Case VU#271649: libtasn1 version: v4.20.0

[I was made aware of this vulnerability by CERT.org, so I am posting it here as confidential.]

Affected Vendor: GNU.Org
Affected Product: libtasn1 version v4.20.0 (latest)
Affected Version: libtasn1 version v4.20.0 (latest)
Significant ICS/OT impact? no
Reporter: Researcher name: Benny Zeltser [jimhull@microsoft.com], Microsoft
Vendor contacted? yes. We engaged GNU.Org but they stopped communicating.

Vendor contacts: sysadmin@gnu.org; michael@fsf.org
Description: Vendor direct contact (if available): GNU. More info can be found here: https://www.gnu.org/software/libtasn1/

Vulnerability Summary: Stack-based buffer overflow in the function asn1_expand_octet_string in the file decoding.c. The function contains a buffer overflow caused by unsafe string concatenation. It declares a local buffer name of size 2 * ASN1_MAX_NAME_SIZE + 1 and then uses strcpy() and strcat() to concatenate definitions->name, a dot character and p2->name into it without any bounds checking:

Each of definitions->name and p2->name can be up to ASN1_MAX_NAME_SIZE characters long (each node name field is ASN1_MAX_NAME_SIZE + 1 bytes including its terminator), so the concatenated string needs 2 * ASN1_MAX_NAME_SIZE + 1 characters plus a terminating NUL, one byte more than the destination buffer holds. This stack-based buffer overflow can corrupt adjacent memory, potentially leading to code execution, program crashes or other security issues when processing maliciously crafted ASN.1 data.

Exploit: Generate a malicious file/buffer in the ASN.1 format and invoke the function asn1_expand_octet_string from the libtasn1 library (see Appendix for PoC).

Impact: As a library, this issue has limited direct impact. However, libtasn1 is integrated into numerous open source projects including GRUB, GnuTLS, p11-kit and many Linux distribution package managers (which use it for signature verification through GnuTLS). The impact depends mainly on the setup and might result in tampering, denial of service or elevation of privileges.
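The off-by-one described above, as an added example that is not libtasn1's own code: a small C model of the reported strcpy()/strcat() pattern next to a bounded replacement, with the overrun measured on two maximum-length names. It assumes ASN1_MAX_NAME_SIZE is 64 (the value in libtasn1.h) and that a node name lives in a field of ASN1_MAX_NAME_SIZE + 1 bytes; struct node, the join helpers and the sample names are constructed for this illustration only.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: ASN1_MAX_NAME_SIZE is 64 as in libtasn1.h. struct node is a
 * minimal stand-in for the node name field, not libtasn1's real asn1_node. */
#define ASN1_MAX_NAME_SIZE 64
#define JOIN_BUF_SIZE (2 * ASN1_MAX_NAME_SIZE + 1)  /* size used by the reported code */

struct node {
    char name[ASN1_MAX_NAME_SIZE + 1];  /* at most ASN1_MAX_NAME_SIZE chars + NUL */
};

/* Fill a node name with ASN1_MAX_NAME_SIZE copies of c (longest legal name). */
static void fill_max_name(struct node *n, char c)
{
    memset(n->name, c, ASN1_MAX_NAME_SIZE);
    n->name[ASN1_MAX_NAME_SIZE] = '\0';
}

/* Bytes needed to store "<a>.<b>" including the terminating NUL. */
size_t joined_size(const char *a, const char *b)
{
    return strlen(a) + 1 + strlen(b) + 1;
}

/* The reported pattern: unchecked strcpy/strcat into a caller-sized buffer. */
static void unsafe_join(char *dst, const char *a, const char *b)
{
    strcpy(dst, a);
    strcat(dst, ".");
    strcat(dst, b);
}

/* Hardened form: return -1 instead of writing when the result and its NUL
 * do not fit in dst_size bytes. */
int safe_join(char *dst, size_t dst_size, const char *a, const char *b)
{
    if (joined_size(a, b) > dst_size)
        return -1;
    snprintf(dst, dst_size, "%s.%s", a, b);
    return 0;
}

/* Run unsafe_join() with two maximum-length names into a buffer that is one
 * byte larger than JOIN_BUF_SIZE and report how many bytes landed past the
 * end of the original-sized buffer. The spare byte keeps the write inside our
 * own allocation, so the overrun is observable without undefined behaviour. */
int unsafe_overrun_bytes(void)
{
    struct node def, p2;
    char padded[JOIN_BUF_SIZE + 1];

    fill_max_name(&def, 'A');
    fill_max_name(&p2, 'B');
    memset(padded, 0x7f, sizeof padded);  /* non-NUL fill: strlen() stops only at the NUL the join writes */
    unsafe_join(padded, def.name, p2.name);

    /* Total bytes written = strlen + NUL; anything beyond JOIN_BUF_SIZE is the overrun. */
    return (int)(strlen(padded) + 1) - JOIN_BUF_SIZE;
}

/* 0 if the hardened join rejects two maximum-length names for the original
 * buffer size and accepts them once the buffer gains one byte; otherwise the
 * number of the check that failed. */
int safe_join_behaves(void)
{
    struct node def, p2;
    char small[JOIN_BUF_SIZE];
    char big[JOIN_BUF_SIZE + 1];

    fill_max_name(&def, 'A');
    fill_max_name(&p2, 'B');
    if (safe_join(small, sizeof small, def.name, p2.name) != -1)
        return 1;
    if (safe_join(big, sizeof big, def.name, p2.name) != 0)
        return 2;
    if (strlen(big) != 2 * ASN1_MAX_NAME_SIZE + 1)
        return 3;
    return 0;
}

int main(void)
{
    printf("unsafe join overruns the %d-byte buffer by %d byte(s)\n",
           JOIN_BUF_SIZE, unsafe_overrun_bytes());
    printf("hardened join check: %s\n", safe_join_behaves() == 0 ? "ok" : "FAILED");
    return 0;
}
```

Build with `cc -Wall -o join_demo join_demo.c` and run it. The demo deliberately pads the destination by one byte so the overrun stays inside its own array; in the real function the same extra byte (the NUL terminator) lands on whatever the compiler placed after name on the stack, which is why the report classes it as a stack-based overflow even though only one byte is affected.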

Rationale: The overflow is limited to a single byte, which significantly constrains exploitation possibilities compared to larger overflows. Additionally, the vulnerability requires specific conditions where both name fields are at maximum length, and it affects only one specific function rather than the entire ASN.1 parsing subsystem. However, it is more than "Moderate" because libtasn1 is widely used in security-critical contexts (TLS, certificate processing), the vulnerability can be triggered remotely through malicious ASN.1 data without authentication, and memory corruption bugs always carry significant risk regardless of size limitations.

Has been exploited? no
Is public? no
Disclosure Plans? no
