Synopsis:
python-pyasn1 security updateSummary:
An update for python-pyasn1 is now available for openEuler-24.03-LTS-SP1Description:
Abstract Syntax Notation One (ASN.1) is a technology for exchanging structured data in a universally understood, hardware agnostic way. Many industrial, security and telephony applications heavily rely on ASN.1. The pyasn1 library implements ASN.1 support in pure-Python.
Security Fix(es):
The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application. The vulnerability exists in the indefLenValueDecoder, valueDecoder, and _decodeComponentsSchemaless functions, which recursively invoke the decoding callback decodeFun without passing a depth parameter or checking against a global MAX_ASN1_NESTING limit. Any service using pyasn1 to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.(CVE-2026-30922)Topic:
An update for python-pyasn1 is now available for openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Severity:
HighAffected Component:
python-pyasn1
0.5.1-3.oe2403sp10.5.1-3.oe2403sp10.5.1-3.oe2403sp1Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:NI:NA:H7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H