OpenSSL have published a security advisory. Here's how it affects BoringSSL:
| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2021-3711 | SM2 Decryption Buffer Overflow | High | Not affected; BoringSSL does not implement SM2. |
| CVE-2021-3712 | Read buffer overruns processing ASN.1 strings | Moderate | Affected; fixed as of commit 61f320874 |
The ASN1_STRING type represents its contents with a data pointer and a length. The contents may contain NUL bytes, and there is no guarantee that the string is NUL-terminated. For convenience, OpenSSL will NUL-terminate the value in some codepaths (e.g. parsing), but not in others.
Parts of OpenSSL incorrectly relied on NUL-termination. These bugs were also present in BoringSSL and have been fixed as of commit 61f320874be3541087c9ba5e2f21c1ebbc90dbce. This has two consequences:
First, if the ASN1_STRING came from a codepath that did not NUL-terminate, the affected function would run off the end of the buffer. This can crash or leak information. However, all ASN1_STRINGs produced by parsing will NUL-terminate the string, so we expect most consumers will not be affected.
Second, the function may truncate the value on an interior NUL byte. This wasn’t analyzed in the OpenSSL advisory. Callers trying to parse the result of print functions may get the wrong value and misinterpret names in a certificate. We do not recommend parsing print function output. Name constraint verification is affected, but we do not believe this allows bypassing a name-constrained intermediate. Finally, X509_get1_email, X509_REQ_get1_email, and X509_get1_ocsp could return a truncated value, different from what other code, e.g. name constraint checks, observed.
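To make the two consequences above concrete, here is an added illustration (not code from the OpenSSL or BoringSSL trees) that models the bug with a hypothetical simplified struct standing in for ASN1_STRING and a constructed sample buffer:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified stand-in for OpenSSL's ASN1_STRING (not the real
 * struct): explicit length, data not guaranteed NUL-terminated. */
typedef struct {
    const unsigned char *data;
    int length;
} example_asn1_string;

/* Buggy pattern: treating the contents as a C string. Stops at an interior
 * NUL (truncation); with no terminator it reads past `length` (over-read). */
static size_t buggy_len(const example_asn1_string *s) {
    return strlen((const char *)s->data);
}

/* Correct pattern: honour the explicit length, never assume termination. */
static size_t correct_len(const example_asn1_string *s) {
    return s->length < 0 ? 0 : (size_t)s->length;
}

/* Defensive check before passing the value to any C-string API: reject an
 * interior NUL instead of silently truncating on it. */
static int has_interior_nul(const example_asn1_string *s) {
    return memchr(s->data, '\0', correct_len(s)) != NULL;
}

/* Constructed sample: bytes 0..6 hold the ASN.1 value "foo\0bar"; "SECRET" is
 * unrelated data that follows it in memory. The final NUL only keeps this
 * demonstration itself in bounds. */
static const unsigned char backing[] = "foo\0bar" "SECRET";

/* Consequence 1: a value with no terminator of its own is over-read. */
static size_t demo_overread(void) {
    example_asn1_string s = { backing + 4, 3 };   /* "bar", unterminated */
    return buggy_len(&s);                          /* 9: ran into "SECRET" */
}

/* Consequence 2: a value with an interior NUL is truncated. */
static size_t demo_truncation(void) {
    example_asn1_string s = { backing, 7 };        /* "foo\0bar" */
    return buggy_len(&s);                          /* 3, though correct_len is 7 */
}

int main(void) {
    example_asn1_string s = { backing, 7 };
    printf("correct=%zu interior_nul=%d truncated=%zu over-read=%zu\n",
           correct_len(&s), has_interior_nul(&s), demo_truncation(), demo_overread());
    return 0;
}
```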