Skip to content

Panic on incorrect date input to `simple_asn1`

Moderate severity GitHub Reviewed Published Jun 17, 2022 to the GitHub Advisory Database • Updated Jun 13, 2023

Package

cargo simple_asn1 (Rust)

Affected versions

= 0.6.0

Patched versions

0.6.1

Description

Version 0.6.0 of the simple_asn1 crate panics on certain malformed
inputs to its parsing functions, including from_der and der_decode.
Because this crate is frequently used with inputs from the network, this
should be considered a security vulnerability.

The issue occurs when parsing the old ASN.1 "UTCTime" time format. If an
attacker provides a UTCTime where the first character is ASCII but the
second character is above 0x7f, a string slice operation in the
from_der_ function will try to slice into the middle of a UTF-8
character, and cause a panic.

This error was introduced in commit
d7d39d709577710e9dc8,
which updated simple_asn1 to use time instead of chrono because of
RUSTSEC-2020-159.
Versions of simple_asn1 before 0.6.0 are not affected by this issue.

The patch was applied in
simple_asn1 version 0.6.1.

References

Published to the GitHub Advisory Database Jun 17, 2022
Reviewed Jun 17, 2022
Last updated Jun 13, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-3m6f-3gfg-4x56

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.