RUSTSEC-2021-0057

Source
https://rustsec.org/advisories/RUSTSEC-2021-0057
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0057.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2021-0057
Aliases
Published
2021-05-01T12:00:00Z
Modified
2023-12-06T00:45:55.820566Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Integer overflow in CipherUpdate
Details

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

References

Affected packages

crates.io / openssl-src

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
111.14.0

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}