Chia-Network / clvm_rs

Rust implementation of clvm
Apache License 2.0

Update Patched Fix `openssl` `X509StoreRef::objects` is unsound #394

Closed bangtabil closed 1 week ago

bangtabil commented 4 months ago

This function returned a reference into an OpenSSL data structure, but there was no way to ensure OpenSSL would not mutate the data structure behind one's back.

Use of this function should be replaced with X509StoreRef::all_certificates.

coveralls-official[bot] commented 4 months ago

Pull Request Test Coverage Report for Build 8423840451

Totals Coverage Status
Change from base Build 8310295107: 0.07%
Covered Lines: 5761
Relevant Lines: 6101

💛 - Coveralls

Rigidity commented 4 months ago

Hey, I don't quite follow this - there aren't any code changes other than a version bump in the lockfile, so I'm not sure if this would actually fix the mentioned issue?

We only work with certificates in the chia-ssl crate of chia_rs, and I don't think we use the X509StoreRef::objects method.

Rigidity commented 4 months ago

I see, the relevant issue is https://github.com/sfackler/rust-openssl/issues/2096?

Looks like CI is failing, so will have to look into that. And ideally bump whichever crate indirectly depends on OpenSSL as well.

arvidn commented 3 months ago

This should also be addressed in the Cargo.toml file, right? Also, once addressed, we should remove this exception: https://github.com/Chia-Network/clvm_rs/blob/main/.github/workflows/dependency-review.yml#L22C24-L22C43

jack60612 commented 1 week ago

Thanks for your contribution, this was merged into one big PR and included.

jack60612 commented 1 week ago

Thanks! Included in #435.