From 3fefc61182ec98232e79d2f38cbae824c639fc74 Mon Sep 17 00:00:00 2001
From: Martin Hoffmann <hn@nvnc.de>
Date: Wed, 13 Sep 2023 17:46:14 +0200
Subject: [PATCH] CVE-2023-39914 in bcder. (#1782)

* CVE-2023-39914 in bcder.

* Improve advisory data.

* Remove comments.

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>

---------

Co-authored-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
---
 crates/bcder/RUSTSEC-0000-0000.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 crates/bcder/RUSTSEC-0000-0000.md

diff --git a/crates/bcder/RUSTSEC-0000-0000.md b/crates/bcder/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..ab69d7b
--- /dev/null
+++ b/crates/bcder/RUSTSEC-0000-0000.md
@@ -0,0 +1,26 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "bcder"
+date = "2023-09-13"
+url = "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt"
+categories = ["denial-of-service"]
+keywords = ["example", "freeform", "keywords"]
+aliases = ["CVE-2023-39914"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+references = ["https://github.com/NLnetLabs/bcder/pull/74"]
+
+[versions]
+patched = [">= 0.7.3"]
+```
+
+# BER/CER/DER decoder panics on invalid input
+
+Due to insufficient checking of input data, decoding certain data sequences
+can lead to _bcder_ panicking rather than returning an error. This can affect
+both the actual decoding stage as well as accessing content of types that
+utilized delayed decoding.
+
+bcder 0.7.3 fixes these issues by more thoroughly checking inputs and
+returning errors as expected.
+