[tnozaki-openssl] CVE-2023-2650 Possible DoS translating ASN.1 object identifiers

Takehiko NOZAKI reporter

BUGFIX: Issue ~~#347~~ - CVE-2023-2650 Possible DoS translating ASN.1 object identifiers

Cherry-picked from: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098

Original commit message: Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate

OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical numeric text form. For gigantic sub-identifiers, this would take a very long time, the time complexity being O(n^2) where n is the size of that sub-identifier.

To mitigate this, a restriction on the size that OBJ_obj2txt() will translate to canonical numeric text form is added, based on RFC 2578 (STD 58), which says this:

3.5. OBJECT IDENTIFIER values

An OBJECT IDENTIFIER value is an ordered list of non-negative numbers. For the SMIv2, each number in the list is referred to as a sub-identifier, there are at most 128 sub-identifiers in a value, and each sub-identifier has a maximum value of 2^32-1 (4294967295 decimal).

Fixes otc/security~~#96~~ Fixes CVE-2023-2650

Reviewed-by: Matt Caswell matt@openssl.org Reviewed-by: Tomas Mraz tomas@openssl.org

→ <<cset 6a325e32a065>>

2023-12-16T16:59:00+00:00

Comments (2)

Takehiko NOZAKI reporter
- changed status to resolved
done <<cset:6a325e32a065bae348f063d32d106e727bac0094>>
- 2023-12-16T16:23:50+00:00
Takehiko NOZAKI reporter
BUGFIX: Issue ~~#347~~ - CVE-2023-2650 Possible DoS translating ASN.1 object identifiers

Cherry-picked from: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098

Original commit message: Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate

OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical numeric text form. For gigantic sub-identifiers, this would take a very long time, the time complexity being O(n^2) where n is the size of that sub-identifier.

To mitigate this, a restriction on the size that OBJ_obj2txt() will translate to canonical numeric text form is added, based on RFC 2578 (STD 58), which says this:

3.5. OBJECT IDENTIFIER values

An OBJECT IDENTIFIER value is an ordered list of non-negative numbers. For the SMIv2, each number in the list is referred to as a sub-identifier, there are at most 128 sub-identifiers in a value, and each sub-identifier has a maximum value of 2^32-1 (4294967295 decimal).

Fixes otc/security~~#96~~ Fixes CVE-2023-2650

Reviewed-by: Matt Caswell matt@openssl.org Reviewed-by: Tomas Mraz tomas@openssl.org

→ <<cset 6a325e32a065>>
- 2023-12-16T16:59:00+00:00
Log in to comment