OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-01-08 04:27:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

CPU denial of service in rustls-webpki and webpki crates (#1752)

Browse Source 
* Add rustls-webpki denial of service bug

* Add webpki denial of service bug
This commit is contained in:
ctz
2023-08-22 13:44:03 +01:00
committed by GitHub
parent 7600054d6c
commit ff6edc9823
2 changed files with 59 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
crates/rustls-webpki/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,31 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "rustls-webpki"
date = "2023-08-22"
categories = ["denial-of-service"]
keywords = ["certificate", "path building", "x509"]
cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
related = ["CVE-2018-16875"]
[versions]
patched = [">= 0.100.2, < 0.101.0", ">= 0.101.4"]
```
# rustls-webpki: CPU denial of service in certificate path building
When this crate is given a pathological certificate chain to validate, it will
spend CPU time exponential with the number of candidate certificates at each
step of path building.
Both TLS clients and TLS servers that accept client certificate are affected.
We now give each path building operation a budget of 100 signature verifications.
The original `webpki` crate is also affected.
This was previously reported in the original crate
<https://github.com/briansmith/webpki/issues/69> and re-reported to us
recently by Luke Malinowski.

28
crates/webpki/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,28 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "webpki"
date = "2023-08-22"
categories = ["denial-of-service"]
keywords = ["certificate", "path building", "x509"]
cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
related = ["CVE-2018-16875"]
[versions]
patched = []
```
# webpki: CPU denial of service in certificate path building
When this crate is given a pathological certificate chain to validate, it will
spend CPU time exponential with the number of candidate certificates at each
step of path building.
Both TLS clients and TLS servers that accept client certificate are affected.
This was previously reported in
<https://github.com/briansmith/webpki/issues/69> and re-reported recently
by Luke Malinowski.
`rustls-webpki` is a fork of this crate which contains a fix for this issue
and is actively maintained.