rustsec · mmastrac · Jan 22, 2025 · Jan 22, 2025 · Jan 22, 2025 · Jan 22, 2025
diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -0,0 +1,39 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "openssl-probe"
+date = "2025-01-10"
+url = "https://github.com/alexcrichton/openssl-probe/issues/30"
+references = ["https://www.edgedb.com/blog/c-stdlib-isn-t-threadsafe-and-even-safe-rust-didn-t-save-us"]
+informational = "unsound"
+categories = ["memory-corruption"]
+cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+keywords = ["ssl", "openssl", "environment"]
+
+[affected.functions]
+"openssl_probe::try_init_ssl_cert_env_vars" = ["< 0.1.6"]
+
+[affected]
+os = ["linux"]
+
+[versions]
+patched = [">= 0.1.6"]
+```
+
+# `openssl-probe` may cause memory corruption in multi-threaded processes
+
+`openssl-probe` offers non-`unsafe` methods that call environment setters, which may be called
+in a multithreaded environment, and potentially clash with environment access on other threads.
+
+When these methods are called while other threads are active and accessing the environment, it
+may cause the other threads to access dangling pointer values in the cases where the underlying
+environment data is moved or resized in response to an additional environment variable being
+added, or a variable's contents being enlarged.
+
+This is shown to occur on Linux, but it will also likely occur on any other platform where `getenv`
+and `setenv` are not thread-safe, though trigger conditions may vary widely.
+
+The affected function is `try_init_ssl_cert_env_vars` in 
+<https://github.com/alexcrichton/openssl-probe/blob/db67c9e5b333b1b4164467b17f5d99207fad004c/src/lib.rs#L65>.
+
+The crate's author released a fix in versions `>=0.1.6` which marks these functions as `unsafe` and `#[deprecated]`.