Bug 2343573 (CVE-2025-24898) - CVE-2025-24898 rust-openssl: rust openssl ssl::select_next_proto use after free [NEEDINFO]
Summary: CVE-2025-24898 rust-openssl: rust openssl ssl::select_next_proto use after free
Keywords:
Status: NEW
Alias: CVE-2025-24898
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-03 18:01 UTC by OSIDB Bzimport
Modified: 2025-05-13 10:36 UTC (History)
9 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
vashirov: needinfo? (rgatica)

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:7147 0 None None None 2025-05-13 10:10:06 UTC
Red Hat Product Errata RHSA-2025:7160 0 None None None 2025-05-13 10:13:41 UTC
Red Hat Product Errata RHSA-2025:7241 0 None None None 2025-05-13 10:25:16 UTC
Red Hat Product Errata RHSA-2025:7313 0 None None None 2025-05-13 10:35:09 UTC
Red Hat Product Errata RHSA-2025:7317 0 None None None 2025-05-13 10:36:06 UTC

Description OSIDB Bzimport 2025-02-03 18:01:18 UTC 
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `sever` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. The crate`openssl` version 0.10.70 fixes the signature of `ssl::select_next_proto` to properly constrain the output buffer's lifetime to that of both input buffers. Users are advised to upgrade. In standard usage of `ssl::select_next_proto` in the callback passed to `SslContextBuilder::set_alpn_select_callback`, code is only affected if the `server` buffer is constructed *within* the callback.
Comment 2 Viktor Ashirov 2025-02-03 20:25:17 UTC 
https://github.com/389ds/389-ds-base/pull/6573
Comment 3 Viktor Ashirov 2025-02-04 10:37:56 UTC 
openssl crate is used in 389-ds-base only in pwdchan plugin for hashing purposes:
https://github.com/389ds/389-ds-base/blob/main/src/plugins/pwdchan/Cargo.toml
https://github.com/389ds/389-ds-base/blob/main/src/plugins/pwdchan/src/lib.rs

Therefore I believe 389-ds-base is unaffected by this CVE.

Robb, could you please confirm?
Comment 11 errata-xmlrpc 2025-05-13 10:10:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7147 https://access.redhat.com/errata/RHSA-2025:7147
Comment 12 errata-xmlrpc 2025-05-13 10:13:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7160 https://access.redhat.com/errata/RHSA-2025:7160
Comment 13 errata-xmlrpc 2025-05-13 10:25:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7241 https://access.redhat.com/errata/RHSA-2025:7241
Comment 14 errata-xmlrpc 2025-05-13 10:35:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7313 https://access.redhat.com/errata/RHSA-2025:7313
Comment 15 errata-xmlrpc 2025-05-13 10:36:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7317 https://access.redhat.com/errata/RHSA-2025:7317
Note You need to log in before you can comment on or make changes to this bug.