CVE-2023-0215
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
08/02/2023
Last modified:
04/11/2025
Description
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.
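The following is an added illustration written for this page, not OpenSSL's own code. It models the BIO chain as a doubly linked list with simplified versions of BIO_push() and BIO_pop(), reproduces the caller pattern of B64_write_ASN1() (push a base64 filter, attempt the NDEF stream, pop the filter afterwards), and contrasts the faulty error path described above (free the asn1 filter while the caller's BIO still points back at it) with the corrected path used by the referenced fix commits (pop the asn1 filter off the chain before freeing it). The struct fields, the static pool allocator and the `freed` flag are assumptions of the model: the flag records a free instead of releasing memory so that the dangling-pointer access is observable rather than undefined behaviour.

```c
/* Added example: miniature model of an OpenSSL BIO chain and of the
 * BIO_new_NDEF() error path described in CVE-2023-0215. Not OpenSSL code. */
#include <stdio.h>
#include <string.h>

typedef struct bio_st {
    const char *name;
    struct bio_st *next_bio;
    struct bio_st *prev_bio;
    int freed;   /* instrumentation (assumption of the model): 1 once "freed" */
} BIO;

/* Static pool instead of malloc so the demonstration has no real UAF. */
#define POOL_SIZE 8
static BIO pool[POOL_SIZE];
static int pool_used;

static void pool_reset(void) { memset(pool, 0, sizeof pool); pool_used = 0; }

static BIO *bio_new(const char *name) {
    if (pool_used >= POOL_SIZE) return NULL;
    BIO *b = &pool[pool_used++];
    b->name = name;
    return b;
}

/* Model of BIO_free(): mark the BIO freed but keep its storage readable. */
static void bio_free(BIO *b) { if (b) b->freed = 1; }

/* Model of BIO_push(): append `append` after the last BIO of b's chain. */
static BIO *bio_push(BIO *b, BIO *append) {
    BIO *lb = b;
    while (lb->next_bio) lb = lb->next_bio;
    lb->next_bio = append;
    if (append) append->prev_bio = lb;
    return b;
}

/* Model of BIO_pop(): unlink b from its neighbours and return b->next_bio.
 * *uaf is set to 1 if a neighbour that was already freed gets written to,
 * which is exactly the use-after-free the advisory describes. */
static BIO *bio_pop(BIO *b, int *uaf) {
    BIO *ret = b->next_bio;
    if (b->prev_bio) {
        if (b->prev_bio->freed && uaf) *uaf = 1;
        b->prev_bio->next_bio = b->next_bio;
    }
    if (b->next_bio) {
        if (b->next_bio->freed && uaf) *uaf = 1;
        b->next_bio->prev_bio = b->prev_bio;
    }
    b->next_bio = b->prev_bio = NULL;
    return ret;
}

/* Model of BIO_new_NDEF() taking its failure branch (e.g. bad recipient key).
 * fixed == 0: free the filter while `out` still points back at it (the bug).
 * fixed == 1: pop the filter off the chain first, then free it (the fix). */
static BIO *new_ndef(BIO *out, int fixed) {
    BIO *asn_bio = bio_new("asn1");
    if (!asn_bio) return NULL;
    out = bio_push(asn_bio, out);      /* asn1 -> out ; out->prev_bio = asn1 */
    /* ... streaming setup fails here ... */
    if (fixed)
        (void)bio_pop(asn_bio, NULL);  /* clears out->prev_bio before the free */
    bio_free(asn_bio);
    return NULL;
}

/* Model of the B64_write_ASN1() caller pattern. Returns 1 if BIO_pop() on
 * the base64 filter touched the freed asn1 filter, 0 if the chain was clean. */
static int write_asn1_model(int fixed) {
    int uaf = 0;
    pool_reset();
    BIO *out = bio_new("sink");
    BIO *b64 = bio_new("base64");
    BIO *head = bio_push(b64, out);    /* base64 -> sink */
    if (new_ndef(head, fixed) == NULL) {
        /* failure reported, but head->prev_bio may now be dangling */
    }
    (void)bio_pop(head, &uaf);         /* the BIO_pop() from the advisory */
    bio_free(b64);
    return uaf;
}

int main(void) {
    printf("unfixed error path: pop touches freed BIO = %d\n", write_asn1_model(0));
    printf("fixed error path:   pop touches freed BIO = %d\n", write_asn1_model(1));
    return 0;
}
```

In the unfixed case `write_asn1_model(0)` returns 1: the caller's base64 filter still carries `prev_bio` pointing at the freed asn1 filter, and BIO_pop() writes through it. With the filter popped before it is freed, `write_asn1_model(1)` returns 0. On a real system the corresponding check is simply that `openssl version` reports at least 1.0.2zg, 1.1.1t or 3.0.8, matching the fixed versions in the table below.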
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 1.0.2 (including) | 1.0.2zg (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 1.1.1 (including) | 1.1.1t (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.8 (excluding) |
| cpe:2.3:a:stormshield:stormshield_management_center:*:*:*:*:*:*:*:* | | 3.3.3 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3D8818064ce3c3c0f1b740a5aaba2a987e75bfbafd
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3D9816136fe31d92ace4037d5da5257f763aeeb4eb
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3Dc3829dd8825c654652201e16f8a0a0c46ee3f344
- https://security.gentoo.org/glsa/202402-08
- https://security.netapp.com/advisory/ntap-20230427-0007/
- https://security.netapp.com/advisory/ntap-20230427-0009/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.openssl.org/news/secadv/20230207.txt
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003