RUSTSEC-2023-0023

openssl SubjectAlternativeName and ExtendedKeyUsage::other allow arbitrary file read

Reported

March 24, 2023

Issued

March 23, 2023 (last modified: June 13, 2023)

Package

openssl (crates.io)

Type

Vulnerability

Categories

file-disclosure

Aliases

GHSA-9qwg-crg9-m2vc

References

https://github.com/sfackler/rust-openssl/pull/1854

Patched

>=0.10.48

Affected Functions

Version

openssl::x509::extension::ExtendedKeyUsage::other

<0.10.48, >=0.9.7

openssl::x509::extension::SubjectAlternativeName::new

<0.10.48, >=0.9.7

Description

SubjectAlternativeName and ExtendedKeyUsage arguments were parsed using the OpenSSL function X509V3_EXT_nconf. This function parses all input using an OpenSSL mini-language which can perform arbitrary file reads.

Thanks to David Benjamin (Google) for reporting this issue.

Advisory available under CC0-1.0 license.