asn1_expand_octet_string function

Expanding an "OCTET STRING" element of a structure using the asn1_expand_octet_string function may lead to a one-byte stack overflow that, in the worst-case scenario, may corrupt adjacent memory.

Severity: Low
Vulnerable versions: all released versions of libtasn1
Not vulnerable: libtasn1 4.21.0
The asn1_expand_octet_string function was using an internal buffer of size 2 * ASN1_MAX_NAME_SIZE + 1, allocated on the stack. The function then constructs the element name in that buffer by concatenating definitions->name and p2->name, separated by a dot (".") character. When both names are ASN1_MAX_NAME_SIZE characters long, the terminating NUL character could have been written one byte past the end of the buffer.
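The sizing arithmetic behind that off-by-one, next to a bounds-checked join that refuses names that would not fit, as an added example that is not libtasn1's own code; it uses the advisory's ASN1_MAX_NAME_SIZE of 64, and the function names and the constructed 'A'/'B' names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ASN1_MAX_NAME_SIZE 64                      /* value stated in the advisory */
#define NAME_BUF_SIZE (2 * ASN1_MAX_NAME_SIZE + 1) /* size of the vulnerable stack buffer */

/* Bytes needed to hold "<a>.<b>" including the terminating NUL. */
size_t joined_name_bytes(const char *a, const char *b)
{
    return strlen(a) + 1 + strlen(b) + 1;
}

/* Same arithmetic on plain lengths, for quick sizing checks. */
size_t joined_bytes_for_lengths(size_t len_a, size_t len_b)
{
    return len_a + 1 + len_b + 1;
}

/* Bounds-checked replacement for an unchecked strcpy/strcat sequence:
 * returns -1 and leaves out untouched when "<a>.<b>" plus NUL would not
 * fit in out_size bytes, 0 on success. */
int join_names_checked(char *out, size_t out_size, const char *a, const char *b)
{
    if (joined_name_bytes(a, b) > out_size)
        return -1;
    int n = snprintf(out, out_size, "%s.%s", a, b);
    return (n >= 0 && (size_t)n < out_size) ? 0 : -1;
}

/* Constructs two names of the given lengths (capped at ASN1_MAX_NAME_SIZE)
 * and tries to join them into a NAME_BUF_SIZE-byte buffer. */
int try_join_with_lengths(size_t len_a, size_t len_b)
{
    char a[ASN1_MAX_NAME_SIZE + 1], b[ASN1_MAX_NAME_SIZE + 1];
    char out[NAME_BUF_SIZE];
    if (len_a > ASN1_MAX_NAME_SIZE) len_a = ASN1_MAX_NAME_SIZE;
    if (len_b > ASN1_MAX_NAME_SIZE) len_b = ASN1_MAX_NAME_SIZE;
    memset(a, 'A', len_a); a[len_a] = '\0';
    memset(b, 'B', len_b); b[len_b] = '\0';
    return join_names_checked(out, sizeof out, a, b);
}

int main(void)
{
    printf("buffer holds %d bytes\n", NAME_BUF_SIZE);
    printf("64 + '.' + 64 needs %zu bytes -> %s\n", joined_bytes_for_lengths(64, 64),
           try_join_with_lengths(64, 64) == 0 ? "fits" : "rejected (one byte too many)");
    printf("64 + '.' + 63 needs %zu bytes -> %s\n", joined_bytes_for_lengths(64, 63),
           try_join_with_lengths(64, 63) == 0 ? "fits" : "rejected");
    return 0;
}
```

Two maximum-length names need 130 bytes against a 129-byte buffer, which is exactly the one-byte overrun the advisory describes.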
For details, see the original issue reported at: https://gitlab.com/gnutls/libtasn1/-/issues/55
In order to exploit this, the target program must be calling the asn1_expand_octet_string function explicitly with an excessively long name (ASN1_MAX_NAME_SIZE = 64 characters) for both the ASN.1 definition and the target element. Since the ASN.1 definitions are normally part of the application code base, this is highly unlikely to be exploitable.
To address this vulnerability, please upgrade to libtasn1 4.21.0 or later. We recommend that applications using libtasn1 embed the ASN.1 definitions as a C table generated by the asn1Parser program, rather than loading them at run time, to reduce the attack surface.
For those who cannot modify the application code, compiling libtasn1 with the -D_FORTIFY_SOURCE=2 flag will mitigate the issue by replacing the strcat implementation with a bounds-checked one.
Thanks to Benny Zelster from Microsoft Research and Vijay Sarvepalli from CERT/CC for coordinating the disclosure of this vulnerability.