ghsa-v5w6-wcm8-jm4q
Vulnerability from github
The function PEM_read_bio_ex()
reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()
will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.
The functions PEM_read_bio()
and PEM_read()
are simple wrappers around PEM_read_bio_ex()
and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex()
and
SSL_CTX_use_serverinfo_file()
which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex()
returns a failure code. These locations include the PEM_read_bio_TYPE()
functions as well as the decoders introduced in OpenSSL 3.0.
{ "affected": [ { "package": { "ecosystem": "crates.io", "name": "openssl-src" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "111.25.0" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "crates.io", "name": "openssl-src" }, "ranges": [ { "events": [ { "introduced": "300.0.0" }, { "fixed": "300.0.12" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-4450" ], "database_specific": { "cwe_ids": [ "CWE-415" ], "github_reviewed": true, "github_reviewed_at": "2023-02-08T22:22:58Z", "nvd_published_at": "2023-02-08T20:15:00Z", "severity": "HIGH" }, "details": "The function `PEM_read_bio_ex()` reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case `PEM_read_bio_ex()` will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.\n\nThe functions `PEM_read_bio()` and `PEM_read()` are simple wrappers around `PEM_read_bio_ex()` and therefore these functions are also directly affected.\n\nThese functions are also called indirectly by a number of other OpenSSL functions including `PEM_X509_INFO_read_bio_ex()` and\n`SSL_CTX_use_serverinfo_file()` which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if `PEM_read_bio_ex()` returns a failure code. These locations include the `PEM_read_bio_TYPE()` functions as well as the decoders introduced in OpenSSL 3.0.\n", "id": "GHSA-v5w6-wcm8-jm4q", "modified": "2023-02-21T19:59:57Z", "published": "2023-02-08T22:22:58Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4450" }, { "type": "WEB", "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83" }, { "type": "WEB", "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b" }, { "type": "WEB", "url": "https://rustsec.org/advisories/RUSTSEC-2023-0010.html" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202402-08" }, { "type": "WEB", "url": "https://www.openssl.org/news/secadv/20230207.txt" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "openssl-src contains Double free after calling `PEM_read_bio_ex`" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.