GHSA-3m6f-3gfg-4x56: Panic on incorrect date input to `simple_asn1`
Version 0.6.0 of the simple_asn1
crate panics on certain malformed
inputs to its parsing functions, including from_der
and der_decode
.
Because this crate is frequently used with inputs from the network, this
should be considered a security vulnerability.
The issue occurs when parsing the old ASN.1 “UTCTime” time format. If an
attacker provides a UTCTime where the first character is ASCII but the
second character is above 0x7f, a string slice operation in the
from_der_
function will try to slice into the middle of a UTF-8
character, and cause a panic.
This error was introduced in commit
d7d39d709577710e9dc8
,
which updated simple_asn1
to use time
instead of chrono
because of
RUSTSEC-2020-159
.
Versions of simple_asn1
before 0.6.0 are not affected by this issue.
The patch was applied in
simple_asn1
version 0.6.1.
References
Detect and mitigate GHSA-3m6f-3gfg-4x56 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →