Skip to content
This repository was archived by the owner on Mar 18, 2025. It is now read-only.

fix(deps): update rust crate openssl to v0.10.70 [security]#624

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/crate-openssl-vulnerability
Open

fix(deps): update rust crate openssl to v0.10.70 [security]#624
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/crate-openssl-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Feb 3, 2025

This PR contains the following updates:

Package Type Update Change
openssl dependencies patch 0.10.68 -> 0.10.70

GitHub Vulnerability Alerts

CVE-2025-24898

Impact

ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.

Patches

openssl 0.10.70 fixes the signature of ssl::select_next_proto to properly constrain the output buffer's lifetime to that of both input buffers.

Workarounds

In standard usage of ssl::select_next_proto in the callback passed to SslContextBuilder::set_alpn_select_callback, code is only affected if the server buffer is constructed within the callback. For example:

Not vulnerable - the server buffer has a 'static lifetime:

builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK)
});

Not vulnerable - the server buffer outlives the handshake:

let server_protos = b"\x02h2".to_vec();
builder.set_alpn_select_callback(|_, client_protos| {
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

Vulnerable - the server buffer is freed when the callback returns:

builder.set_alpn_select_callback(|_, client_protos| {
    let server_protos = b"\x02h2".to_vec();
    ssl::select_next_proto(&server_protos, client_protos).ok_or_else(AlpnError::NOACK)
});

References

https://github.com/sfackler/rust-openssl/pull/2360

Release Notes

sfackler/rust-openssl (openssl)

v0.10.70: openssl v0.10.70

Compare Source

What's Changed

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.69...openssl-v0.10.70

v0.10.69: openssl v0.10.69

Compare Source

What's Changed

New Contributors

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.68...openssl-v0.10.69

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Feb 3, 2025

🚨 Rust Panic Audit: 342 Potential Panic Points Detected 🚨

Crate: ``

📊 Total Usages: 239

  • 🔎 expect usages: 41
  • 🎁 unwrap usages: 159
  • 🚨 panic usages: 8
  • 🔢 array_index usages: 31

Crate: federation_query_planner

📊 Total Usages: 50

  • 🎁 unwrap usages: 29
  • 🚨 panic usages: 3
  • 🔢 array_index usages: 10
  • 🔎 expect usages: 8

Crate: conductor

📊 Total Usages: 11

  • 🎁 unwrap usages: 2
  • 🔎 expect usages: 7
  • 🚨 panic usages: 2

Crate: common

📊 Total Usages: 11

  • 🔢 array_index usages: 1
  • 🎁 unwrap usages: 10

Crate: cloudflare_worker

📊 Total Usages: 8

  • 🎁 unwrap usages: 5
  • 🔎 expect usages: 2
  • 🚨 panic usages: 1

Crate: telemetry

📊 Total Usages: 7

  • 🔢 array_index usages: 4
  • 🎁 unwrap usages: 3

Crate: engine

📊 Total Usages: 7

  • 🎁 unwrap usages: 6
  • 🔎 expect usages: 1

Crate: tracing

📊 Total Usages: 6

  • 🎁 unwrap usages: 5
  • 🔎 expect usages: 1

Crate: config

📊 Total Usages: 3

  • 🚨 panic usages: 1
  • 🎁 unwrap usages: 2

📌 Expected Annotations

Crate: vrl

📊 Total Expected Usages: 2

expand details
  1. Reason: "if the provided VRL code in the config file can't compile, we have to exit."
  • Code: panic!("failed to compile vrl program");
  • Location: ./plugins/vrl/src/plugin.rs:129
  1. Reason: "states is a non-user provided variable"
  • Code: .expect("can't merge states when states is an empty vector!")
  • Location: ./plugins/vrl/src/plugin.rs:146

