CVE-2023-0216

An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2iPKCS7(), d2iPKCS7bio() or d2iPKCS7_fp() functions.

The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data.

References

Affected packages

Git / github.com/openssl/openssl

Affected ranges

Type: GIT
Repo: https://github.com/openssl/openssl
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

42768eafab40d3e2f0851caa84aa9801139c74ab

Affected versions

Other

BEFORE_engine

OpenSSL_0_9_1c

OpenSSL_0_9_2b

OpenSSL_0_9_3

OpenSSL_0_9_3a

OpenSSL_0_9_3beta2

OpenSSL_0_9_4

OpenSSL_0_9_5a

OpenSSL_0_9_5a-beta1

OpenSSL_0_9_5a-beta2

OpenSSL_0_9_5beta1

OpenSSL_0_9_5beta2

OpenSSL_0_9_6-beta3

OpenSSL_1_1_0-pre1

OpenSSL_1_1_0-pre2

OpenSSL_1_1_0-pre3

OpenSSL_1_1_0-pre4

OpenSSL_1_1_0-pre5

OpenSSL_1_1_0-pre6

OpenSSL_1_1_1

OpenSSL_1_1_1-pre1

OpenSSL_1_1_1-pre2

OpenSSL_1_1_1-pre3

OpenSSL_1_1_1-pre4

OpenSSL_1_1_1-pre5

OpenSSL_1_1_1-pre6

OpenSSL_1_1_1-pre7

OpenSSL_1_1_1-pre8

OpenSSL_1_1_1-pre9

master-post-auto-reformat

master-post-reformat

master-pre-auto-reformat

master-pre-reformat

openssl-3.*

openssl-3.0.0-alpha1

openssl-3.0.0-alpha10

openssl-3.0.0-alpha11

openssl-3.0.0-alpha12

openssl-3.0.0-alpha13

openssl-3.0.0-alpha14

openssl-3.0.0-alpha15

openssl-3.0.0-alpha16

openssl-3.0.0-alpha17

openssl-3.0.0-alpha2

openssl-3.0.0-alpha3

openssl-3.0.0-alpha4

openssl-3.0.0-alpha5

openssl-3.0.0-alpha6

openssl-3.0.0-alpha7

openssl-3.0.0-alpha8

openssl-3.0.0-alpha9

openssl-3.0.0-beta1

openssl-3.0.0-beta2

openssl-3.2.0-alpha1

openssl-3.2.0-alpha2

openssl-3.3.0

openssl-3.3.0-alpha1

openssl-3.3.0-beta1

openssl-3.3.1

openssl-3.3.2