Reported

June 20, 2023

Issued

June 20, 2023 (last modified: July 8, 2023)

Package

openssl (crates.io)

Type

Vulnerability

Categories

• memory-exposure

Aliases

• GHSA-xcf7-rvmh-g6q4

References

• https://github.com/sfackler/rust-openssl/issues/1965

Patched

• >=0.10.55

Affected Functions

Version

openssl::x509::verify::X509VerifyParamRef::set_host

• <0.10.55, >=0.10.0

Description

When this function was passed an empty string, openssl would attempt to call strlen on it, reading arbitrary memory until it reached a NUL byte.

Advisory available under CC0-1.0 license.