Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <a8f864f872e832e706ca7f5846445b4a@cpansec.org>
Date: Mon, 13 Jul 2026 19:28:14 -0300
From: Timothy Legge <timlegge@...nsec.org>
To: Oss Security <oss-security@...ts.openwall.com>
Subject: 2 CVEs Crypt::OpenSSL::X509 versions before 2.1.3

CVE-2026-58101: Crypt::OpenSSL::X509 versions before 2.1.3 for Perl 
allow denial of service via NULL pointer dereference
CVE-2026-58102: Crypt::OpenSSL::X509 versions before 2.1.3 for Perl 
allow a heap out-of-bounds read via a long certificate extension OID in 
hv_exts

========================================================================
CVE-2026-58101                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-58101
   Distribution:  Crypt-OpenSSL-X509
       Versions:  before 2.1.3

       MetaCPAN:  https://metacpan.org/dist/Crypt-OpenSSL-X509
       VCS Repo:  https://github.com/dsully/perl-crypt-openssl-x509


Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of
service via NULL pointer dereference

Description
-----------
Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of
service via NULL pointer dereference.

X509V3_EXT_d2i(ext) returns NULL when an extension's DER value fails to
parse. basicC, ia5string, and auth_att dereference its result without a
NULL check. keyid_data also dereferences akid->keyid, which is NULL for
an empty AKI SEQUENCE (DER 30 00) even when the parse succeeds.

A caller invoking an affected helper on an extension from an untrusted
certificate triggers a SIGSEGV that crashes the Perl process.

Problem types
-------------
- CWE-476 NULL Pointer Dereference

Solutions
---------
Upgrade to Crypt::OpenSSL::X509 2.1.3 or later, which NULL-checks each
X509V3_EXT_d2i result and the optional keyid field before
dereferencing.


References
----------
https://github.com/dsully/perl-crypt-openssl-x509/commit/4c1e2370556097c253ae27abe9e1097ea377fbd2.patch
https://metacpan.org/release/JONASBN/Crypt-OpenSSL-X509-2.1.3/source/Changes.md

========================================================================
CVE-2026-58102                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-58102
   Distribution:  Crypt-OpenSSL-X509
       Versions:  before 2.1.3

       MetaCPAN:  https://metacpan.org/dist/Crypt-OpenSSL-X509
       VCS Repo:  https://github.com/dsully/perl-crypt-openssl-x509


Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap
out-of-bounds read via a long certificate extension OID in hv_exts

Description
-----------
Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap
out-of-bounds read via a long certificate extension OID in hv_exts.

When building the extension hash (via extensions(),
extensions_by_long_name(), extensions_by_oid(), or
has_extension_oid()), the code passes OBJ_obj2txt()'s return value as
the hash-key length; because that value is the OID's full text length
rather than the bytes written to the fixed-size buffer (129 bytes), an
OID whose text is longer than the 129-byte buffer causes a read past
the allocation, exposing adjacent heap memory as the returned hash key.
extensions_by_name() uses the static shortname path and is not
affected.

Problem types
-------------
- CWE-125 Out-of-bounds Read

Workarounds
-----------
Callers that must enumerate extensions of untrusted certificates can
restrict enumeration to extensions_by_name(), which uses the static
shortname path and does not trigger the over-read.


Solutions
---------
Upgrade to Crypt::OpenSSL::X509 2.1.3 or later.


References
----------
https://github.com/dsully/perl-crypt-openssl-x509/commit/757289bfce095455c104d4adfe9312e7b339620f.patch
https://metacpan.org/release/JONASBN/Crypt-OpenSSL-X509-2.1.3/source/Changes.md

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.