blob: ec167afd8e31ef28f2e7c80f96511778ff881fa4 [file] [view]
==================================================================
CVE-2025-13151: Stack-based buffer overflow in `asn1_expand_octet_string` function
==================================================================
Expanding an "OCTET STRING" element of a structure using the
`asn1_expand_octet_string` function may lead to a one-byte stack
overflow that may corrupt adjacent memory in the worst case scenario.
Severity: Low
Vulnerable versions : All released version of libtasn1
Not vulnerable : libtasn1 4.21.0
Vulnerability information
=========================
The `asn1_expand_octet_string` function was using an internal buffer
of size `2 * ASN1_MAX_NAME_SIZE + 1`, allocated on the stack. The
function then constructs the element name on the buffer, by
concatenating `definitions->name` and `p2->name`, separated with a dot
(".") character. When both the names are of `ASN1_MAX_NAME_SIZE`
characters, the final NUL character could have been written past the
boundary.
For details, see the original issue reported at:
https://gitlab.com/gnutls/libtasn1/-/issues/55
Exploitation
============
In order to exploit this, the target program must be using the
`asn1_expand_octet_string` function explicitly with an excessively
long name (`ASN1_MAX_NAME_SIZE` = 64 characters) for both the ASN.1
definition and the target element. Given the ASN.1 definitions are
normally part of the application code base, it is highly unlikely to
be exploitable.
Recommendation
=========
To address this vulnerability, please upgrade to libtasn1 4.21.0 or
later. We recommend that applications using libtasn1 should embed the
ASN.1 definitions as a C table created using the `asn1Parser` program,
rather than loading it at run time, to reduce the attack surface.
Workaround
==========
For those who cannot modify the application code, compile the libtasn1
with the `-D_FORTIFY_SOURCE=2` flag will mitigate the issue by
replacing the `strcat` implementation with a bounds check.
Credits
=======
Thanks to Benny Zelster from Microsoft Research and Vijay Sarvepalli
from CERT/CC for coordinating the disclosure of this vulnerability.