[gnutls-devel] libtasn1 | Potential Buffer Overrun in _asn1_tag_der() (#49)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Feb 27 11:57:03 CET 2024

Simon Josefsson commented: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1790913215

And `_asn1_insert_tag_der` is only used via `asn1_der_coding` where the tags come from the ASN.1 schema and is likely safe, except for implicit tags but I'm not convinced they are ever attacker controller.

The code should be improved to not be safe just because it is just in particular ways.  Since `_asn1_tag_der` only supports tags 1..4 bytes I think it can be implemented without loops.  It would be nice to add white-box testing of similar internal functions, but library export visibility makes it a bit difficult.

There are other coverity finds in your link that looks interesting. I thought we already ran coverity checks on libtasn1 and had looked into them, but it was a long time ago and I may have forgotten the details.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/issues/49#note_1790913215
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20240227/05978ee6/attachment.html>

More information about the Gnutls-devel mailing list