
0.7.3

@partim partim released this 13 Sep 09:29
· 12 commits to main since this release
6a7250a

This release fixes a number of decoding issues that can lead to panics on invalid input data. They have been assigned CVE-2023-39914.

Bug fixes

  • Fixes various decoding issues that lead to a panic on invalid data.
    Specifically:
    • error out rather than panic when a nested value has a greater length than allowed by the outer value,
    • check that there is enough data available before skipping over a primitive value’s content,
    • check that enough data is available before trying to parse a tag value,
    • check for correct encoding of bit strings: don’t allow the number of unused bits to be greater than 7, and require that it is zero for an empty bit string,
    • check for correct encoding of object identifiers: they cannot be empty and the last byte must have bit 7 cleared.
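The checks above all share one shape: validate the claimed length or encoding against the bytes actually present, and return an error where an unchecked slice index or arithmetic would have panicked. The Rust below is an added illustration written for this page, not the project's own code; it assumes the decoder handles ASN.1 BER/DER tag-length-value encoding (the bit string and object identifier rules listed are the BER ones), and every function and error name in it is hypothetical.

```rust
// Added illustration (not the project's code): minimal DER decoding checks
// that return an error instead of panicking on the malformed inputs named in
// the release notes. All function and error names are hypothetical.

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    Truncated,                // header or content runs past the available data
    UnsupportedLength,        // indefinite form, or more than 4 length bytes
    NestedLengthExceedsOuter, // child claims more bytes than the parent holds
    BadBitStringUnusedBits,   // unused-bit count > 7, or non-zero on an empty string
    EmptyOid,                 // OBJECT IDENTIFIER with no content at all
    OidLastByteHighBitSet,    // final subidentifier byte still has bit 7 set
}

/// Reads a single-byte tag and a definite length (short form, or long form of
/// at most 4 bytes). Every byte is fetched with `get`, so a short buffer
/// yields `Truncated` rather than an out-of-bounds panic.
pub fn read_tag_and_length(data: &[u8]) -> Result<(u8, usize, usize), DecodeError> {
    let tag = *data.first().ok_or(DecodeError::Truncated)?;
    let first = *data.get(1).ok_or(DecodeError::Truncated)?;
    if first < 0x80 {
        return Ok((tag, usize::from(first), 2));
    }
    let n = usize::from(first & 0x7f);
    if n == 0 || n > 4 {
        return Err(DecodeError::UnsupportedLength);
    }
    let len_bytes = data.get(2..2 + n).ok_or(DecodeError::Truncated)?;
    let len = len_bytes.iter().fold(0usize, |acc, b| (acc << 8) | usize::from(*b));
    Ok((tag, len, 2 + n))
}

/// Takes one complete TLV from the front of `data`, returning
/// (tag, content, remainder). Errors if the claimed content length reaches
/// past the end of `data` instead of slicing blindly.
pub fn take_value(data: &[u8]) -> Result<(u8, &[u8], &[u8]), DecodeError> {
    let (tag, len, hdr) = read_tag_and_length(data)?;
    let end = hdr.checked_add(len).ok_or(DecodeError::Truncated)?;
    let content = data.get(hdr..end).ok_or(DecodeError::Truncated)?;
    Ok((tag, content, &data[end..]))
}

/// Skips over a primitive value only after confirming its content is present.
pub fn skip_value(data: &[u8]) -> Result<&[u8], DecodeError> {
    take_value(data).map(|(_, _, rest)| rest)
}

/// Splits the content of a constructed value into (tag, content) children,
/// rejecting any child whose length reaches past the end of the outer value.
pub fn split_children(content: &[u8]) -> Result<Vec<(u8, &[u8])>, DecodeError> {
    let mut children = Vec::new();
    let mut rest = content;
    while !rest.is_empty() {
        let (tag, body, tail) = take_value(rest).map_err(|e| match e {
            DecodeError::Truncated => DecodeError::NestedLengthExceedsOuter,
            other => other,
        })?;
        children.push((tag, body));
        rest = tail;
    }
    Ok(children)
}

/// Validates BIT STRING content: the leading byte counts unused trailing bits
/// (0..=7), and an empty bit string must report zero unused bits.
pub fn check_bit_string(content: &[u8]) -> Result<(u8, &[u8]), DecodeError> {
    let unused = *content.first().ok_or(DecodeError::Truncated)?;
    let bits = &content[1..];
    if unused > 7 || (bits.is_empty() && unused != 0) {
        return Err(DecodeError::BadBitStringUnusedBits);
    }
    Ok((unused, bits))
}

/// Validates OBJECT IDENTIFIER content: it must be non-empty, and its last
/// byte must have bit 7 clear, otherwise the final subidentifier is unfinished.
pub fn check_oid(content: &[u8]) -> Result<&[u8], DecodeError> {
    let last = *content.last().ok_or(DecodeError::EmptyOid)?;
    if last & 0x80 != 0 {
        return Err(DecodeError::OidLastByteHighBitSet);
    }
    Ok(content)
}

fn main() {
    // Constructed malformed inputs, one per class of fix. Each now produces an
    // error value where an unchecked slice index would have panicked.
    let outer = [0x30, 0x03, 0x02, 0x05, 0x01]; // SEQUENCE holding an INTEGER that claims 5 bytes but has 1
    let (_, content, _) = take_value(&outer).expect("outer value is well-formed");
    println!("nested length: {:?}", split_children(content));
    println!("skip truncated primitive: {:?}", skip_value(&[0x04, 0x03, 0x01]));
    println!("8 unused bits: {:?}", check_bit_string(&[0x08, 0xff]));
    println!("empty with unused bits: {:?}", check_bit_string(&[0x03]));
    println!("empty oid: {:?}", check_oid(&[]));
    println!("unterminated oid: {:?}", check_oid(&[0x2a, 0x86]));
}
```

The design point is that every length claimed by the input is only trusted after `get` or `checked_add` has confirmed it fits in the bytes already in hand, so a fuzzed or hostile input reaches an `Err` branch rather than an index panic that would take down the whole process.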