oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-8721: Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs

From: Timothy Legge <timlegge () cpansec org>
Date: Sun, 17 May 2026 15:50:47 -0300
========================================================================
CVE-2026-8721                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-8721
  Distribution:  Crypt-OpenSSL-PKCS12
      Versions:  through 1.94

      MetaCPAN:  https://metacpan.org/dist/Crypt-OpenSSL-PKCS12
      VCS Repo:  https://github.com/dsully/perl-crypt-openssl-pkcs12


Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates
passwords with embedded NULLs

Description
-----------
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates
passwords with embedded NULLs.

Password parameters in PKCS12.xs are declared char *, which routes
through Perl's default typemap to SvPV_nolen.  The Perl length is
discarded.

The C code (or OpenSSL internally) calls strlen() on the buffer.  Any
password byte at or after the first NULL is silently dropped. Binary /
KDF-derived / HMAC-derived passwords lose entropy without any warnings.

Problem types
-------------
- CWE-170 Improper Null Termination

Solutions
---------
Upgrade to 1.95 or later.


References
----------
https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md

Timeline
--------
- 2026-05-13: CPANSec identified issue
- 2026-05-13: Author was notified
- 2026-05-17: Maintainer released patch version
Previous By Date Next
Previous By Thread Next

Current thread: