The little bug that couldn't: Securing OpenSSL
Blog post from GitHub
Software security extends beyond one's own code to the libraries it depends on: adopting external code also means inheriting its vulnerabilities. The problem compounds as dependencies and their transitive dependencies multiply, which is why it pays to concentrate on securing widely used libraries such as OpenSSL, which much of the ecosystem relies on for cryptography.

A GitHub security researcher found two bugs in OpenSSL. Using CodeQL to analyse control flow, the researcher looked for paths on which the memory-management calls BN_CTX_start and BN_CTX_end are not kept in balance. One such bug, present in commit a9612d6c, is a mismatch between these calls that can corrupt memory and create an opportunity for exploitation. CodeQL queries written to detect the same pattern returned 36 results, of which only four were true positives; the bugs were then patched.

The vulnerable code sat in a function used when verifying certificate signatures. A proof of concept that crashes the process demonstrated the bug and showed that code execution might be achievable, underscoring the need for careful dependency management and sound security practice.
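The post describes using control-flow analysis to find paths on which BN_CTX_start and BN_CTX_end calls are not balanced. The following is an added illustration, not code from the post or from OpenSSL: a small path-sensitive checker in Python that walks a hand-built control-flow graph and reports any return reached with an open BN_CTX_start, or any BN_CTX_end with no matching start. The function shapes BUGGY, FIXED and DOUBLE_END are constructed sample data modelled on that bug class, not the real OpenSSL function; a real query (as in CodeQL) would derive the graph from the C source rather than from a hand-written list of blocks.

```python
"""Tiny path-sensitive checker for unbalanced BN_CTX_start / BN_CTX_end calls.

Illustrative stand-in for the kind of control-flow query the post describes
running with CodeQL. It does not parse C: the function under test is supplied
as a hand-built control-flow graph (constructed sample data at the bottom).
"""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

START, END = "BN_CTX_start", "BN_CTX_end"


@dataclass
class Block:
    """One basic block: the calls it makes, in order, and its successors.
    An empty successor list means the block ends in a return."""
    name: str
    calls: List[str] = field(default_factory=list)
    succ: List[str] = field(default_factory=list)


Cfg = Dict[str, Block]


def build_cfg(blocks: List[Block]) -> Cfg:
    return {b.name: b for b in blocks}


def check_ctx_balance(cfg: Cfg, entry: str = "entry") -> List[Tuple[List[str], str]]:
    """Enumerate paths from `entry` and report every path on which the
    start/end nesting depth goes negative (an end without a start) or is
    non-zero at a return (a start without a matching end).

    Returns a list of (path, message). A (block, depth) state already explored
    is not revisited, so the walk terminates on graphs with loops."""
    findings: List[Tuple[List[str], str]] = []
    seen = set()

    def walk(name: str, depth: int, path: List[str]) -> None:
        if (name, depth) in seen:
            return
        seen.add((name, depth))
        path = path + [name]
        for call in cfg[name].calls:
            if call == START:
                depth += 1
            elif call == END:
                depth -= 1
                if depth < 0:
                    findings.append((path, f"{END} without a matching {START}"))
                    return
        if not cfg[name].succ:
            if depth != 0:
                findings.append((path, f"returns with {depth} unmatched {START}"))
            return
        for nxt in cfg[name].succ:
            walk(nxt, depth, path)

    walk(entry, 0, [])
    return findings


# Constructed sample: an early error return that skips BN_CTX_end.
BUGGY = build_cfg([
    Block("entry", [START, "BN_CTX_get"], ["error", "compute"]),
    Block("error", ["BN_free"], []),            # returns without BN_CTX_end
    Block("compute", ["BN_mod_mul"], ["exit"]),
    Block("exit", [END], []),
])

# Constructed sample: the error path now joins the shared cleanup block.
FIXED = build_cfg([
    Block("entry", [START, "BN_CTX_get"], ["error", "compute"]),
    Block("error", ["BN_free"], ["exit"]),
    Block("compute", ["BN_mod_mul"], ["exit"]),
    Block("exit", [END], []),
])

# Constructed sample: an extra BN_CTX_end pops a frame that was never pushed.
DOUBLE_END = build_cfg([
    Block("entry", [START], ["a"]),
    Block("a", [END, END], []),
])


if __name__ == "__main__":
    for label, cfg in (("BUGGY", BUGGY), ("FIXED", FIXED), ("DOUBLE_END", DOUBLE_END)):
        for path, msg in check_ctx_balance(cfg) or [([], "balanced on every path")]:
            print(f"{label}: {' -> '.join(path) or '-'}: {msg}")
```

The checker reports the path that reaches the imbalance, which is what a reviewer needs to decide whether a result is a true positive; the post's 36 results with only four true positives shows why that triage step matters.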