[openssl/openssl] d63b3e: Restrict the size of OBJECT IDENTIFIERs that OBJ_o...
Richard Levitte
noreply at github.com
Tue Jun 6 08:51:25 UTC 2023
Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: d63b3e7959e79f98d60760a739f7876dc5adc838
https://github.com/openssl/openssl/commit/d63b3e7959e79f98d60760a739f7876dc5adc838
Author: Richard Levitte <levitte at openssl.org>
Date: 2023-06-06 (Tue, 06 Jun 2023)
Changed paths:
M CHANGES.md
M NEWS.md
M crypto/objects/obj_dat.c
Log Message:
-----------
Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form. For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier.
To mitigate this, a restriction on the size that OBJ_obj2txt() will
translate to canonical numeric text form is added, based on RFC 2578
(STD 58), which says this:
> 3.5. OBJECT IDENTIFIER values
>
> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
> For the SMIv2, each number in the list is referred to as a sub-identifier,
> there are at most 128 sub-identifiers in a value, and each sub-identifier
> has a maximum value of 2^32-1 (4294967295 decimal).
Fixes otc/security#96
Fixes CVE-2023-2650
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
More information about the openssl-commits
mailing list