[Pkg-rust-maintainers] Bug#1052176: rust-bcder: CVE-2023-39914: BER/CER/DER decoder panics on invalid input (RUSTSEC-2023-0062)

Salvatore Bonaccorso carnil at debian.org
Mon Sep 18 19:58:19 BST 2023


Source: rust-bcder
Version: 0.6.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/NLnetLabs/bcder/pull/74
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for rust-bcder.

CVE-2023-39914[0]:
| NLnet Labs’ bcder library up to and including version 0.7.2 panics
| while decoding certain invalid input data rather than rejecting the
| data with an error. This can affect both the actual decoding stage
| as well as accessing content of types that utilized delayed
| decoding.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39914
    https://www.cve.org/CVERecord?id=CVE-2023-39914
[1] https://github.com/NLnetLabs/bcder/pull/74
[2] https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt
[3] https://rustsec.org/advisories/RUSTSEC-2023-0062.html

Regards,
Salvatore
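The advisory quoted above describes a decoder that panics on certain malformed input instead of returning an error, both during decoding itself and later when content of lazily decoded types is accessed. The Rust block below is an added illustration written for this page; it is not bcder's code and not the CVE-2023-39914 fix. It shows a minimal DER tag-length-value reader in a naive form that panics on truncated or oversized length fields, the same reader written so that every malformed case becomes a `Result::Err`, and a delayed typed accessor (`as_u32`) that applies the same no-panic discipline to content that was only stored, not validated, at header-decoding time. All byte strings are constructed samples.

```rust
// Added illustration, not bcder's own code: a minimal DER tag-length-value
// reader in two forms, one that panics on malformed input (the failure class
// the advisory describes) and one that reports an error instead.

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    Truncated,        // input ends before the header or content is complete
    LengthTooLong,    // length field wider than usize or past the end of input
    IndefiniteLength, // 0x80 length octet is not allowed in DER
    NonMinimalLength, // long-form length that DER requires in short form
    BadInteger,       // INTEGER content that is malformed or does not fit u32
}

/// One decoded element. `content` is kept as raw bytes so that typed access
/// can be delayed until the caller asks for it (see `as_u32`).
#[derive(Debug, PartialEq, Eq)]
pub struct Tlv<'a> {
    pub tag: u8,
    pub content: &'a [u8],
    pub rest: &'a [u8],
}

/// Naive reader: direct indexing, so truncated input or an oversized length
/// panics with an out-of-bounds slice instead of being reported.
pub fn decode_tlv_naive(data: &[u8]) -> Tlv<'_> {
    let tag = data[0];
    let first = data[1];
    let (len, hdr) = if first & 0x80 == 0 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize;
        let len = data[2..2 + n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        (len, 2 + n)
    };
    Tlv { tag, content: &data[hdr..hdr + len], rest: &data[hdr + len..] }
}

/// Hardened reader: every read goes through `get` or checked arithmetic and
/// every malformed case becomes an `Err`, so the caller decides what to do.
pub fn decode_tlv(data: &[u8]) -> Result<Tlv<'_>, DecodeError> {
    let tag = *data.first().ok_or(DecodeError::Truncated)?;
    let first = *data.get(1).ok_or(DecodeError::Truncated)?;
    let (len, hdr) = if first & 0x80 == 0 {
        (first as usize, 2usize)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 {
            return Err(DecodeError::IndefiniteLength);
        }
        if n > std::mem::size_of::<usize>() {
            return Err(DecodeError::LengthTooLong);
        }
        let bytes = data.get(2..2 + n).ok_or(DecodeError::Truncated)?;
        // DER: no leading zero octets, and values below 128 use the short form.
        if bytes[0] == 0 || (n == 1 && bytes[0] < 0x80) {
            return Err(DecodeError::NonMinimalLength);
        }
        let len = bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        (len, 2 + n)
    };
    let end = hdr.checked_add(len).ok_or(DecodeError::LengthTooLong)?;
    let content = data.get(hdr..end).ok_or(DecodeError::Truncated)?;
    Ok(Tlv { tag, content, rest: &data[end..] })
}

impl<'a> Tlv<'a> {
    /// Delayed typed access: interpret the raw content as a DER INTEGER that
    /// fits in a u32. A header that decoded cleanly can still carry malformed
    /// content, so this accessor must not panic either.
    pub fn as_u32(&self) -> Result<u32, DecodeError> {
        let c = self.content;
        if self.tag != 0x02 || c.is_empty() || c.len() > 5 {
            return Err(DecodeError::BadInteger);
        }
        // A leading 0x00 is only allowed to keep a high bit from reading as negative.
        if c.len() > 1 && c[0] == 0 && c[1] & 0x80 == 0 {
            return Err(DecodeError::BadInteger);
        }
        if c[0] & 0x80 != 0 {
            return Err(DecodeError::BadInteger); // negative value, not representable
        }
        let body = if c[0] == 0 { &c[1..] } else { c };
        if body.len() > 4 {
            return Err(DecodeError::BadInteger);
        }
        Ok(body.iter().fold(0u32, |acc, &b| (acc << 8) | b as u32))
    }
}

fn main() {
    // Constructed sample: SEQUENCE { INTEGER 300 } followed by one trailing byte.
    let sample = [0x30, 0x04, 0x02, 0x02, 0x01, 0x2c, 0xff];
    let outer = decode_tlv(&sample).expect("well-formed outer element");
    let inner = decode_tlv(outer.content).expect("well-formed inner element");
    println!("tag {:#04x}, value {:?}, trailing {:?}", inner.tag, inner.as_u32(), outer.rest);
    // Constructed malformed sample: length claims 5 bytes but only 1 is present.
    println!("{:?}", decode_tlv(&[0x04, 0x05, b'a']));
}
```

The point of the split is that `decode_tlv_naive` and `decode_tlv` accept exactly the same well-formed input, so the difference only shows up on hostile or corrupted data: the naive reader turns a one-byte truncation into a process-terminating panic, which in a network-facing parser is a denial-of-service condition, while the hardened reader hands the caller a `DecodeError` to log and reject.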
