Reported

November 23, 2023

Issued

November 28, 2023 (last modified: February 10, 2024)

Package

openssl (crates.io)

Type

INFO Unsound

Categories

• memory-corruption

Aliases

• GHSA-xphf-cx8h-7q9g

References

• https://github.com/sfackler/rust-openssl/issues/2096

Patched

• >=0.10.60

Affected Functions

Version

openssl::x509::store::X509StoreRef::objects

• <0.10.60, >=0.10.29

Description

This function returned a shared reference into an OpenSSL datastructure but did not account for interior mutability. OpenSSL may modify the data behind this reference, meaning accesses can race and the reference is unsound.

Use of this function should be replaced with X509StoreRef::all_certificates.

Advisory available under CC0-1.0 license.