PT-2017-10391 · Cryptopp+1 · Crypto+++1

Noloader

Published

2016-12-26

Updated

2021-10-06

CVE-2016-9939

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions Crypto++ versions 5.6.4

Description The issue is related to a bug in the ASN.1 BER decoding routine of the library. When the library allocates a memory block based on the length field of the ASN.1 object and there are not enough content octets, the function fails and the memory block is zeroed, even if it's unused. This results in a noticeable delay during the wipe for large allocations.

Recommendations For version 5.6.4, consider updating to a newer version that contains a fix for this issue, as the current version has a bug in its ASN.1 BER decoding routine that can cause a noticeable delay during memory wipe for large allocations.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2016-9939

DLA-766-1

DSA-3748-1

MGASA-2017-0010

OPENSUSE-SU-2021:3301-1

OPENSUSE-SU-2021_3301-1

SUSE-SU-2021:3301-1

SUSE-SU-2021_3301-1

Affected Products

Crypto++

Suse

PT-2017-10391 · Cryptopp+1 · Crypto+++1

CVE-2016-9939

Weakness Enumeration

Related Identifiers

Affected Products

References · 31