CVE-2022-0778: Loop with Unreachable Exit Condition ('Infinite Loop')

March 15, 2022 (updated November 9, 2023)

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters

References

lists.debian.org/debian-lts-announce/2022/03/msg00023.html
lists.debian.org/debian-lts-announce/2022/03/msg00024.html
nvd.nist.gov/vuln/detail/CVE-2022-0778
security.netapp.com/advisory/ntap-20220321-0002/
www.debian.org/security/2022/dsa-5103

Code Behaviors & Features

Detect and mitigate CVE-2022-0778 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →