Bug 2357560 (CVE-2025-3416, GHSA-4fcv-w3qc-ppgg)

Summary: CVE-2025-3416 openssl: rust-openssl Use-After-Free in `Md::fetch` and `Cipher::fetch`
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bkabrda, bsmejkal, csutherl, dbosanac, decathorpe, erack, gotiwari, jachapma, jclere, jhorak, jreimann, lball, mdessi, mrizzi, mvyas, ngough, pcattana, pjindal, plodge, progier, spichugi, ssidhaye, szappis, tbordaz, teagle, tpopela, vashirov, veshanka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2357935, 2357936, 2357940, 2357943, 2357922, 2357923, 2357924, 2357925, 2357926, 2357927, 2357928, 2357929, 2357930, 2357931, 2357932, 2357933, 2357934, 2357937, 2357938, 2357939, 2357941, 2357942, 2357944    
Bug Blocks:    

Description OSIDB Bzimport 2025-04-04 21:02:38 UTC 
When a `Some(...)` value was passed to the `properties` argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to `CString::drop`'s behavior).

The maintainers thank [quitbug](https://github.com/quitbug/) for reporting this vulnerability to us.
Comment 2 Fabio Valentini 2025-04-07 21:47:29 UTC 
How did you determine which Rust applications to file bugs against?
I was surprised to see that bugs were filed against *some* applications (but not all) that use the OpenSSL bindings from the "openssl" Rust crate, but no bug was filed against "rust-openssl" itself.
Comment 3 Fabio Valentini 2025-04-08 16:15:32 UTC 
I have now looked at the source code of all packages that depend on "rust-openssl", and only *one* of them has a reference to `Cipher::fetch` - python-cryptography, and it doesn't use the function in a way that triggers this CVE. There are zero references to `Md::fetch` in any packages that depend on "rust-openssl". I'll go ahead close all bugs that were reported against packages that are definitely not affected by this issue.

Again, I'm surprised that bugs were opened against "maturin" and "rustup" - neither use code from the "openssl" crate directly. The only package that *could* be affected (because it calls `Cipher::fetch`) is "python-cryptography", and it's one of the few packages that didn't get a bug reported against it 🤣

Note that I have *not* checked packages that vendor the "openssl" crate.