Crate: engine

📊 Total Expected Usages: 2

expand details
  1. Reason: "if we are unable to construct the endpoints and attach them onto the gateway's http server, we have to exit"
  • Code: Err(e) => panic!("failed to construct endpoint: {:?}", e),
  • Location: ./libs/engine/src/gateway.rs:158
  1. Reason: "we can safely index here, it's inside a test with constant defined fixtures."
  • Code: ConductorGateway::execute(request, &gw.routes[0].route_data).await
  • Location: ./libs/engine/src/gateway.rs:190

Crate: cloudflare_worker

📊 Total Expected Usages: 4

expand details
  1. Reason: "it panics only if the header name is not valid, and we know it is."
  • Code: .unwrap()
  • Location: ./bin/cloudflare_worker/src/http_tracing.rs:20
  1. Reason: "it panics only if the URL source is not valid, and it's already validated before."
  • Code: let url = req.url().unwrap();
  • Location: ./bin/cloudflare_worker/src/http_tracing.rs:23
  1. Reason: "it only panics if we are not running in a CF context, should be safe."
  • Code: let cf_info = req.cf().unwrap();
  • Location: ./bin/cloudflare_worker/src/http_tracing.rs:27
  1. Reason: "unwraps only in special cases where "data:text" is used."
  • Code: let http_host = url.host().unwrap().to_string();
  • Location: ./bin/cloudflare_worker/src/http_tracing.rs:36

Crate: common

📊 Total Expected Usages: 1

expand details
  1. Reason: "we're parsing a statically defined constant, we know it works ;)"
  • Code: .unwrap()
  • Location: ./libs/common/src/graphql.rs:31

Crate: config

📊 Total Expected Usages: 9

expand details
  1. Reason: "part of development docgen CLI"
  • Code: .expect("Failed to serialize json schema for config file!");
  • Location: ./libs/config/src/generate-json-schema.rs:50
  1. Reason: "part of development docgen CLI"
  • Code: .expect("Failed to write the json schema to the file system!");
  • Location: ./libs/config/src/generate-json-schema.rs:54
  1. Reason: "statically defined regex pattern, we know it works ;)"
  • Code: .unwrap();
  • Location: ./libs/config/src/interpolate.rs:18
  1. Reason: "👇"
  • Code: let raw_contents = read_to_string(file_path)
  • Location: ./libs/config/src/lib.rs:815
  1. Reason: "👇"
  • Code: panic!("Failed to interpolate config file, please resolve the above errors");
  • Location: ./libs/config/src/lib.rs:847
  1. Reason: "👇"
  • Code: parse_config_from_json(&config_string).expect("Failed to parse JSON config file")
  • Location: ./libs/config/src/lib.rs:854
  1. Reason: "👇"
  • Code: parse_config_from_yaml(&config_string).expect("Failed to parse YAML config file")
  • Location: ./libs/config/src/lib.rs:858
  1. Reason: "👇"
  • Code: _ => panic!("Unsupported config file extension"),
  • Location: ./libs/config/src/lib.rs:875
  1. Reason: "👇"
  • Code: None => panic!("Config file has no extension"),
  • Location: ./libs/config/src/lib.rs:878

Crate: jwt_auth

📊 Total Expected Usages: 1

expand details
  1. Reason: "if initiating an http client fails, then we have to exit."
  • Code: let client = wasm_polyfills::create_http_client().build().unwrap();
  • Location: ./plugins/jwt_auth/src/jwks_provider.rs:49

Crate: conductor

📊 Total Expected Usages: 2

expand details
  1. Reason: "we need to exit the process, if the logger can't be correctly set."
  • Code: let _guard = tracing::subscriber::set_default(subscriber);
  • Location: ./bin/conductor/src/lib.rs:64
  1. Reason: "we need to exit the process, if the provided configuration file is incorrect."
  • Code: panic!("Failed to initialize gateway: {:?}", e);
  • Location: ./bin/conductor/src/lib.rs:103

