CVE-2024-0727

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/01/2024
Last modified:
14/10/2024

Description

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack.

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However, since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
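The field the advisory refers to is the OPTIONAL [0] EXPLICIT content of a PKCS#7 ContentInfo (RFC 7292 / RFC 2315): a PFX whose authSafe ContentInfo, or one of the ContentInfo entries inside the AuthenticatedSafe, carries a contentType OID but no content decodes to a NULL content pointer in OpenSSL. The following is an added example, not OpenSSL code and not from this advisory: a small stand-alone DER walker that reports such absent-content ContentInfo elements before the bytes are handed to an unpatched OpenSSL. Function names, the DERError class and the hand-built sample inputs are this example's own; the two OID byte strings are the standard PKCS#7 id-data and id-encryptedData identifiers.

```python
"""Structural pre-check for PKCS#12 (PFX) input before it reaches OpenSSL.
Added example, not OpenSSL code.  Walks the outer DER layout from RFC 7292 and
reports ContentInfo elements whose OPTIONAL [0] content is absent.  A clean
result is not a safety guarantee; the fix is a patched OpenSSL.  Stdlib only."""

# DER-encoded contentType OIDs: PKCS#7 id-data and id-encryptedData.
OID_DATA = bytes.fromhex("2A864886F70D010701")
OID_ENCRYPTED_DATA = bytes.fromhex("2A864886F70D010706")
SEQUENCE, OCTET_STRING, INTEGER, OID, CTX0 = 0x30, 0x04, 0x02, 0x06, 0xA0


class DERError(ValueError):
    """Raised for input that is not well-formed definite-length DER."""


def read_tlv(buf, pos=0):
    """Decode one DER element at buf[pos]; return (tag, value, end_offset)."""
    if pos + 2 > len(buf):
        raise DERError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80 or (first & 0x7F) > 4:
        raise DERError("indefinite or oversized length is not DER")
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DERError("element runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Decode all sibling elements inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out


def check_content_info(ci, where, findings):
    """Record a ContentInfo with absent [0] content; return (oid, inner element)."""
    tag, value = ci
    if tag != SEQUENCE:
        raise DERError(f"{where}: ContentInfo is not a SEQUENCE")
    parts = children(value)
    if not parts or parts[0][0] != OID:
        raise DERError(f"{where}: missing contentType OID")
    oid = parts[0][1]
    if len(parts) < 2 or parts[1][0] != CTX0:
        findings.append(f"{where}: ContentInfo {oid.hex()} has no [0] content")
        return oid, None
    inner = children(parts[1][1])
    if len(inner) != 1:
        raise DERError(f"{where}: [0] EXPLICIT must wrap exactly one element")
    return oid, inner[0]


def pkcs12_null_content_findings(der):
    """Return findings for absent-content ContentInfo; an empty list means none seen."""
    findings = []
    tag, value, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise DERError("PFX is not a single SEQUENCE")
    top = children(value)
    if len(top) < 2 or top[0][0] != INTEGER:
        raise DERError("PFX missing version or authSafe")
    oid, content = check_content_info(top[1], "authSafe", findings)
    if content is None or oid != OID_DATA:
        return findings  # no plaintext AuthenticatedSafe to walk any further
    if content[0] != OCTET_STRING:
        raise DERError("authSafe data content is not an OCTET STRING")
    tag, value, _ = read_tlv(content[1])
    if tag != SEQUENCE:
        raise DERError("AuthenticatedSafe is not a SEQUENCE")
    for i, ci in enumerate(children(value)):
        check_content_info(ci, f"AuthenticatedSafe[{i}]", findings)
    return findings


# Constructed sample inputs: hand-built DER for this example, not real PFX files.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def content_info(oid, content=None):
    body = der(OID, oid) + (der(CTX0, content) if content is not None else b"")
    return der(SEQUENCE, body)

def pfx(authsafe):
    return der(SEQUENCE, der(INTEGER, b"\x03") + authsafe)

def auth_safe(*entries):
    return der(OCTET_STRING, der(SEQUENCE, b"".join(entries)))

SAMPLE_OK = pfx(content_info(OID_DATA, auth_safe(
    content_info(OID_DATA, der(OCTET_STRING, der(SEQUENCE, b""))))))
SAMPLE_NULL_AUTHSAFE = pfx(content_info(OID_DATA))          # authSafe has no content
SAMPLE_NULL_INNER = pfx(content_info(OID_DATA, auth_safe(
    content_info(OID_ENCRYPTED_DATA))))                     # inner entry has no content
```

The walker stops at the first layer it cannot see into (an encryptedData or envelopedData authSafe, or an authSafe with no content at all), so it can only flag the plaintext layers; the MacData trailer is ignored because it is optional and not part of the reported crash path. Treat a non-empty result as a reason to reject the file, and treat an empty result as nothing more than "the obvious shape is absent".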

Vulnerable products and versions

CPE                                              From (including)   Up to (excluding)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*        1.0.2              1.0.2zj
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*        1.1.1              1.1.1x
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*        3.0.0              3.0.13
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*        3.1.0              3.1.5
cpe:2.3:a:openssl:openssl:3.2.0:-:*:*:*:*:*:*    3.2.0 (exact)      -
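Comparing an OpenSSL version string against these ranges is easy to get wrong for the 1.x series, where the letter suffix runs a..z and then za..zj, so plain string comparison puts 1.0.2zj before 1.0.2b. The following is an added example, not vendor code: it encodes the ranges from the table above (3.2.0 as an exact match, as listed) and orders versions the way OpenSSL numbers them. The helper names and the banner parsing of `ssl.OPENSSL_VERSION` are this example's own assumptions.

```python
"""Check an OpenSSL version string against the affected ranges in the table above.
Added example, not vendor code: the ranges are the table's; the parser and the
helper names are this example's own.  Standard library only."""
import re
import ssl

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

# (first affected, first fixed) per the CPE table; None as the second item means
# an exact match, which is how the table lists OpenSSL 3.2.0.
AFFECTED_RANGES = [
    ("1.0.2", "1.0.2zj"),
    ("1.1.1", "1.1.1x"),
    ("3.0.0", "3.0.13"),
    ("3.1.0", "3.1.5"),
    ("3.2.0", None),
]


def version_key(version):
    """Sortable key honouring OpenSSL's 1.x letter scheme:
    1.0.2 < 1.0.2a < ... < 1.0.2z < 1.0.2za < ... < 1.0.2zj."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), len(letters), letters)


def is_affected(version):
    """True when the version falls inside one of the listed ranges."""
    key = version_key(version)
    for lo, hi in AFFECTED_RANGES:
        if hi is None:
            if key == version_key(lo):
                return True
        elif version_key(lo) <= key < version_key(hi):
            return True
    return False


def openssl_version_from_banner(banner):
    """Pull '1.1.1w' out of a banner shaped like ssl.OPENSSL_VERSION
    ('OpenSSL 1.1.1w  11 Sep 2023'); build tags after '-' such as
    '-fips' are dropped.  Banner shape is an assumption of this example."""
    words = banner.split()
    if len(words) < 2 or words[0] != "OpenSSL":
        raise ValueError(f"not an OpenSSL banner: {banner!r}")
    return words[1].split("-")[0]


if __name__ == "__main__":
    running = openssl_version_from_banner(ssl.OPENSSL_VERSION)
    verdict = "AFFECTED" if is_affected(running) else "not in an affected range"
    print(f"{ssl.OPENSSL_VERSION}: {verdict}")
```

A version number is only a first-pass signal: distributions routinely backport the fix without changing the upstream version string, so a hit from this check should be confirmed against the package changelog or the vendor's own advisory before it is treated as a finding.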