OctoRPKI crashes when processing GZIP bomb returned via malicious repository
Description
Reviewed
Nov 10, 2021
Published to the GitHub Advisory Database
Nov 10, 2021
Published by the National Vulnerability Database
Nov 11, 2021
Last updated
Feb 14, 2023
OctoRPKI tries to load the entire contents of a repository into memory and, in the case of a GZIP bomb, decompresses it entirely in memory. An attacker-controlled repository can therefore serve a small compressed payload that inflates to far more than the available memory, making OctoRPKI run out of memory (and thus crash).
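The defensive pattern for this class of bug is to never inflate an untrusted stream without an output cap. The following is an added example, not code from OctoRPKI or the advisory; it assumes Go (OctoRPKI's implementation language), and the function names, the size limit and the constructed sample inputs are all hypothetical. It wraps the gzip reader in an `io.LimitReader` so that decompression stops as soon as the inflated size exceeds the cap, regardless of how small the compressed input was.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when the inflated stream exceeds the cap.
var ErrDecompressedTooLarge = errors.New("decompressed data exceeds size limit")

// ReadGzipBounded inflates r but refuses to produce more than maxBytes of output.
// Hypothetical helper; the limit a real validator uses is a policy decision.
func ReadGzipBounded(r io.Reader, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer zr.Close()

	// Allow exactly one byte past the cap so that "fits exactly" and
	// "too large" can be told apart without inflating the whole stream.
	limited := io.LimitReader(zr, maxBytes+1)
	var buf bytes.Buffer
	n, err := buf.ReadFrom(limited)
	if err != nil {
		return nil, err
	}
	if n > maxBytes {
		// The rest of the stream is never inflated; memory use stays at maxBytes+1.
		return nil, ErrDecompressedTooLarge
	}
	return buf.Bytes(), nil
}

// gzipBytes compresses data; used here only to build constructed inputs.
func gzipBytes(data []byte) []byte {
	var out bytes.Buffer
	zw := gzip.NewWriter(&out)
	if _, err := zw.Write(data); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return out.Bytes()
}

func main() {
	const limit = 1 << 20 // 1 MiB cap (placeholder value)

	// Constructed benign input: a tiny object that inflates well under the cap.
	small := gzipBytes([]byte("constructed benign repository object\n"))
	out, err := ReadGzipBounded(bytes.NewReader(small), limit)
	fmt.Printf("benign: %d bytes inflated, err=%v\n", len(out), err)

	// Constructed highly compressible input: 32 MiB of zeros gzips to a few tens
	// of KiB, which is the shape of payload the advisory describes.
	inflatable := gzipBytes(make([]byte, 32<<20))
	_, err = ReadGzipBounded(bytes.NewReader(inflatable), limit)
	fmt.Printf("compressed size %d bytes, err=%v\n", len(inflatable), err)
}
```

The same cap should be applied at every layer that buffers repository data (HTTP response body, archive members, per-object size), since a bound on the compressed size alone says nothing about the inflated size.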
Patches
For more information
If you have any questions or comments about this advisory, email us at security@cloudflare.com
References