Check for overflow in BER decoder EOC scanning

author: Jack Lloyd <[email protected]> 2016-11-23 12:46:45 -0500
committer: Jack Lloyd <[email protected]> 2016-11-27 16:49:17 -0500
commit: 06a93345fb715dfaefbdb5774ec66eff46fdfaa3 (patch)
tree: 71b10f2c036d54b470c283168b50466bcdec5045 /doc
parent: f11d1bf525d1c77514bac61b309bd604c92acbfd (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/doc/security.rst b/doc/security.rst
index faefca7d5..151c279f6 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -21,7 +21,16 @@ Advisories
 2016
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-* 2016-10-8871 (CVE-2016-8871) OAEP side channel
+* 2016-11-27 (CVE-2016-xxxx) Integer overflow in BER decoder
+
+  While decoding BER length fields, an integer overflow could occur. This could
+  occur while parsing untrusted inputs such as X.509 certificates. The overflow
+  does not seem to lead to any obviously exploitable condition, but exploitation
+  cannot be positively ruled out. Only 32-bit platforms are likely affected; to
+  cause an overflow on 64-bit the parsed data would have to be many gigabytes.
+  Bug found by Falko Strenzke, cryptosource GmbH.
+
+* 2016-10-26 (CVE-2016-8871) OAEP side channel
 
   A side channel in OAEP decoding could be used to distinguish RSA ciphertexts
   that did or did not have a leading 0 byte. For an attacker capable of
author	Jack Lloyd <[email protected]>	2016-11-23 12:46:45 -0500
committer	Jack Lloyd <[email protected]>	2016-11-27 16:49:17 -0500
commit	06a93345fb715dfaefbdb5774ec66eff46fdfaa3 (patch)
tree	71b10f2c036d54b470c283168b50466bcdec5045 /doc
parent	f11d1bf525d1c77514bac61b309bd604c92acbfd (diff)