-
Notifications
You must be signed in to change notification settings - Fork 334
/
RUSTSEC-2023-0010.json
75 lines (75 loc) · 2.99 KB
/
RUSTSEC-2023-0010.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
{
"schema_version": null,
"id": "RUSTSEC-2023-0010",
"modified": "2023-06-13T13:10:24Z",
"published": "2023-02-07T12:00:00Z",
"aliases": [
"CVE-2022-4450",
"GHSA-v5w6-wcm8-jm4q"
],
"related": [],
"summary": "Double free after calling `PEM_read_bio_ex`",
"details": "The function `PEM_read_bio_ex()` reads a PEM file from a BIO and parses and\ndecodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data.\nIf the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are\npopulated with pointers to buffers containing the relevant decoded data. The\ncaller is responsible for freeing those buffers. It is possible to construct a\nPEM file that results in 0 bytes of payload data. In this case `PEM_read_bio_ex()`\nwill return a failure code but will populate the header argument with a pointer\nto a buffer that has already been freed. If the caller also frees this buffer\nthen a double free will occur. This will most likely lead to a crash. This\ncould be exploited by an attacker who has the ability to supply malicious PEM\nfiles for parsing to achieve a denial of service attack.\n\nThe functions `PEM_read_bio()` and `PEM_read()` are simple wrappers around\n`PEM_read_bio_ex()` and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL\nfunctions including `PEM_X509_INFO_read_bio_ex()` and\n`SSL_CTX_use_serverinfo_file()` which are also vulnerable. Some OpenSSL internal\nuses of these functions are not vulnerable because the caller does not free the\nheader argument if `PEM_read_bio_ex()` returns a failure code. These locations\ninclude the `PEM_read_bio_TYPE()` functions as well as the decoders introduced in\nOpenSSL 3.0.",
"severity": [],
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "openssl-src",
"purl": "pkg:cargo/openssl-src"
},
"ecosystem_specific": {
"affects": {
"arch": [],
"os": [],
"functions": []
},
"affected_functions": null
},
"database_specific": {
"categories": [
"denial-of-service"
],
"cvss": null,
"informational": null
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "111.25.0"
},
{
"introduced": "300.0.0"
},
{
"fixed": "300.0.12"
}
]
}
],
"versions": []
}
],
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/openssl-src"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2023-0010.html"
},
{
"type": "WEB",
"url": "https://www.openssl.org/news/secadv/20230207.txt"
}
],
"database_specific": {
"license": "CC0-1.0"
}
}