Reported

February 7, 2023

Issued

February 7, 2023

Package

openssl-src (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Aliases

• CVE-2023-0216

Details

https://www.openssl.org/news/secadv/20230207.txt

Patched

• >=300.0.12

Unaffected

• <300.0.0

Description

An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data.