Bug 723846 (CVE-2018-0739) - [Tracker] ASN.1 parsing vulnerability (CVE-2018-0739)
Summary: [Tracker] ASN.1 parsing vulnerability (CVE-2018-0739)
Status: RESOLVED FIXED
Alias: CVE-2018-0739
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [cve]
Keywords:
Depends on: CVE-2018-0733 CVE-2018-12437
Blocks:
Reported: 2020-05-18 21:30 UTC by Sam James
Modified: 2020-07-29 23:47 UTC
See Also:
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-18 21:30:59 UTC
Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
==========================================================================================

Severity: Moderate

Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There are
no such structures used within SSL/TLS that come from untrusted sources so this
is considered safe.

OpenSSL 1.1.0 users should upgrade to 1.1.0h
OpenSSL 1.0.2 users should upgrade to 1.0.2o

This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz project.
The fix was developed by Matt Caswell of the OpenSSL development team.
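The advisory above describes constructed types nested deeply enough to exhaust the parser's stack. As an added example (not OpenSSL's code and not part of this bug report), here is a small DER walker in C that descends into constructed types but refuses to go beyond a fixed nesting bound, plus a builder for nested SEQUENCE test input; MAX_NEST, der_nesting, build_nested and nested_result are names and values chosen for this example.

```c
#include <stdint.h>
#include <string.h>

#define MAX_NEST 30   /* assumed bound for this example, not OpenSSL's own constant */
/* Walk DER TLVs starting at nesting `depth`; returns the deepest constructed nesting
 * reached (0 for a flat buffer) or -1 on malformed input or nesting beyond MAX_NEST. */
int der_nesting(const uint8_t *p, size_t len, int depth)
{
    int deepest = depth;
    while (len > 0) {
        uint8_t tag = p[0];
        if ((tag & 0x1f) == 0x1f || len < 2) return -1;     /* high-tag-number form unsupported */
        size_t hdr = 2, l = p[1];
        if (l & 0x80) {                                     /* long-form length */
            size_t n = l & 0x7f;                            /* n == 0 is indefinite form: not DER */
            if (n == 0 || n > sizeof(size_t) || len - 2 < n) return -1;
            l = 0; for (size_t i = 0; i < n; i++) l = (l << 8) | p[2 + i];
            hdr += n;
        }
        if (l > len - hdr) return -1;                       /* content overruns the buffer */
        if (tag & 0x20) {                                   /* constructed: descend into contents */
            if (depth + 1 > MAX_NEST) return -1;            /* the check that bounds the recursion */
            int d = der_nesting(p + hdr, l, depth + 1);
            if (d < 0) return -1;
            if (d > deepest) deepest = d;
        }
        p += hdr + l; len -= hdr + l;
    }
    return deepest;
}

/* Constructed test input: n SEQUENCEs nested around one NULL (out needs 3*n + 2 bytes). */
size_t build_nested(uint8_t *out, int n)
{
    size_t len = 2; out[0] = 0x05; out[1] = 0x00;          /* innermost NULL */
    for (int i = 0; i < n; i++) {
        uint8_t hdr[3] = {0x30, (uint8_t)len}; size_t h = 2; /* SEQUENCE, short-form length */
        if (len >= 0x80) { hdr[1] = 0x81; hdr[2] = (uint8_t)len; h = 3; }  /* long form, < 256 */
        memmove(out + h, out, len);
        memcpy(out, hdr, h);
        len += h;
    }
    return len;
}

int nested_result(int n)   /* build n nested SEQUENCEs and walk them from depth 0; n < 100 */
{
    uint8_t buf[512];
    return der_nesting(buf, build_nested(buf, n), 0);
}
```

Without the depth check, every extra SEQUENCE layer in the input costs another stack frame; with it, input past the bound is rejected before any further recursion.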
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-18 21:37:58 UTC
Please note that this is *not* a new issue in OpenSSL; this tracker is so we can use the CVE for libtomcrypt / dropbear too.