
RUSTSEC-2025-0022: Use-After-Free in `Md::fetch` and `Cipher::fetch`

Open github-actions[bot] opened this issue 8 months ago • 0 comments

Use-After-Free in Md::fetch and Cipher::fetch

| Details | |
| --- | --- |
| Package | `openssl` |
| Version | `0.10.71` |
| URL | https://github.com/sfackler/rust-openssl/pull/2390 |
| Date | 2025-04-04 |
| Patched versions | `>=0.10.72` |
| Unaffected versions | `<0.10.39` |

When a `Some(...)` value was passed to the `properties` argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to `CString::drop`'s behavior).

The maintainers thank quitbug for reporting this vulnerability to us.

See advisory page for additional details.

github-actions[bot], Apr 08 '25 00:04
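An added illustration of the bug class the advisory describes, not code from rust-openssl or from the advisory: a `CString` built from an optional `properties` value is dropped before the C side reads its pointer, shown beside a form that keeps it alive. `c_fetch_stub`, `dangling_ptr` and `fetch_with_properties` are hypothetical names, the stub stands in for a C fetch function, and the property string `fips=yes` is a constructed sample.

```rust
use std::ffi::{CStr, CString, NulError};
use std::os::raw::c_char;
use std::ptr;

// Hypothetical stand-in for a C fetch function: it reads the NUL-terminated
// property string only for the duration of the call and returns a copy.
unsafe fn c_fetch_stub(props: *const c_char) -> Option<String> {
    if props.is_null() {
        return None;
    }
    Some(unsafe { CStr::from_ptr(props) }.to_string_lossy().into_owned())
}

// Dangling form: map_or takes the Option<CString> by value, so the CString is
// dropped when the closure returns. The pointer is non-null but refers to
// freed memory; CString's Drop zeroes the first byte before freeing, which is
// why a later reader usually sees an empty string. Never dereference it.
fn dangling_ptr(properties: Option<&str>) -> *const c_char {
    let props = properties.map(|s| CString::new(s).unwrap());
    props.map_or(ptr::null(), |s| s.as_ptr())
}

// Sound form: as_ref() borrows the CString, so `props` owns the buffer until
// the end of this function, which is after the C call has returned.
fn fetch_with_properties(properties: Option<&str>) -> Result<Option<String>, NulError> {
    // Reject interior NUL bytes instead of panicking.
    let props: Option<CString> = properties.map(CString::new).transpose()?;
    let raw = props.as_ref().map_or(ptr::null(), |s| s.as_ptr());
    Ok(unsafe { c_fetch_stub(raw) })
}

fn main() {
    // Constructed sample inputs.
    println!("{:?}", fetch_with_properties(Some("fips=yes")));
    println!("{:?}", fetch_with_properties(None));
    // The dangling pointer looks valid to a null check, which is why the bug
    // is easy to miss; it is only inspected here, not read through.
    println!("dangling is null: {}", dangling_ptr(Some("fips=yes")).is_null());
}
```

For code that cannot upgrade immediately, a review check is to look for `.as_ptr()` called on an owned `CString` inside a closure or on a temporary whose lifetime ends before the FFI call.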