Vulnerability Description
Crypto++ (aka cryptopp and libcrypto++) 5.6.4 contained a bug in its ASN.1 BER decoding routine. The library will allocate a memory block based on the length field of the ASN.1 object. If there is not enough content octets in the ASN.1 object, then the function will fail and the memory block will be zeroed even if its unused. There is a noticeable delay during the wipe for a large allocation.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cryptopp | Crypto\+\+ | 5.6.4 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- http://www.debian.org/security/2016/dsa-3748Third Party Advisory
- http://www.openwall.com/lists/oss-security/2016/12/12/7Mailing ListPatchThird Party Advisory
- http://www.securityfocus.com/bid/94854Third Party AdvisoryVDB Entry
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- http://www.debian.org/security/2016/dsa-3748Third Party Advisory
- http://www.openwall.com/lists/oss-security/2016/12/12/7Mailing ListPatchThird Party Advisory
- http://www.securityfocus.com/bid/94854Third Party AdvisoryVDB Entry
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2016-9939?
CVE-2016-9939 is a vulnerability with a CVSS score of 7.5 (HIGH). Crypto++ (aka cryptopp and libcrypto++) 5.6.4 contained a bug in its ASN.1 BER decoding routine. The library will allocate a memory block based on the length field of the ASN.1 object. If there is not...
How severe is CVE-2016-9939?
CVE-2016-9939 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-9939?
Check the references section above for vendor advisories and patch information. Affected products include: Cryptopp Crypto\+\+, Debian Debian Linux.