GHSA-3m6f-3gfg-4x56: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-3m6f-3gfg-4x56) affects version 0.6.0 of the simple_asn1 Rust crate, which was discovered on November 14, 2021. The issue involves a panic vulnerability when parsing malformed inputs in the ASN.1 'UTCTime' format. This security flaw was introduced during a dependency update from chrono to time crate and was patched in version 0.6.1 (GitHub Advisory, RustSec Advisory).

The vulnerability occurs in the parsing functions (fromder and derdecode) when processing ASN.1 'UTCTime' format. Specifically, if an attacker provides a UTCTime where the first character is ASCII but the second character is above 0x7f, a string slice operation in the fromder function attempts to slice into the middle of a UTF-8 character, causing a panic. The issue was introduced in commit d7d39d709577710e9dc8 during the transition from the chrono dependency to the time crate (GitHub Issue).

Since the simple_asn1 crate is frequently used with network inputs, this vulnerability can lead to denial-of-service attacks when processing malformed input data. The panic in string processing can cause application crashes when handling specially crafted malicious inputs (RustSec Advisory).

Users should upgrade to simple_asn1 version 0.6.1 or later, which contains the fix for this vulnerability. Versions prior to 0.6.0 are not affected by this issue (GitHub Advisory).