From 35792564ac922fc7fe99e05eb7140e8ed2c3a3fb Mon Sep 17 00:00:00 2001
From: Alexis Mousset <alexis.mousset@rudder.io>
Date: Sat, 1 May 2021 14:08:48 +0200
Subject: [PATCH] Add CVE-2021-23840 for openssl-src (#887)

---
 crates/openssl-src/RUSTSEC-0000-0000.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 crates/openssl-src/RUSTSEC-0000-0000.md

diff --git a/crates/openssl-src/RUSTSEC-0000-0000.md b/crates/openssl-src/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..d4c9127
--- /dev/null
+++ b/crates/openssl-src/RUSTSEC-0000-0000.md
@@ -0,0 +1,22 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "openssl-src"
+aliases = ["CVE-2021-23840"]
+categories = ["denial-of-service"]
+date = "2021-05-01"
+url = "https://www.openssl.org/news/secadv/20210216.txt"
+
+[versions]
+patched = [">= 111.14"]
+```
+
+# Integer overflow in CipherUpdate
+
+Calls to `EVP_CipherUpdate`, `EVP_EncryptUpdate` and `EVP_DecryptUpdate` may overflow
+the output length argument in some cases where the input length is close to the
+maximum permissable length for an integer on the platform. In such cases the
+return value from the function call will be 1 (indicating success), but the
+output length value will be negative. This could cause applications to behave
+incorrectly or crash.
+