1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
|
0.9.15: 2005-June-01
* Compiler now checks 64-bit overflows in constraints range handling
code. No effect on the code produced by the compiler.
* Compiler support for tagged and marked parametrized members.
* Empty tags to element map avoided.
0.9.14: 2005-Apr-29
* Fixed check-70.-fnative-integers.c test (it was failing
when no test directory was found).
0.9.13: 2005-Apr-24
* Added extra const qualifiers into the support code.
* More RFC variations supported in crfc2asn1.pl.
* Refined string values compatibility. (Test cases 77, 78).
* Support for ContainedSubtype constraints. (Test case 16).
* Parsing support for CONSTRAINED BY. (Test case 79).
* Support for CharsDefn (Quadruple and Tuple, most used in
ASN1-CHARACTER-MODULE) (Test case 80).
* Pretty-printing support for WITH COMPONENT[S]. (Test case 82).
* Streamed OCTET STRING decoding of large values: fixed allocation
problem introduced in 0.9.9. (Severity: high; Security impact: medium)
Reported by Yann Grossel <olrick@users.sourceforge.net>.
* Fixed BASIC-XER encoding of REAL numbers.
0.9.12: 2005-Mar-10
* Fixed a name clash in produced constraint checking code.
* #includes are now in single quotes (to solve a name
clash with system's <time.h> on a Win32 system).
* Small refinement of XML DTD generation (`asn1c -X`).
* Relaxed XER processing rules to skip extra whitespace
in some more places. It also skips XML comments (although
XML comments in XER are prohibited by X.693, #8.2.1).
(Test case 70) (Severity: medium; Security impact: none)
Reported by <Dominique.Nerriec@alcatel.fr>.
* Constraints on primitive types being defined are now supported.
(Test case 74) (Severity: low; Security impact: none)
* XMLValueList generation fixed for CHOICE type.
(Severity: medium; Security impact: none)
* Added the GSM TAP3 decoder into ./examples/sample.source.TAP3
0.9.11: 2005-Mar-04
* Released -fcompound-names to fix the name clashes in the code
produced by the asn1c.
* Released -fno-include-deps to avoid #including non-critical
external dependencies.
* Compiler is taught to produce compilable code for yet another class
of circular ASN.1 type references.
* X.693:8.3.4 prohibits anything but SignedNumber; fixed XER codec.
* Fixed ENUMERATED identifier to value conversion in XER.
Reported by <jacque.celaire@caramail.com>.
* If the compiled file contents are the same as in already existing
file (left from previous compilation), the old file is retained.
This prevents thrashing `make` dependencies if amount of changes in
the original ASN.1 module(s) is small.
0.9.10: 2005-Feb-25
* Completed the XER XMLValueList encoding and decoding.
* Native integer type is now using "long".
* Fixed #1150856. Reported by <vvvy@users.sourceforge.net>.
* Some WIN32 portability fixes.
0.9.9: 2005-Feb-22
* First release of XER (XML) decoding implementation (somewhat
experimental).
* ANY allocation routine fixed.
Reported by <mikko.ahonen@elma.net>.
* Fixed tag parsing (tags like "[ 0 ]" were not supported).
* Compiler now checks for duplicate ASN.1 types across modules.
0.9.8: 2005-Jan-17
* [NEW PLATFORM] Compiled and tested on Linux @ alpha64 (LP64).
Some code needed to be fixed regarding int-long conversions
(mostly inside the test suite), and floating point handling
code needed to be restructured to handle signalling NAN and
other floating point exceptions quietly. Smooth transition!
* [NEW PLATFORM] Compiled and tested on Sun Solaris 9 @ sparc.
Improved includes/defines of/for system headers.
* -X command line option added to asn1c to generate XML DTD.
* Empty SEQUENCE and SET clauses are now allowed.
* Removed confusion between &xNN; and &#xNN; in enber and unber.
* Removed order dependency in DEFAULT references to ENUMERATED
identifiers (./tests/68-*-OK.asn1).
* ber_dec_rval_t renamed into asn_dec_rval_t: more generality.
* Extensions in CHOICE types are properly marked as non-pointers
(Test case 59) (Severity: medium; Security impact: medium)
Reported by <roman.pfender@sdm.de>.
