ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
{ "vanir_signatures": [ { "digest": { "line_hashes": [ "117461203888014430861683533234656718512", "243825661406862980169231204533098741260", "2493167677520519019066058455255881707" ], "threshold": 0.9 }, "source": "https://github.com/mbed-tls/mbedtls/commit/740b218386083dc708ce98ccc94a63a95cd5629e", "signature_version": "v1", "id": "CVE-2018-9989-33b2e7ed", "target": { "file": "library/ssl_cli.c" }, "signature_type": "Line", "deprecated": false }, { "digest": { "length": 505.0, "function_hash": "314921054803960153312991629036160735432" }, "source": "https://github.com/mbed-tls/mbedtls/commit/740b218386083dc708ce98ccc94a63a95cd5629e", "signature_version": "v1", "id": "CVE-2018-9989-422b6ae2", "target": { "function": "ssl_parse_server_psk_hint", "file": "library/ssl_cli.c" }, "signature_type": "Function", "deprecated": false } ] }