[RUSTSEC-2023-0009] Use-after-free following `BIO_new_NDEF`
The public API function `BIO_new_NDEF` is a helper function used for streaming ASN.1 data via a `BIO`. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a `BIO` from the caller, prepends a new `BIO_f_asn1` filter `BIO` onto the front of it to form a `BIO` chain, and then returns the new head of the `BIO` chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter `BIO` is freed and the function returns a `NULL` result indicating a failure. However, in this case, the `BIO` chain is not properly cleaned up and the `BIO` passed by the caller still retains internal pointers to the previously freed filter `BIO`. If the caller then goes on to call `BIO_pop()` on the `BIO` then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function `B64_write_ASN1()` which may cause `BIO_new_NDEF()` to be called and will subsequently call `BIO_pop()` on the `BIO`. This internal function is in turn called by the public API functions `PEM_write_bio_ASN1_stream`, `PEM_write_bio_CMS_stream`, `PEM_write_bio_PKCS7_stream`, `SMIME_write_ASN1`, `SMIME_write_CMS` and `SMIME_write_PKCS7`.

Other public API functions that may be impacted by this include `i2d_ASN1_bio_stream`, `BIO_new_CMS`, `BIO_new_PKCS7`, `i2d_CMS_bio_stream` and `i2d_PKCS7_bio_stream`.

Package | Affected Version |
---|---|
pkg:cargo/openssl-src | < 300.0.12 |
Package | Fixed Version |
---|---|
pkg:cargo/openssl-src | >= 111.25, < 300.0 |
pkg:cargo/openssl-src | >= 300.0.12 |
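
The ranges above can be checked mechanically against a project's lockfile. The following Rust program is an added example, not code from RustSec or the advisory: it scans `Cargo.lock` text for `openssl-src` entries and classifies each version against the patched ranges listed here. The sample lockfile and the names `classify` and `audit_lockfile` are constructed for illustration.

```rust
#[derive(Debug, PartialEq)]
enum Status { Patched, Affected, Unparsed }

/// Parse "MAJOR[.MINOR[.PATCH]][+build]" into a comparable tuple.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split('+').next()?; // drop build metadata such as "+1.1.1t"
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = it.next()??;
    let minor = it.next().unwrap_or(Some(0))?;
    let patch = it.next().unwrap_or(Some(0))?;
    Some((major, minor, patch))
}

/// Apply the advisory's patched ranges: ">= 111.25, < 300.0" or ">= 300.0.12".
fn classify(v: &str) -> Status {
    match parse_version(v) {
        Some(t) if (t >= (111, 25, 0) && t < (300, 0, 0)) || t >= (300, 0, 12) => Status::Patched,
        Some(_) => Status::Affected,
        None => Status::Unparsed, // unknown format: needs manual review
    }
}

/// Return (version, status) for every openssl-src entry in Cargo.lock text.
fn audit_lockfile(lock: &str) -> Vec<(String, Status)> {
    let (mut name, mut out) = ("", Vec::new());
    for line in lock.lines().map(str::trim) {
        // In Cargo.lock the `name` key precedes `version` within each [[package]].
        if let Some(n) = line.strip_prefix("name = ") { name = n.trim_matches('"'); }
        let ver = line.strip_prefix("version = ").map(|v| v.trim_matches('"'));
        if let (Some(v), "openssl-src") = (ver, name) {
            out.push((v.to_string(), classify(v)));
        }
    }
    out
}

// Constructed sample lockfile, not taken from the page.
const SAMPLE: &str = r#"
[[package]]
name = "openssl-src"
version = "111.24.0+1.1.1s"
[[package]]
name = "openssl-src"
version = "111.25.0+1.1.1t"
"#;
fn main() {
    for (v, s) in audit_lockfile(SAMPLE) { println!("openssl-src {v}: {s:?}"); }
}
```

A version on the 111.x line at or above 111.25 is reported as patched even though it sorts below 300.0.12, which is why the fixed ranges have to be checked rather than the single "affected" bound.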
- ID
- RUSTSEC-2023-0009
- Severity
- high
- Severity from
- CVE-2023-0215
- Impact
- Denial Of Service
- URL
- https://rustsec.org/advisories/RUSTSEC-2023-0009.html
- Published
- 2023-02-07T00:00:00 (19 months ago)
- Modified
- 2023-06-13T13:10:24 (15 months ago)
- Other Advisories
- ALAS-2023-1683
- ALAS2-2023-1934
- ALAS2-2023-1935
- ALAS2-2024-2502
- ALPINE:CVE-2023-0215
- ALSA-2023:0946
- ALSA-2023:1405
- ALSA-2023:2165
- ALSA-2023:2932
- DSA-5343-1
- ELSA-2023-0946
- ELSA-2023-12152
- ELSA-2023-12213
- ELSA-2023-13024
- ELSA-2023-13025
- ELSA-2023-13026
- ELSA-2023-13027
- ELSA-2023-1405
- ELSA-2023-2165
- ELSA-2023-2932
- ELSA-2023-32790
- ELSA-2023-32791
- FEDORA-2023-57f33242bc
- FEDORA-2023-a5564c0a3f
- FEDORA-2023-e1ffb79ddf
- FEDORA-2023-e821b64a4c
- FREEBSD:648A432C-A71F-11ED-86E9-D4C9EF517024
- FREEBSD:C8EB4C40-47BD-11EE-8E38-002590C1F29C
- GLSA-202402-08
- RHSA-2023:0946
- RHSA-2023:1405
- RHSA-2023:2165
- RHSA-2023:2932
- RLSA-2023:0946
- RLSA-2023:1405
- SSA:2023-038-01
- SUSE-SU-2023:0305-1
- SUSE-SU-2023:0305-2
- SUSE-SU-2023:0306-1
- SUSE-SU-2023:0307-1
- SUSE-SU-2023:0308-1
- SUSE-SU-2023:0309-1
- SUSE-SU-2023:0310-1
- SUSE-SU-2023:0311-1
- SUSE-SU-2023:0312-1
- SUSE-SU-2023:0684-1
- USN-5844-1
- USN-5845-1
- USN-5845-2
- USN-6564-1
Source | # ID | Name | URL |
---|---|---|---|
https://www.openssl.org/news/secadv/20230207.txt | | | |
crates.io | | openssl-src | https://crates.io/crates/openssl-src |
rustsec.org | | openssl-src | https://rustsec.org/packages/openssl-src.html |
Security Advisory | GHSA-r7jw-wp68-3xch | | https://github.com/advisories/GHSA-r7jw-wp68-3xch |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Fixed | pkg:cargo/openssl-src | | openssl-src | >= 111.25 < 300.0 | | | |
Fixed | pkg:cargo/openssl-src | | openssl-src | >= 300.0.12 | | | |
Affected | pkg:cargo/openssl-src | | openssl-src | < 300.0.12 | | | |