* Tagged CHOICE type is now supported again.
(Test case 59) (Severity: low; Security impact: low)
Reported by <orlinkata@dir.bg>.
* Implemented der_encode_to_buffer() procedure.
0.9.7.1: 2004-Oct-12
* Fixed automatic tagging for extensions of compound types.
* Fixed ParametrizedReference parsing: {} are now recognized.
0.9.7: 2004-Oct-11
* Finished CXER implementation by adding SET and SET OF canonical
ordering support.
* Fixed unber(1) limits controlling logic.
* Removed C99'izm from the x509dump, now understood by older compilers.
* Enhanced UTF8String constraint validation, now it checks
for the minimal encoding length; API of UTF8String_length() changed.
* Fixed SEQUENCE dealing with premature termination of the
optionals-laden indefinite length structure. The code was previously
refusing to parse such structures.
* Fixed explicitly tagged ANY type encoding and decoding
(Severity: medium; Security impact: low).
* Fixed CHOICE code spin when indefinite length structures appear
in the extensions (Severity: medium; Security impact: medium).
Reported by <siden@ul-gsm.ru>.
* BIT STRING now stores the number of unused octets in a separate field.
0.9.6: 2004-Sep-29
* Added several security firewalls: decoder's stack usage control
and the stricter checking of the TLV length.
* Implemented BASIC-XER encoding support (X.693).
* Implemented unber(1) and enber(1) for BER<->XML translation.
* Implemented CGI for online ASN.1 compilation (asn1c/webcgi).
* Implemented the sample X.509 decoder (./examples/sample.source.PKIX1).
* NamedType is now supported for SET OF/SEQUENCE OF type.
* Added -fno-constraints option to asn1c, which disabled generation of
ASN.1 subtype constraints checking code.
* Added ASN1C_ENVIRONMENT_VERSION and get_asn1c_environment_version().
* Fixed ANY type decoding (Severity: high; Security impact: low).
* Fixed BER decoder restartability problem with certain primitive
types (BOOLEAN, INTEGER, and REAL). The problem occured when the
encoding of such type is split between several bytes.
(Severity: high; Security impact: low)
* Support for cross-referencing type definitions (updated ./tests/43-*).
* Fixed pretty-printing of the REAL type. Added lots of test cases.
* Renamed asn1_* into asn_* in function and type names.
* Updated documentation.
0.9.5: 2004-Sep-17
* Fixed CER (common BER) decoder code. See check-25.c/VisibleString
case for details. X.690 specifies that inner structures in BER
encoding must be tagged by stripping off the outer tag for each
subsequent containment level. See also X.690: 8.21.5.4 and
the "Spouse" case in A.3.
(Severity: medium; Security impact: low)
* Added converters between any generic type and the ANY type.
* Parser fixed: Information Object Class fields may be taged.
* Parser fixed: tagged types inside SEQUENCE OF/SET OF support.
* Improved DEFAULT Value parsing and pretty-printing.
* Condition on distinct tags checker was incorrectly dealing with
tagged CHOICE types. Fixed. Modified tests/37-indirect-choice-OK.asn1
* Improved type name generation code ("struct foo" vs "foo_t").
* Fixed constraint checking code incorrectly dealing with imported
types with constraint values defined in other modules.
* Real REAL support! (Haven't tested denormals support yet!)
See skeletons/tests/check-REAL.c
0.9.4: 2004-Sep-10
* More support for recursive type definitions.
* Explicit support for ANY type decoding.
* Refactored tags processing code.
* Fixed constraints checking code: non-exploitable buffer overflow.
(Severity: medium; Security impact: low)
0.9.3: 2004-Sep-07
* Extended constraints support in parametrized types.
* Better support for parametrization and constraints handling.
* Better handling of recursive type definitions.
* Added support for ANY type.
0.9.2: 2004-Aug-24
* More flexible subtype constraints handling, with relaxed
PER visibility rules for actual constraints checking code generator.
* Indirect references in constraints resolver code fixed.
* Avoided compilation warning on gcc 3.3.3 systems.
* Better ValueSet printing.
0.9.1: 2004-Aug-23
* Documentation updated: doc/asn1c-usage.pdf
* Fixed OBJECT IDENTIFIER human-readable printing.
