Add CVE-2023-0286 for openssl-src (#1573)
Showing 1 changed file with 31 additions and 0 deletions.
@@ -0,0 +1,31 @@ | ||
```toml | ||
[advisory] | ||
id = "RUSTSEC-0000-0000" | ||
package = "openssl-src" | ||
aliases = ["CVE-2023-0286"] | ||
categories = ["denial-of-service", "memory-exposure"] | ||
date = "2023-02-07" | ||
url = "https://www.openssl.org/news/secadv/20230207.txt" | ||
[versions] | ||
patched = [">= 111.25, < 300.0", ">= 300.0.12"] | ||
``` | ||
|
||
# X.400 address type confusion in X.509 `GeneralName` | ||
|
||
There is a type confusion vulnerability relating to X.400 address processing | ||
inside an X.509 `GeneralName`. X.400 addresses were parsed as an `ASN1_STRING` but | ||
the public structure definition for `GENERAL_NAME` incorrectly specified the type | ||
of the `x400Address` field as `ASN1_TYPE`. This field is subsequently interpreted by | ||
the OpenSSL function `GENERAL_NAME_cmp` as an `ASN1_TYPE` rather than an | ||
`ASN1_STRING`. | ||
|
||
When CRL checking is enabled (i.e. the application sets the | ||
`X509_V_FLAG_CRL_CHECK` flag), this vulnerability may allow an attacker to pass | ||
arbitrary pointers to a `memcmp` call, enabling them to read memory contents or | ||
enact a denial of service. In most cases, the attack requires the attacker to | ||
provide both the certificate chain and CRL, neither of which need to have a | ||
valid signature. If the attacker only controls one of these inputs, the other | ||
input must already contain an X.400 address as a CRL distribution point, which | ||
is uncommon. As such, this vulnerability is most likely to only affect | ||
applications which have implemented their own functionality for retrieving CRLs | ||
over a network. |
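Review bot: the `[versions]` table states the fix only in openssl-src's own version scheme (`patched = [">= 111.25, < 300.0", ">= 300.0.12"]`), and nothing in the description says which upstream OpenSSL releases the `111.25` and `300.0.12` boundaries correspond to, so a reader cannot cross-check the range against the linked OpenSSL advisory without looking up the crate's release history. Suggest adding one sentence to the description naming the upstream fixed releases that these openssl-src versions bundle, and confirming in that sentence that the `< 300.0` upper bound on the first range is intentional (the 1.1.1 line and the 3.0 line are patched separately). The `id = "RUSTSEC-0000-0000"` placeholder is fine as submitted and should be left for assignment at merge.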