clvm_rs
clvm_rs copied to clipboard
Chia-Network
Update Patched Fix `openssl` `X509StoreRef::objects` is unsound
This function returned a reference into an OpenSSL datastructure, but there was no way to ensure OpenSSL would not mutate the datastructure behind one's back.
Use of this function should be replaced with X509StoreRef::all_certificates.
Pull Request Test Coverage Report for Build 8423840451
Details
- 0 of 0 changed or added relevant lines in 0 files are covered.
- No unchanged relevant lines lost coverage.
- Overall coverage increased (+0.07%) to 94.427%
| Totals | |
|---|---|
| Change from base Build 8310295107: | 0.07% |
| Covered Lines: | 5761 |
| Relevant Lines: | 6101 |
💛 - Coveralls
![coveralls-official[bot] avatar](https://avatars.githubusercontent.com/in/296425?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hey, I don't quite follow this - there aren't any code changes other than a version bump in the lockfile, so I'm not sure if this would actually fix the mentioned issue?
We only work with certificates in the chia-ssl crate of chia_rs, and I don't think we use the X509StoreRef::objects method.
I see, the relevant issue is https://github.com/sfackler/rust-openssl/issues/2096?
Looks like CI is failing, so will have to look into that. And ideally bump whichever crate indirectly depends on OpenSSL as well.
this should also be addressed in the Cargo.toml file, right?
Also, once addressed, we should remove this exception: https://github.com/Chia-Network/clvm_rs/blob/main/.github/workflows/dependency-review.yml#L22C24-L22C43
thanks for your contribution, this was merged into one big pr and included
