considered a security vulnerability.
The issue occurs when parsing the old ASN.1 "UTCTime" time format. If an
attacker provides a UTCTime where the first character is ASCII but the
second character is above 0x7f, a string slice operation in the
from_der_ function will try to slice into the middle of a UTF-8
character, and cause a panic.
This error was introduced in commit
d7d39d709577710e9dc8,
which updated simple_asn1 to use time instead of chrono because of
RUSTSEC-2020-159.
Versions of simple_asn1 before 0.6.0 are not affected by this issue.
The patch was applied in
simple_asn1 version 0.6.1.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "simple_asn1"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6.0"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2022-06-17T00:19:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Version 0.6.0 of the `simple_asn1` crate panics on certain malformed\ninputs to its parsing functions, including `from_der` and `der_decode`.\nBecause this crate is frequently used with inputs from the network, this\nshould be considered a security vulnerability.\n\nThe issue occurs when parsing the old ASN.1 \"UTCTime\" time format. If an\nattacker provides a UTCTime where the first character is ASCII but the\nsecond character is above 0x7f, a string slice operation in the\n`from_der_` function will try to slice into the middle of a UTF-8\ncharacter, and cause a panic.\n\nThis error was introduced in commit\n[`d7d39d709577710e9dc8`](https://github.com/acw/simple_asn1/commit/d7d39d709577710e9dc8833ee57d200eef366db8),\nwhich updated `simple_asn1` to use `time` instead of `chrono` because of\n[`RUSTSEC-2020-159`](https://rustsec.org/advisories/RUSTSEC-2020-0159).\nVersions of `simple_asn1` before 0.6.0 are not affected by this issue.\n\nThe [patch](https://github.com/acw/simple_asn1/pull/28) was applied in\n`simple_asn1` version 0.6.1.\n",
"id": "GHSA-3m6f-3gfg-4x56",
"modified": "2022-06-17T00:19:49Z",
"published": "2022-06-17T00:19:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/acw/simple_asn1/issues/27"
},
{
"type": "WEB",
"url": "https://github.com/acw/simple_asn1/commit/d7d39d709577710e9dc8833ee57d200eef366db8"
},
{
"type": "PACKAGE",
"url": "https://github.com/acw/simple_asn1"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0125.html"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Panic on incorrect date input to `simple_asn1`"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.