Fluid Attacks Database

Description

In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	libtomcrypt	>=0 <1.18.2-3	1.18.2-3
alpine v3.20	perl-cryptx	=0.067-r0 \|\| =0.068-r0 \|\| =0.069-r0 \|\| =0.069-r1 \|\| =0.070-r0 \|\| =0.071-r0 \|\| =0.072-r0 \|\| =0.073-r0 \|\| =0.073-r1 \|\| =0.074-r0 \|\| =0.075-r0 \|\| =0.076-r0 \|\| =0.076-r1 \|\| =0.077-r0 \|\| =0.078-r0 \|\| =0.078-r1 \|\| >=0 <0.079-r0	0.079-r0
alpine v3.22	perl-cryptx	>=0 <0.079-r0	0.079-r0
debian 11	libtomcrypt	>=0 <1.18.2-3	1.18.2-3
debian 12	libtomcrypt	>=0 <1.18.2-3	1.18.2-3
debian 13	libtomcrypt	>=0 <1.18.2-3	1.18.2-3
alpine v3.21	perl-cryptx	>=0 <0.079-r0	0.079-r0
alpine v3.19	perl-cryptx	=0.067-r0 \|\| =0.068-r0 \|\| =0.069-r0 \|\| =0.069-r1 \|\| =0.070-r0 \|\| =0.071-r0 \|\| =0.072-r0 \|\| =0.073-r0 \|\| =0.073-r1 \|\| =0.074-r0 \|\| =0.075-r0 \|\| =0.076-r0 \|\| =0.076-r1 \|\| =0.077-r0 \|\| =0.078-r0 \|\| =0.078-r1 \|\| >=0 <0.079-r0	0.079-r0
alpine v3.23	perl-cryptx	>=0 <0.079-r0	0.079-r0

Aliases

1. CVE-2019-173622. NVD-2019-173623. OSV-DEBIAN-2019-173624. OSV-2019-173625. OSV-ALPINE-2019-173626. SECURITY-TRACKER-CVE-2019-173627. SECURITY-CVE-2019-17362

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.