[openssl/openssl] d63b3e: Restrict the size of OBJECT IDENTIFIERs that OBJ_o...

Richard Levitte noreply at github.com
Tue Jun 6 08:51:25 UTC 2023

  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: d63b3e7959e79f98d60760a739f7876dc5adc838
  Author: Richard Levitte <levitte at openssl.org>
  Date:   2023-06-06 (Tue, 06 Jun 2023)

  Changed paths:
    M CHANGES.md
    M NEWS.md
    M crypto/objects/obj_dat.c

  Log Message:
  Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate

OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form.  For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that

To mitigate this, a restriction on the size that OBJ_obj2txt() will
translate to canonical numeric text form is added, based on RFC 2578
(STD 58), which says this:

> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
> For the SMIv2, each number in the list is referred to as a sub-identifier,
> there are at most 128 sub-identifiers in a value, and each sub-identifier
> has a maximum value of 2^32-1 (4294967295 decimal).

Fixes otc/security#96
Fixes CVE-2023-2650

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>

More information about the openssl-commits mailing list