CVE-2022-34476: 
NixOS vulnerability analysis and mitigation

ASN.1 parsing of an indefinite SEQUENCE inside an indefinite GROUP could have resulted in the parser accepting malformed ASN.1. This vulnerability affects Firefox versions prior to 102 and was disclosed in June 2022. The vulnerability was assigned CVE-2022-34476 and was discovered by security researcher Gustavo Grieco (Mozilla Advisory).

The vulnerability occurs when parsing an indefinite-length encoded SEQUENCE that is inside an indefinite-length encoded GROUP (SEQUENCE-OF or SET-OF). The parser incorrectly interprets a single EOC (End-of-Contents) as ending both the SEQUENCE and the GROUP containing it. This affects a legacy decoder that is not used to parse WebPKI X.509 certificates in Firefox, though further investigation was needed to rule out potential impact on PKCS#7 and PKCS#12 usage. The vulnerability was rated as moderate severity (Mozilla Advisory, Bugzilla).

The worst-case scenario of this vulnerability is that the decoder might accept malformed ASN.1 data by admitting an item that is missing a trailing EOC (End-of-Contents) marker. The impact was assessed as moderate, with limited potential consequences as it affected a legacy decoder not used in primary certificate parsing functions (Bugzilla).

The vulnerability was fixed in Firefox 102. The fix involved correcting the handling of end-of-contents octets in the ASN.1 parser to properly handle indefinite-length encoded sequences within groups. Users should upgrade to Firefox 102 or later to receive the fix (Mozilla Advisory).