| Minos Galanakis | 9314555 | 2025-09-09 18:54:52 +0100 | [diff] [blame] | 1 | Security |
| 2 | * Fix possible use-after-free or double-free in code calling |
| 3 | mbedtls_x509_string_to_names(). This was caused by the function calling |
| 4 | mbedtls_asn1_free_named_data_list() on its head argument, while the |
| 5 | documentation did no suggest it did, making it likely for callers relying |
| 6 | on the documented behaviour to still hold pointers to memory blocks after |
| 7 | they were free()d, resulting in high risk of use-after-free or double-free, |
| 8 | with consequences ranging up to arbitrary code execution. |
| 9 | In particular, the two sample programs x509/cert_write and x509/cert_req |
| 10 | were affected (use-after-free if the san string contains more than one DN). |
| 11 | Code that does not call mbedtls_string_to_names() directly is not affected. |
| 12 | Found by Linh Le and Ngan Nguyen from Calif. |
| Minos Galanakis | cc3f987 | 2025-09-29 10:58:51 +0100 | [diff] [blame^] | 13 | CVE-2025-47917 |
| Minos Galanakis | 9314555 | 2025-09-09 18:54:52 +0100 | [diff] [blame] | 14 | |
| 15 | Changes |
| 16 | * The function mbedtls_x509_string_to_names() now requires its head argument |
| 17 | to point to NULL on entry. This makes it likely that existing risky uses of |
| 18 | this function (see the entry in the Security section) will be detected and |
| 19 | fixed. |