GHSA-4fcv-w3qc-ppgg: rust-openssl Use-After-Free in `Md::fetch` and `Cipher::fetch`

April 4, 2025

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop’s behavior).

The maintainers thank quitbug for reporting this vulnerability to us.

References

github.com/advisories/GHSA-4fcv-w3qc-ppgg
github.com/sfackler/rust-openssl
github.com/sfackler/rust-openssl/commit/87085bd67896b7f92e6de35d081f607a334beae4
github.com/sfackler/rust-openssl/pull/2390
rustsec.org/advisories/RUSTSEC-2025-0022.html

Code Behaviors & Features

Detect and mitigate GHSA-4fcv-w3qc-ppgg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →