RUSTSEC-2021-0129

Source

https://rustsec.org/advisories/RUSTSEC-2021-0129

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0129.json

Aliases

Published

2021-12-14T12:00:00Z

Modified

2023-12-06T01:01:31.831252Z

Details

Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.

This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains.

References

Affected packages

crates.io / openssl-src

Package

Name: openssl-src

Affected ranges

Type: SEMVER
Events: Introduced

300.0.0

Fixed

300.0.4

Ecosystem specific

{
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": null,
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}