RUSTSEC-2023-0022

openssl X509NameBuilder::build returned object is not thread safe

Reported

March 24, 2023

Issued

March 23, 2023 (last modified: June 13, 2023)

Package

openssl (crates.io)

Type

Vulnerability

Categories

thread-safety

Aliases

GHSA-3gxf-9r58-2ghg

References

https://github.com/sfackler/rust-openssl/pull/1854

Patched

>=0.10.48

Affected Functions

Version

openssl::x509::X509NameBuilder::build

<0.10.48, >=0.9.7

Description

OpenSSL has a modified bit that it can set on on X509_NAME objects. If this bit is set then the object is not thread-safe even when it appears the code is not modifying the value.

Thanks to David Benjamin (Google) for reporting this issue.

Advisory available under CC0-1.0 license.