On Tue, 19 Jul 2016, Jay R. Ashworth wrote:
Heap overflow bug in either a widely used ASN.1 library from Objective Systems, apparently popular with cell-radio industry people. Not sure if this will leak over into NANOG land -- but neither are you, and that's most of my point.
DO *you* know if this library is used in your routers? Can you find out?
How easily and quickly?
CERT/CC has published a list of contacted vendors: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=790839&SearchOrder=4
From the timeline:
https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-... it is not clear if all vendors have been contacted. Wonder how to grep for rtxMemHeapAlloc in the possibly encrypted baseband module firmware. Marcin