RUSTSEC-2023-0023: openssl SubjectAlternativeName and ExtendedKeyUsage::other allow arbitrary file read #180
Description
opensslSubjectAlternativeNameandExtendedKeyUsage::otherallow arbitrary file read
| Details | |
|---|---|
| Package | openssl |
| Version | 0.10.38 |
| URL | rust-openssl/rust-openssl#1854 |
| Date | 2023-03-24 |
| Patched versions | >=0.10.48 |
SubjectAlternativeName and ExtendedKeyUsage arguments were parsed using the OpenSSL
function X509V3_EXT_nconf. This function parses all input using an OpenSSL mini-language
which can perform arbitrary file reads.
Thanks to David Benjamin (Google) for reporting this issue.
See advisory page for additional details.