CVE-2023-39914 in bcder. (#1782)

* CVE-2023-39914 in bcder. * Improve advisory data. * Remove comments. Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com> --------- Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
2026-01-04 02:25:24 +01:00 · 2023-09-13 17:46:14 +02:00
parent 19e0777eb7
commit 3fefc61182
1 changed files with 26 additions and 0 deletions
--- a/crates/bcder/RUSTSEC-0000-0000.md
+++ b/crates/bcder/RUSTSEC-0000-0000.md
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "bcder"
+date = "2023-09-13"
+url = "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt"
+categories = ["denial-of-service"]
+keywords = ["example", "freeform", "keywords"]
+aliases = ["CVE-2023-39914"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+references = ["https://github.com/NLnetLabs/bcder/pull/74"]
+
+[versions]
+patched = [">= 0.7.3"]
+```
+
+# BER/CER/DER decoder panics on invalid input
+
+Due to insufficient checking of input data, decoding certain data sequences
+can lead to _bcder_ panicking rather than returning an error. This can affect
+both the actual decoding stage as well as accessing content of types that
+utilized delayed decoding.
+
+bcder 0.7.3 fixes these issues by more thoroughly checking inputs and
+returning errors as expected.
+