Yes, this time in Squid. I've been following security bugs in ASN.1 parsers for some time now, as they seem to be a common class of bug, owing to the difficulty of parsing complex structures like ASN.1.

By my count, 18 or so security updates have been issued in the last two years relating to ASN.1 parsing:

Squid Web Proxy Cache Remote Denial of Service Vulnerability
http://www.idefense.com/application/poi/display?id=152

Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products
http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0699

MIT krb5: Multiple vulnerabilities (heap overrun)
http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0644


MIT krb5: Multiple vulnerabilities (Double-free)
http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0642

Vulnerability in libtasn1 related to DER parsing
http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0401

Double-free vulnerability in the ASN.1 library in Windows
http://icat.nist.gov/icat.cfm?cvename=CAN-2004-0123

Multiple integer overflows in Microsoft ASN.1 library
http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0818

OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences.
http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0851

Multiple vulnerabilities in multiple vendor implementations of the X.400 protocol
http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0565

Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol
http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0564

Double-free vulnerability in OpenSSL 0.9.7
http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0545

OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs
http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0544

Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service
http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0543

The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value.
http://icat.nist.gov/icat.cfm?cvename=CAN-2003-0430

Integer signedness error in MIT Kerberos V5 ASN.1 decoder
http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0036

The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service
http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0659

The ASN.1 parser in Ethereal 0.9.2 and earlier allows remote attackers to cause a denial of service
http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0353

Vulnerabilities in the SNMPv1 request handling
http://icat.nist.gov/icat.cfm?cvename=CAN-2002-0013


So what the heck is ASN.1? It's a standard way, defined in X.680, to describe complex binary data. I know purists will hate me for saying this, but think of binary XML. You describe the data format in ASN format, and then an ASN compiler creates .C[PP] and .H[PP] files that you compile and link into your code. Voila!

For example, the following ASN snippet:

Stuff DEFINITIONS ::=

BEGIN
PersonnelRecord ::= SEQUENCE {
  name Name,
  title OCTET STRING,
  number EmployeeNumber,
  dateOfHire Date,
  nameOfSpouse Name}
Name ::= SEQUENCE {
  givenName OCTET STRING,
  initial OCTET STRING,
  familyName OCTET STRING}
EmployeeNumber ::= INTEGER
Date ::= OCTET STRING -- YYYYMMDD
END

May create the following header file:

#include "asn_obj.h"
#include "stuff.h"
class Name : public AsnSequence {
  public:
    AsnOctetString givenName;
    AsnOctetString initial;
    AsnOctetString familyName;
    Name();
    };
typedef AsnInteger EmployeeNumber;
typedef AsnOctetString Date;
class PersonnelRecord : public AsnSequence {
  public:
    Name name;
    AsnOctetString title;
    AsnInteger number;
    AsnOctetString dateOfHire;
    Name nameOfSpouse;
    PersonnelRecord();
    };
PersonnelRecord::PersonnelRecord() {...}
Name::Name() {...}

The problem is that if the library that cracks the ASN.1 data format has parsing errors, you may have security issues. The real worry is that many network and security protocols use ASN.1, such as X.509 certificates (therefore SSL/TLS), Kerberos, SNMP, S/MIME, IPSec and so on.

The real lesson is this: code review your ASN.1 parsing code, or library, for integer overflow and buffer overrun issues. Or you may be next!
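
As an added illustration of what such a review looks for (this is not code from Squid or from any library listed above): a minimal DER tag/length walker in C that rejects the integer-overflow, buffer-overrun and deep-recursion cases. MAX_DEPTH, the function names and the sample bytes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_DEPTH 16 /* assumed nesting cap; bounds recursion on hostile input */

/* Parse one tag+length header from buf[0..len). Returns 0 and sets *hdr
 * (header size) and *clen (content size) only if hdr + clen fits in len. */
static int der_header(const uint8_t *buf, size_t len, size_t *hdr, size_t *clen)
{
    size_t n, pos = 2;
    if (len < 2) return -1;                  /* tag and first length octet */
    if ((buf[0] & 0x1f) == 0x1f) return -1;  /* high-tag-number form: not handled */
    if (buf[1] < 0x80) {
        n = buf[1];                          /* short form */
    } else {
        size_t cnt = buf[1] & 0x7f;          /* number of length octets */
        if (cnt == 0 || cnt > sizeof n) return -1; /* indefinite, or overflows n */
        if (cnt > len - pos) return -1;      /* length octets past end of buffer */
        if (buf[pos] == 0) return -1;        /* DER: no leading zero octet */
        for (n = 0; cnt > 0; cnt--) n = (n << 8) | buf[pos++];
        if (n < 0x80) return -1;             /* DER: short form was required */
    }
    if (n > len - pos) return -1;            /* subtract; pos + n could wrap */
    *hdr = pos;
    *clen = n;
    return 0;
}

/* Walk every element in buf[0..len), descending into constructed types.
 * Returns 0 if all lengths are consistent, -1 on any malformed element. */
int der_validate(const uint8_t *buf, size_t len, int depth)
{
    if (depth > MAX_DEPTH) return -1;
    while (len > 0) {
        size_t hdr, clen;
        if (der_header(buf, len, &hdr, &clen) != 0) return -1;
        if ((buf[0] & 0x20) && der_validate(buf + hdr, clen, depth + 1) != 0)
            return -1;
        buf += hdr + clen;
        len -= hdr + clen;
    }
    return 0;
}

/* Constructed samples: a valid SEQUENCE { INTEGER 5 }, an OCTET STRING that
 * claims 5 bytes but carries 2, and a length field with 9 length octets. */
const uint8_t sample_ok[]      = { 0x30, 0x03, 0x02, 0x01, 0x05 };
const uint8_t sample_overrun[] = { 0x04, 0x05, 0x41, 0x42 };
const uint8_t sample_huge[]    = { 0x04, 0x89, 0x01 };
```

Every bounds comparison is written as a subtraction from the remaining length, so an attacker-chosen length can never be added to an offset and wrap around.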