Patches were issued for flaws in MatrixSSL v3.8.5 and earlier, according to an advisory from CERT.
MatrixSSL is a cryptographic protocol designed for custom apps in embedded hardware environments.
CERT stated that in CVE-2016-6890, the Subject Alt Name field of X.509 certificates is not properly parsed. Thus a specially crafted certificate could result in a heap-based buffer overflow and arbitrary code execution.
In another bug, CVE-2016-6891, the ASN.1 Bit Field is not properly parsed. Here, a specially crafted certificate could lead to a denial-of-service condition due to an out-of-bounds read in memory, the advisory stated.
For CVE-2016-6892, the x509FreeExtensions() function does not properly parse X.509 certificates, CERT stated. A denial-of-service condition could result if a specially crafted certificate leads to a free operation on unallocated memory.
To patch these issues, users are advised to update to the vendor’s v3.8.6.
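The out-of-bounds read class described for CVE-2016-6891 comes down to trusting a length or bit count taken from the certificate. The following is an added example, not MatrixSSL code and not a reconstruction of the actual flaw: a DER BIT STRING parser that checks every attacker-controlled value against the buffer before use. The names `bitstring_t`, `der_length` and `parse_bit_string` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* View into the caller's buffer; nothing is copied, so nothing can overflow. */
typedef struct {
    const uint8_t *bits;   /* first data byte, or NULL when there is none */
    size_t         nbytes; /* number of data bytes */
    uint8_t        unused; /* unused trailing bits in the last byte (0..7) */
} bitstring_t;

/* Read a DER definite length at *pos; never reads at or past buf[len]. */
static int der_length(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }            /* short form */
    size_t n = b & 0x7f;                             /* count of length bytes */
    if (n == 0 || n > sizeof(size_t) || n > len - *pos) return -1;
    if (buf[*pos] == 0) return -1;                   /* leading zero: not DER */
    size_t v = 0;
    while (n--) v = (v << 8) | buf[(*pos)++];
    if (v < 0x80) return -1;                         /* must use short form */
    *out = v;
    return 0;
}

/* Parse one BIT STRING TLV at buf[0]. Returns 0 on success, -1 on bad input. */
int parse_bit_string(const uint8_t *buf, size_t len, bitstring_t *out)
{
    size_t pos = 0, clen;
    if (len < 1 || buf[pos++] != 0x03) return -1;    /* BIT STRING tag */
    if (der_length(buf, len, &pos, &clen) != 0) return -1;
    if (clen < 1 || clen > len - pos) return -1;     /* content must fit */
    uint8_t unused = buf[pos++];
    if (unused > 7) return -1;
    if (clen == 1 && unused != 0) return -1;         /* no data, no unused bits */
    if (clen > 1 && (buf[pos + clen - 2] & ((1u << unused) - 1))) return -1;
    out->bits   = (clen > 1) ? buf + pos : NULL;
    out->nbytes = clen - 1;
    out->unused = unused;
    return 0;
}

int main(void)
{
    /* Constructed sample: declares 5 content bytes but only 2 are present. */
    const uint8_t truncated[] = {0x03, 0x05, 0x00, 0xAA};
    bitstring_t bs;
    return parse_bit_string(truncated, sizeof truncated, &bs) == -1 ? 0 : 1;
}
```

The comparisons are written as `clen > len - pos` rather than `pos + clen > len` so that a huge declared length cannot wrap the addition and slip past the check.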