Bug #19974
open
OpenSSL::PKCS7 generates SegFault when parsing invalid data
Description
We ran into an instance of attempting to parse invalid PKCS7 certs that consistently causes a segfault in multiple versions of Ruby 3, on multiple platforms (Linux, Mac).
To reproduce:
------- (within pry or irb or whatever ruby shell you prefer) ----------
data = "-----BEGIN PKCS7-----\nMAsGCSqGSIb3DQEHAg==\n-----END PKCS7-----\n"
OpenSSL::PKCS7.new(data).certificates
This causes a segfault 100% of the time for me on both an M1 Mac as well as in docker containers running on both Mac as well as Linux hosts.
The issue appears to be attempting to parse empty signedData. https://lapo.it/asn1js/#MAsGCSqGSIb3DQEHAg shows that this data contains the necessary ASN1 sequence to look like a valid PKCS7 certificate. However, the signedData is empty. I assume this is the cause of the issue, but I surely don't know.
I've attached the info from the core dump inside a linux container running on an M1 Mac.
Files
Updated by dprater (David Prater) 6 months ago
By the way, looks like this (or at least a very similar) issue was opened in 2012 for Ruby 1.9.3 - https://bugs.ruby-lang.org/issues/6134. The bug was fixed, according to the tracker, but it seems like the issue was either reintroduced at some point, or wasn't completely fixed.
Updated by jeremyevans0 (Jeremy Evans) 6 months ago
I submitted a pull request upstream to fix this: https://github.com/ruby/openssl/pull/690
This is a different issue than #6134, which affected PKCS7.new, not PKCS7#certificates.
Updated by dprater (David Prater) 6 months ago
That's great, thanks so much!