Reported by <siden@ul-gsm.ru>.
0.9: 2004-Aug-23
* Reworked subtype constraints handling, aiming at PER-applicability.
* BOOLEAN and NULL are now implemented in terms of native int type.
* Compiler now links in only necessary skeleton files.
* -t option added to asn1c to ease manual BER/CER/DER decoding.
* Added support COMPONENTS OF construct.
* Numerous parser fixes and enhancements.
* Better constraint failure reporting.
0.8.19: 2004-Aug-18
* Fixed BER encoder (problem encoding large tag values)
(Severity: medium; Security impact: low)
0.8.18: 2004-Aug-12
* Parser: fixed multiple IMPORTS problem (incorrect assertion).
* Parser: constraints extensibility parsing fix.
0.8.17: 2004-Aug-11
* Improved compiler output: duplicate #includes eliminated.
* Win32 portability fixes.
* More compatibility with C++ or non-GCC compilers.
0.8.16: 2004-Jul-22
* Fixed application-level problem in SET OF/SEQUENCE OF array cleanup.
(Severity: medium; Security impact: low)
* Improved asn_GT2time() and added asn_time2{GT,UT}() functions.
* BIT STRING pretty-printing.
0.8.15: 2004-Jul-20
* Fixed parser: memory leak in free_struct code for SET OF/SEQUENCE OF.
(Severity: high; Security impact: medium)
* Fixed parser: invalid memory reference in code constructing tags.
(Test case 48) (Severity: high; Security impact: medium)
When encoding data for certain ASN.1 specifications containing
explicit tags, the tag is always written incorrectly due to
incorrect memory reference. The encoding will almost always produce
unparseable data and might well reference unmapped region so program
would produce segmentation violation. Fortunately, memory is
read, not written, so remote exploits cannot execute arbitrary
code and triggering unmapped memory reference is highly unlikely
even it attacker knows the code (basically, the compiler should place
asn1_DEF_... right before the end of the mapped memory region, which
is extremely rare).
* Improved INTEGER type printing.
0.8.14: 2004-Jun-30
* Fixed compiler: extensibility of CHOICE and SET type has not been
taken into account during table construction.
(Test case 47) (Severity: high; Security impact: low)
0.8.13: 2004-Jun-29
* Fixed compiler: the skip values for IMPLICIT tagging were broken
in some complex cases where one type is defined using another.
(Test case 46) (Severity: medium; Security impact: low).
* Added -fknown-extern-type command line parameter to asn1c.
* Removed -N command line flag and underlying functionality
to honor KISS principle.
0.8.12: 2004-Jun-17
* RELATIVE-OID and OBJECT IDENTIFIER encoders/decoders are not bound
anymore to an integer type of specific size (unsigned long). The
size of an integer must be provided explicitly.
See {OBJECT_IDENTIFIER|RELATIVE_OID}_{get|set}_arcs().
* SEQUENCE BER decoder fixed again for complex CHOICE case
(Test case 44) (Severity: medium; Security impact: low).
0.8.11: 2004-Jun-05
* Enforced stricter conformance with C standards.
* SEQUENCE BER decoder is now equipped with the sorted map
in case of complex CHOICE descendants. Test case 44 created.
0.8.10: 2004-Jun-02
* Added const qualifier where necessary.
* Changed position of outmost_tag fetcher within asn1_TYPE_descriptor_t
structure.
0.8.9: 2004-May-26
* Added *_{get|set}_arcs_*() functions for OBJECT IDENTIFIER
and RELATIVE-OID, together with test cases.
0.8.8: 2004-May-09
* Introduced subtype constraints support (incomplete!).
* Fixed compiler. If the last member of the SEQUENCE is OPTIONAL
and absent in the encoding, and the type is extensible (...) or
EXTENSIBILITY IMPLIED flag is set, then the structure could not
be correctly decoded. (Severity: high; Security impact: low).
* Compiler: fixed recursive ASN.1 types inclusion (Severity: low,
Security impact: none).
* Parser: IMPORTS/FROM fixes, now allowing multiple sections.
* NEW PLATFORM: Compiled and tested on MacOS X (@ PowerPC).
