Overview
A stack-based buffer overflow vulnerability exists in GNU libtasn1, a low-level ASN.1 parsing library. The issue is caused by unsafe string concatenation in the asn1_expand_octet_string function located in decoding.c. Under worst-case conditions, this results in a one-byte stack overflow that may corrupt adjacent memory. While the overflow is limited to a single byte, such conditions can still lead to unexpected behavior when processing untrusted ASN.1 input data.
Description
GNU libtasn1 is a low-level C library for manipulating Abstract Syntax Notation One (ASN.1) data structures and encoding rules, including Distinguished Encoding Rules (DER). It implements functionality defined by ITU-T Recommendations X.680 and X.690 and is widely used as a foundational component in cryptographic software stacks to parse and validate complex ASN.1-encoded data.
A stack-based buffer overflow has been identified in the function asn1_expand_octet_string in the file decoding.c. The vulnerability arises from the use of unbounded string manipulation functions (strcpy and strcat) to construct a local stack buffer (name) from the fields definitions->name and p2->name. In the worst-case scenario, both source strings are at their maximum allowed length. When they are concatenated with an additional separator character (".") and a terminating null byte, the destination buffer is undersized by one byte. As a result, the final null terminator written by strcat overflows the allocated stack buffer by a single byte.
Although the overflow is limited in size, it occurs during the parsing of potentially untrusted ASN.1 input. One-byte stack overflows have historically led to subtle memory corruption issues and may cause unexpected behavior, including crashes, during cryptographic operations such as signature verification or certificate parsing.
Impact
An attacker could trigger the buffer overflow using malformed ASN.1 data to potentially corrupt memory or cause unexpected behavior. This requires breaking libtasn1’s assumption that ASN.1 structures passed to it are already validated by the main application using this library. The impact of this vulnerability is limited due to the one-byte nature of the overflow. Exploitation is constrained and may be further mitigated by modern compiler protections such as stack canaries, _FORTIFY_SOURCE, and other hardening mechanisms. However, as GNU libtasn1 is commonly used in cryptographic libraries and security-sensitive contexts, malformed ASN.1 input triggering this condition could result in parsing failures or abnormal behavior during critical cryptographic operations, including signature verification and cryptographic data validation.
Solution
A patch addressing this issue has been proposed to the GNU libtasn1 project and is available for review and testing at: https://gitlab.com/gnutls/libtasn1/-/merge_requests/121. Developers and integrators are encouraged to evaluate the patch and apply appropriate mitigations, such as using bounded string operations or safer formatting functions, to eliminate the overflow condition in affected versions. Read https://gitlab.com/gnutls/libtasn1/-/blob/master/NEWS.md for updates.
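As an added illustration (not libtasn1's code), the following C shows the size arithmetic behind the off-by-one described above and a bounded join of the kind the solution recommends; MAX_NAME and NAME_BUF are assumed sizes chosen to reproduce the one-byte shortfall.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not libtasn1's code: MAX_NAME and NAME_BUF are
 * assumed sizes chosen so that "<a>.<b>" needs one byte more than the buffer
 * holds when both names are at maximum length. */
#define MAX_NAME 8                   /* assumed maximum name length, excluding NUL */
#define NAME_BUF (2 * MAX_NAME + 1)  /* 17 bytes: two names plus separator, no room for NUL */

/* Bytes strcpy/strcat would write for "<a>.<b>", including the terminating NUL. */
size_t joined_len(const char *a, const char *b)
{
  return strlen(a) + 1 + strlen(b) + 1;
}

/* 1 if the worst case (both names MAX_NAME long) would overrun NAME_BUF. */
int worst_case_overflows(void)
{
  char a[MAX_NAME + 1], b[MAX_NAME + 1];
  memset(a, 'a', MAX_NAME); a[MAX_NAME] = '\0';
  memset(b, 'b', MAX_NAME); b[MAX_NAME] = '\0';
  return joined_len(a, b) > NAME_BUF;  /* 18 > 17: the NUL lands one byte past the end */
}

/* Hardened join: bounded formatting instead of strcpy/strcat. Returns 0 on
 * success and -1 if the result would not fit; dst is always NUL-terminated,
 * and the caller must reject the input on -1 rather than continue parsing. */
int join_names_bounded(char *dst, size_t dstlen, const char *a, const char *b)
{
  int n = snprintf(dst, dstlen, "%s.%s", a, b);
  if (n < 0 || (size_t)n >= dstlen)
    return -1;
  return 0;
}

/* Check helper: joins into a NAME_BUF-sized stack buffer and returns 1 only
 * if the bounded join succeeded and produced exactly `expected`. */
int join_yields(const char *a, const char *b, const char *expected)
{
  char name[NAME_BUF];
  if (join_names_bounded(name, sizeof name, a, b) != 0)
    return 0;
  return strcmp(name, expected) == 0;
}
```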
Acknowledgements
Thanks to Benny Zelster from Microsoft Research for coordinating the disclosure of this vulnerability. This document was written by Vijay Sarvepalli.