Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Patched Fix openssl X509StoreRef::objects is unsound #394

Closed
wants to merge 1 commit into from

Conversation

bangtabil
Copy link

This function returned a reference into an OpenSSL datastructure, but there was no way to ensure OpenSSL would not mutate the datastructure behind one's back.

Use of this function should be replaced with X509StoreRef::all_certificates.

This function returned a reference into an OpenSSL datastructure, but there was no way to ensure OpenSSL would not mutate the datastructure behind one's back.

Use of this function should be replaced with `X509StoreRef::all_certificates.`
Copy link

Pull Request Test Coverage Report for Build 8423840451

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.07%) to 94.427%

Totals Coverage Status
Change from base Build 8310295107: 0.07%
Covered Lines: 5761
Relevant Lines: 6101

💛 - Coveralls

@Rigidity
Copy link
Contributor

Rigidity commented Mar 25, 2024

Hey, I don't quite follow this - there aren't any code changes other than a version bump in the lockfile, so I'm not sure if this would actually fix the mentioned issue?

We only work with certificates in the chia-ssl crate of chia_rs, and I don't think we use the X509StoreRef::objects method.

@Rigidity
Copy link
Contributor

I see, the relevant issue is sfackler/rust-openssl#2096?

Looks like CI is failing, so will have to look into that. And ideally bump whichever crate indirectly depends on OpenSSL as well.

@arvidn
Copy link
Contributor

arvidn commented Apr 25, 2024

this should also be addressed in the Cargo.toml file, right?
Also, once addressed, we should remove this exception: https://github.com/Chia-Network/clvm_rs/blob/main/.github/workflows/dependency-review.yml#L22C24-L22C43

@@ -942,11 +925,11 @@ checksum = "0ab1bc2a289d34bd04a330323ac98a1b4bc82c9d9fcb1e66b63caa84da26b575"

[[package]]
name = "openssl"
version = "0.10.55"
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Team @Rigidity,

Thank you for your respond. bellow I provide additional information.

You can see at #394 that Chia-Network is using the vulnerable version "0.10.55".

@@ -108,23 +108,6 @@ version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"

[[package]]
name = "chia-bls"
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated some packages to avoid the attacks I listed. I hope in the future. this version is always updated. because every vulnerability will exist every year. according to CVE / CWE standards.

@jack60612
Copy link
Contributor

thanks for your contribution, this was merged into one big pr and included

@jack60612
Copy link
Contributor

Thanks! Included in #435.

@jack60612 jack60612 closed this Jul 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants