Instituto Nacional de Ciberseguridad (Spanish National Cybersecurity Institute). INCIBE-CERT section

CVE-2022-4450

CVSS v3.1 severity:
HIGH
Type:
CWE-415 Double Free
Publication date:
08/02/2023
Last modified:
04/11/2025

Description

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 1.1.1 (including) 1.1.1t (excluding)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 3.0.0 (including) 3.0.8 (excluding)
cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:* 4.0.0 (including) 4.3.16 (excluding)
cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:* 4.4.0 (including) 4.6.3 (excluding)
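
The version ranges in the table above can be checked mechanically during an inventory sweep. The following is an added example, not part of the advisory: the function names are hypothetical, and it assumes versions are written as `X.Y.Z` with the optional letter suffix used by OpenSSL 1.x releases.

```python
import re

# Affected ranges copied from the advisory's table:
# (first affected version, inclusive; first fixed version, exclusive).
AFFECTED = {
    "openssl": [("1.1.1", "1.1.1t"), ("3.0.0", "3.0.8")],
    "stormshield_network_security": [("4.0.0", "4.3.16"), ("4.4.0", "4.6.3")],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_version(text):
    """Return a sortable key for 'X.Y.Z' or OpenSSL 1.x style 'X.Y.Z<letters>'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, letters = m.groups()
    # Letter releases sort as: (none) < a < ... < z < za < zb ...
    # Comparing suffix length before the letters themselves gives that order.
    return (int(major), int(minor), int(patch), len(letters), letters)


def is_affected(product, version):
    """True if `version` falls inside one of the advisory's ranges for `product`."""
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi)
               for lo, hi in AFFECTED[product])


def check_openssl_banner(banner):
    """Check the first line printed by `openssl version`."""
    m = re.match(r"^OpenSSL\s+(\S+)", banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    return is_affected("openssl", m.group(1))


if __name__ == "__main__":
    # Constructed sample banners, in the format `openssl version` prints.
    for line in ("OpenSSL 1.1.1s  1 Nov 2022", "OpenSSL 3.0.8 7 Feb 2023"):
        print(line, "->", "affected" if check_openssl_banner(line) else "not affected")
```

Distribution packages often backport fixes without changing the upstream version string, so a match here should be confirmed against the vendor's own advisory for the installed package.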