From eed48b9a152e4748871b5042de3df63f841cc72f Mon Sep 17 00:00:00 2001
From: Alexis Mousset
Date: Sat, 1 May 2021 14:11:36 +0200
Subject: [PATCH] Add CVE-2021-23841 for openssl-src (#888)

---
 crates/openssl-src/RUSTSEC-0000-0000.md | 27 +++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 crates/openssl-src/RUSTSEC-0000-0000.md

diff --git a/crates/openssl-src/RUSTSEC-0000-0000.md b/crates/openssl-src/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..6721d0f
--- /dev/null
+++ b/crates/openssl-src/RUSTSEC-0000-0000.md
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "openssl-src"
+aliases = ["CVE-2021-23841"]
+categories = ["denial-of-service"]
+date = "2021-05-01"
+url = "https://www.openssl.org/news/secadv/20210216.txt"
+
+[versions]
+patched = [">= 111.14"]
+```
+
+# Null pointer deref in `X509_issuer_and_serial_hash()`
+
+The OpenSSL public API function `X509_issuer_and_serial_hash()` attempts to
+create a unique hash value based on the issuer and serial number data contained
+within an X509 certificate. However it fails to correctly handle any errors
+that may occur while parsing the issuer field (which might occur if the issuer
+field is maliciously constructed). This may subsequently result in a NULL
+pointer deref and a crash leading to a potential denial of service attack.
+
+The function `X509_issuer_and_serial_hash()` is never directly called by OpenSSL
+itself so applications are only vulnerable if they use this function directly
+and they use it on certificates that may have been obtained from untrusted
+sources.
+