No major portability issues experienced.
0.8.7: 2004-Apr-11 T-version-0-8-7
* Fixed SEQUENCE BER decoder: if the last member of the SEQUENCE is
OPTIONAL and absent in the encoding, RC_FAIL was returned instead
of RC_OK (Severity: high; Security impact: low).
* Added test case to check the above problem.
* Added test case to check -fnative-integers mode.
0.8.6: 2004-Apr-03 T-version-0-8-6
* Fixed compiler output for embedded ASN.1 structures.
0.8.5: 2004-Mar-28 T-version-0-8-5
* Fixed ber_tlv_length() computation problem (Severity: high,
Security impact: none).
Reported by <vss@high.net.ru>
0.8.4: 2004-Mar-22
* Removed RC_ITAG enumeration element from BER decoder.
This return code did not have much practical value.
0.8.3: 2004-Mar-14 T-version-0-8-3
* Fixed SET::BER decoder: restart after reaching a buffer boundary
weas broken (Severity: high; Security impact: low).
* Fixed OCTET STRING::BER decoder: restart after reaching a buffer
boundary was broken (Severity: high; Security impact: low).
Reported by <vss@high.net.ru>
* Added test cases to check decoders restartability.
* Slightly more general INTEGER2long decoder.
* Allowed nested /* C-type */ comments, as per X.680:2002.
0.8.2: 2004-Mar-01 T-version-0-8-2
* Fixed SEQUENCE BER decoder: an OPTIONAL element was required, where
should not have been (Severity: major; Security impact: low).
* Fixed print_struct pointer inheritance.
* Added -fno-c99 and -funnamed-unions
0.8.1: 2004-Feb-22
* -R switch to asn1c: Omit support code, compile only the tables.
* Introduced NativeInteger pseudotype.
* Corrected the informal print_struct()'s output format.
0.8.0: 2004-Feb-03 T-version-0-8-0
* Some documentation is created (a .pdf and a short manual page).
* Last touches to the code.
0.7.9: 2004-Feb-01 T-version-0-7-9
* Human readable printing support.
* Support for implicit (standard) constraints.
0.7.8: 2004-Jan-31
* SET now rejects duplicate fields in the data stream.
0.7.7: 2004-Jan-25
* Added types: GeneralizedTime and UTCTime.
0.7.6: 2004-Jan-24 T-version-0-7-6
* DER encoding of a SET OF now involves dynamic sorting.
0.7.5: 2004-Jan-24 T-version-0-7-5
* DER encoding of a SET with untagged CHOICE
now involves dynamic sorting.
0.7.0: 2004-Jan-19 T-version-0-7-0
* A bunch of DER encoders is implemented.
0.6.6: 2004-Jan-11
* Implemented CHOICE decoder.
* Implemented destructors support.
0.6.5: 2004-Jan-03
* Implemented SET decoder.
* Implemented SET OF and SEQUENCE OF decoders.
0.6.4: 2003-Dec-31
* Implemented BOOLEAN, NULL, ENUMERATED decoders.
* Implemented OCTET STRING decoder.
* Implemented BIT STRING decoder.
0.6: 2003-Dec-30
* First decoding of a BER-encoded structure!
0.5: 2003-Dec-28
* Framework and most of the compiler backbone coding done.
0.1: 2003-Nov-28
* Programming started.
=== Bug importance disclosure terms ===
SEVERITY.
This term applies to the frequence the particular construct is used
in the real world. The higher the frequency, the more chances of triggering
this bug.
low: The ASN.1 specifications which could trigger
this kind of bug are not widespread.
medium: The particular ASN.1 construct is used quite often,
so the chance of triggering an error is considerable.
high: This fix is considered urgent, or the particular ASN.1
construct triggering this bug is in wide use.
SECURITY IMPACT.
This term applies to the amount of potential damage a bug exploitation
could cause.
low: The local exploitation is unlikely; the remote exploitation
is impossible.
medium: The remote exploitation is possible when a particular ASN.1
construct is being used. If possible, only hard failure, spin
or memory leak are the possible outcome: no shellcode
injection could possibly be carried by the attack.
high: The remote shellcode injection is possible, or the bug is
otherwise remotely exploitable for most specifications.
|
