CVE-2025-69419

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
27/01/2026
Last modified:
27/01/2026

Description

Issue summary: Calling the PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing a non-ASCII BMP code point can trigger a one-byte write before the allocated buffer.

Impact summary: The out-of-bounds write can cause memory corruption, which can have various consequences including a Denial of Service.

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, i.e. outside the heap-allocated buffer.

The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function.

Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application, and the attacker can only trigger a write of a single zero byte before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.
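The following is an added illustration of the two-pass BMPString (UTF-16BE) to UTF-8 conversion described above, written for this page; it is not OpenSSL's code and does not reproduce OPENSSL_uni2utf8(), bmp_to_utf8() or UTF8_putc(). The function names bmp_utf8_putc(), bmp_to_utf8_safe() and putc_result_with_source_capacity() are hypothetical, and the sample input (the string "a€" encoded as UTF-16BE) is constructed. It shows the two defensive properties the advisory implies: the second pass must receive the remaining destination capacity rather than the remaining source byte count, and a negative return from the encoder must be treated as an error rather than added to the output length. Surrogate pairs are rejected as a simplification; real BMPString handling would decode them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* UTF-8 length of a BMP code point (U+0000..U+FFFF): 1, 2 or 3 bytes. */
static int utf8_len_bmp(uint32_t cp)
{
    if (cp < 0x80)
        return 1;
    if (cp < 0x800)
        return 2;
    return 3;
}

/* Illustrative stand-in for a putc-style encoder (hypothetical, not
 * OpenSSL's UTF8_putc): writes the UTF-8 form of cp into dst and returns
 * the byte count, or -1 when cap is too small for the encoding. */
int bmp_utf8_putc(unsigned char *dst, size_t cap, uint32_t cp)
{
    int need = utf8_len_bmp(cp);

    if ((size_t)need > cap)
        return -1;
    if (need == 1) {
        dst[0] = (unsigned char)cp;
    } else if (need == 2) {
        dst[0] = (unsigned char)(0xC0 | (cp >> 6));
        dst[1] = (unsigned char)(0x80 | (cp & 0x3F));
    } else {
        dst[0] = (unsigned char)(0xE0 | (cp >> 12));
        dst[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        dst[2] = (unsigned char)(0x80 | (cp & 0x3F));
    }
    return need;
}

/* Two-pass UTF-16BE -> UTF-8 conversion (hypothetical helper). Pass 1 sizes
 * the output from the code points; pass 2 emits, handing the encoder the
 * remaining *destination* capacity and checking every return value, so the
 * running length can never go negative and the NUL always lands in bounds.
 * Returns a malloc'd NUL-terminated string, or NULL on malformed input. */
unsigned char *bmp_to_utf8_safe(const unsigned char *uni, size_t unilen,
                                size_t *outlen)
{
    size_t i, need = 0, pos = 0;
    unsigned char *out;

    if (unilen % 2 != 0)            /* UTF-16 units are always 2 bytes */
        return NULL;
    for (i = 0; i < unilen; i += 2) {
        uint32_t cp = ((uint32_t)uni[i] << 8) | uni[i + 1];
        if (cp >= 0xD800 && cp <= 0xDFFF)   /* simplification: no surrogates */
            return NULL;
        need += (size_t)utf8_len_bmp(cp);
    }
    out = malloc(need + 1);          /* +1 for the trailing NUL */
    if (out == NULL)
        return NULL;
    for (i = 0; i < unilen; i += 2) {
        uint32_t cp = ((uint32_t)uni[i] << 8) | uni[i + 1];
        int n = bmp_utf8_putc(out + pos, need - pos, cp);
        if (n < 0) {                 /* never add a negative length */
            free(out);
            return NULL;
        }
        pos += (size_t)n;
    }
    out[pos] = '\0';
    if (outlen != NULL)
        *outlen = pos;
    return out;
}

/* Demonstrates the accounting mistake described in the advisory without
 * performing any out-of-bounds write: when the final UTF-16 unit is reached,
 * 2 source bytes remain, but a code point above U+07FF needs 3 UTF-8 bytes,
 * so an encoder given the source count as capacity reports -1. */
int putc_result_with_source_capacity(uint32_t cp)
{
    unsigned char scratch[4];
    return bmp_utf8_putc(scratch, 2, cp);
}

int main(void)
{
    /* Constructed sample: "a€" as UTF-16BE (U+0061, U+20AC). */
    static const unsigned char sample[] = { 0x00, 0x61, 0x20, 0xAC };
    size_t len = 0;
    unsigned char *s = bmp_to_utf8_safe(sample, sizeof sample, &len);

    if (s == NULL)
        return 1;
    printf("utf8 length %zu, encoder result with source-count capacity: %d\n",
           len, putc_result_with_source_capacity(0x20AC));
    free(s);
    return 0;
}
```

Running the stand-alone program reports a 4-byte UTF-8 result for the sample, and -1 for the encoder call that is handed the remaining source byte count as capacity, which is the condition the advisory says was then added to the length unchecked.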

Impact