{"id":"RUSTSEC-2021-0125","summary":"Panic on incorrect date input to `simple_asn1`","details":"Version 0.6.0 of the `simple_asn1` crate panics on certain malformed\ninputs to its parsing functions, including `from_der` and `der_decode`.\nBecause this crate is frequently used with inputs from the network, this\nshould be considered a security vulnerability.\n\nThe issue occurs when parsing the old ASN.1 \"UTCTime\" time format.  If an\nattacker provides a UTCTime where the first character is ASCII but the\nsecond character is above 0x7f, a string slice operation in the\n`from_der_` function will try to slice into the middle of a UTF-8\ncharacter, and cause a panic.\n\nThis error was introduced in commit\n[`d7d39d709577710e9dc8`](https://github.com/acw/simple_asn1/commit/d7d39d709577710e9dc8833ee57d200eef366db8),\nwhich updated `simple_asn1` to use `time` instead of `chrono` because of\n[`RUSTSEC-2020-159`](https://rustsec.org/advisories/RUSTSEC-2020-0159).\nVersions of `simple_asn1` before 0.6.0 are not affected by this issue.\n\nThe [patch](https://github.com/acw/simple_asn1/pull/28) was applied in\n`simple_asn1` version 0.6.1.","aliases":["CVE-2021-45711","GHSA-3m6f-3gfg-4x56","GHSA-g4h2-4wvh-grc5"],"modified":"2023-11-08T04:07:23.302312Z","published":"2021-11-14T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/simple_asn1"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0125.html"},{"type":"REPORT","url":"https://github.com/acw/simple_asn1/issues/27"}],"affected":[{"package":{"name":"simple_asn1","ecosystem":"crates.io","purl":"pkg:cargo/simple_asn1"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.6.0"},{"fixed":"0.6.1"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"functions":[],"os":[]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0125.json","informational":null,"categories":["denial-of-service"],"cvss":null}}],"schema_version":"1.7.3"}