CryptX for Perl Malformed Unicode Vulnerability Leading to Denial-of-Service and Information Disclosure

A vulnerability in CryptX for Perl, prior to version 0.065, arises from its embedding of the tomcrypt library, which versions before 0.065 may be vulnerable to improper handling of UTF-8 encoding. This flaw allows context-dependent attackers to cause a denial-of-service by triggering an out-of-bounds read that crashes the application, or to exploit a two-step information disclosure attack by reading data from adjacent memory locations.

Impact

Exploitation of this vulnerability can lead to a program crash or unauthorized access to sensitive information from other memory areas.

Reproduction

The vulnerability can be reproduced by importing a crafted DER-encoded X.509 certificate that exploits the improper UTF-8 decoding in the tomcrypt library. This can be done by using a certificate that includes invalid UTF-8 sequences designed to manipulate the length calculations in the 'der_decode_utf8_string' function, causing a buffer over-read or memory leak.