rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions, ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. The openssl crate version 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers. Users are advised to upgrade. In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback.
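The following is an added example, not code from the openssl crate: a safe-Rust model of ALPN protocol selection whose signature carries the constraint the fix describes, a single lifetime shared by the server buffer, the client buffer and the returned slice. The function names, the selection order (first server preference also offered by the client) and the length-prefixed wire format are assumptions for illustration; they show why a static server list is unaffected while a server list built inside the callback would have let a borrow outlive its buffer under the old, client-only lifetime.

```rust
// Added example (not the openssl crate's own code). Models the lifetime
// constraint that the fixed ssl::select_next_proto signature imposes.

/// Parse a TLS ALPN protocol list: each entry is a one-byte length followed
/// by that many bytes of protocol name. Returns None on malformed input
/// (zero-length entry or a length that runs past the end of the buffer).
fn parse_protos(list: &[u8]) -> Option<Vec<&[u8]>> {
    let mut out = Vec::new();
    let mut i = 0;
    while i < list.len() {
        let len = list[i] as usize;
        if len == 0 || i + 1 + len > list.len() {
            return None;
        }
        out.push(&list[i + 1..i + 1 + len]);
        i += 1 + len;
    }
    Some(out)
}

/// Choose the first protocol in `server`'s preference order that the client
/// also offered. The returned slice borrows from `server`, so both inputs
/// share one lifetime `'a` and the result cannot outlive either buffer.
/// A signature that tied the result only to `client` would let a reference
/// into a shorter-lived `server` buffer escape; that is the flaw described above.
fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
    let server_protos = parse_protos(server)?;
    let client_protos = parse_protos(client)?;
    server_protos
        .into_iter()
        .find(|s| client_protos.iter().any(|c| c == s))
}

/// Standard usage shape: the server's list is a static constant, so it outlives
/// every client hello and the borrowed selection is sound.
const SERVER_PROTOS: &[u8] = b"\x02h2\x08http/1.1";

fn alpn_select<'a>(client: &'a [u8]) -> Result<&'a [u8], ()> {
    select_next_proto(SERVER_PROTOS, client).ok_or(())
}

/// If the server list must be built per connection, the constrained signature
/// will not let a borrow of that temporary escape; return an owned copy instead.
fn alpn_select_dynamic(client: &[u8], server_list: Vec<u8>) -> Option<Vec<u8>> {
    select_next_proto(&server_list, client).map(|p| p.to_vec())
}

fn main() {
    // Constructed client hello list: offers http/1.1 first, then h2.
    let client = b"\x08http/1.1\x02h2";
    match alpn_select(client) {
        Ok(p) => println!("selected: {}", String::from_utf8_lossy(p)),
        Err(()) => println!("no common protocol"),
    }
}
```

Under the old signature, `alpn_select` written against a `Vec<u8>` built inside the function would have compiled and returned a slice into freed memory; with the shared lifetime the borrow checker rejects it, which is the compile-time breakage users may see after upgrading and the reason the owned-copy variant exists.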
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Red Hat Enterprise Linux 9 | RedHat | rpm-ostree-0:2025.5-1.el9 | * |
Red Hat Enterprise Linux 9 | RedHat | bootc-0:1.1.6-3.el9_6 | * |
Red Hat Enterprise Linux 9 | RedHat | rust-bootupd-0:0.2.27-3.el9 | * |
Red Hat Enterprise Linux 9 | RedHat | keylime-agent-rust-0:0.2.2-2.el9 | * |
Red Hat Enterprise Linux 9 | RedHat | python3.12-cryptography-0:41.0.7-2.el9 | * |
Rust-openssl | Ubuntu | focal | * |
Rust-openssl | Ubuntu | oracular | * |
Rust-openssl-sys | Ubuntu | focal | * |
Rust-openssl-sys | Ubuntu | oracular | * |