Bug #19974


OpenSSL::PKCS7 generates SegFault when parsing invalid data

Added by dprater (David Prater) 4 months ago. Updated 4 months ago.

Target version:
ruby -v:
ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-musl], ruby 3.1.3p185 (2022-11-24 revision 1a6b16756e) [arm64-darwin21]


We ran into an instance of attempting to parse invalid PKCS7 certs that consistently causes a segfault in multiple versions of Ruby 3, on multiple platforms (Linux, Mac).

To reproduce:
------- (within pry or irb or whatever ruby shell you prefer) ----------
data = "-----BEGIN PKCS7-----\nMAsGCSqGSIb3DQEHAg==\n-----END PKCS7-----\n"

This causes a segfault 100% of the time for me on both an M1 Mac as well as in docker containers running on both Mac as well as Linux hosts.

The issue appears to be attempting to parse empty signedData. shows that this data contains the necessary ASN1 sequence to look like a valid PKCS7 certificate. However, the signedData is empty. I assume this is the cause of the issue, but I surely don't know.

I've attached the info from the core dump inside a linux container running on an M1 Mac.


core_dump (145 KB) core_dump dprater (David Prater), 10/26/2023 02:15 PM

Updated by dprater (David Prater) 4 months ago

By the way, looks like this (or at least a very similar) issue was opened in 2012 for Ruby 1.9.3 - The bug was fixed, according to the tracker, but it seems like the issue was either reintroduced at some point, or wasn't completely fixed.

Updated by jeremyevans0 (Jeremy Evans) 4 months ago

I submitted a pull request upstream to fix this:

This is a different issue than #6134, which affected, not PKCS7#certificates.

Updated by dprater (David Prater) 4 months ago

That's great, thanks so much!


Also available in: Atom PDF