"In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data."
Patch 1: https://github.com/libtom/libtomcrypt/commit/25c26a3b7a9ad8192ccc923e15cf62bf0108ef94
Patch 2 (adds test):
https://github.com/libtom/libtomcrypt/commit/91856f003f9095e5a1fb461ffe9e434f735e8ac6 (not on a branch?)
I'll apply the patch later. Ideally, the comments on the test case patch would be resolved first.
(In reply to Sam James from comment #1)
> I'll apply the patch later. Ideally, the comments on the test case patch
> would be resolved first.
Look addressed now but can't test atm.
I'm not convinced this is actually fixed: https://github.com/libtom/libtomcrypt/issues/561
Package list is empty or all packages have requested keywords.