RUSTSEC-2025-0022: Use-After-Free in `Md::fetch` and `Cipher::fetch`


> Use-After-Free in `Md::fetch` and `Cipher::fetch`

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Package             | `openssl`                      |
| Version             | `0.10.71`                   |
| URL                 | [https://github.com/sfackler/rust-openssl/pull/2390](https://github.com/sfackler/rust-openssl/pull/2390) |
| Date                | 2025-04-04                         |
| Patched versions    | `>=0.10.72`                  |
| Unaffected versions | `<0.10.39`               |

When a `Some(...)` value was passed to the `properties` argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to `CString::drop`&#39;s behavior).

The maintainers thank [quitbug](https://github.com/quitbug/) for reporting this vulnerability to us.

See [advisory page](https://rustsec.org/advisories/RUSTSEC-2025-0022.html) for additional details.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

RUSTSEC-2025-0022: Use-After-Free in `Md::fetch` and `Cipher::fetch` #5933

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Details
Package	`openssl`
Version	`0.10.71`
URL	sfackler/rust-openssl#2390
Date	2025-04-04
Patched versions	`>=0.10.72`
Unaffected versions	`<0.10.39`

RUSTSEC-2025-0022: Use-After-Free in Md::fetch and Cipher::fetch #5933

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

RUSTSEC-2025-0022: Use-After-Free in `Md::fetch` and `Cipher::fetch` #5933