Crate: ``

📊 Total Expected Usages: 22

expand details
  1. Reason: "we're parsing a statically defined constant, we know it works ;)"
  • Code: .unwrap()
  • Location: ./libs/common/src/graphql.rs:31
  1. Reason: "if we are unable to construct the endpoints and attach them onto the gateway's http server, we have to exit"
  • Code: Err(e) => panic!("failed to construct endpoint: {:?}", e),
  • Location: ./libs/engine/src/gateway.rs:158
  1. Reason: "we can safely index here, it's inside a test with constant defined fixtures."
  • Code: ConductorGateway::execute(request, &gw.routes[0].route_data).await
  • Location: ./libs/engine/src/gateway.rs:190
  1. Reason: "part of development docgen CLI"
  • Code: .expect("Failed to serialize json schema for config file!");
  • Location: ./libs/config/src/generate-json-schema.rs:50
  1. Reason: "part of development docgen CLI"
  • Code: .expect("Failed to write the json schema to the file system!");
  • Location: ./libs/config/src/generate-json-schema.rs:54
  1. Reason: "statically defined regex pattern, we know it works ;)"
  • Code: .unwrap();
  • Location: ./libs/config/src/interpolate.rs:18
  1. Reason: "👇"
  • Code: let raw_contents = read_to_string(file_path)
  • Location: ./libs/config/src/lib.rs:815
  1. Reason: "👇"
  • Code: panic!("Failed to interpolate config file, please resolve the above errors");
  • Location: ./libs/config/src/lib.rs:847
  1. Reason: "👇"
  • Code: parse_config_from_json(&config_string).expect("Failed to parse JSON config file")
  • Location: ./libs/config/src/lib.rs:854
  1. Reason: "👇"
  • Code: parse_config_from_yaml(&config_string).expect("Failed to parse YAML config file")
  • Location: ./libs/config/src/lib.rs:858
  1. Reason: "👇"
  • Code: _ => panic!("Unsupported config file extension"),
  • Location: ./libs/config/src/lib.rs:875
  1. Reason: "👇"
  • Code: None => panic!("Config file has no extension"),
  • Location: ./libs/config/src/lib.rs:878
  1. Reason: "we need this"
  • Code: panic!("Exited process!")
  • Location: ./libs/napi/src/lib.rs:18
  1. Reason: "if the provided VRL code in the config file can't compile, we have to exit."
  • Code: panic!("failed to compile vrl program");
  • Location: ./plugins/vrl/src/plugin.rs:129
  1. Reason: "states is a non-user provided variable"
  • Code: .expect("can't merge states when states is an empty vector!")
  • Location: ./plugins/vrl/src/plugin.rs:146
  1. Reason: "if initiating an http client fails, then we have to exit."
  • Code: let client = wasm_polyfills::create_http_client().build().unwrap();
  • Location: ./plugins/jwt_auth/src/jwks_provider.rs:49
  1. Reason: "we need to exit the process, if the logger can't be correctly set."
  • Code: let _guard = tracing::subscriber::set_default(subscriber);
  • Location: ./bin/conductor/src/lib.rs:64
  1. Reason: "we need to exit the process, if the provided configuration file is incorrect."
  • Code: panic!("Failed to initialize gateway: {:?}", e);
  • Location: ./bin/conductor/src/lib.rs:103
  1. Reason: "it panics only if the header name is not valid, and we know it is."
  • Code: .unwrap()
  • Location: ./bin/cloudflare_worker/src/http_tracing.rs:20
  1. Reason: "it panics only if the URL source is not valid, and it's already validated before."
  • Code: let url = req.url().unwrap();
  • Location: ./bin/cloudflare_worker/src/http_tracing.rs:23
  1. Reason: "it only panics if we are not running in a CF context, should be safe."
  • Code: let cf_info = req.cf().unwrap();
  • Location: ./bin/cloudflare_worker/src/http_tracing.rs:27
  1. Reason: "unwraps only in special cases where "data:text" is used."
  • Code: let http_host = url.host().unwrap().to_string();
  • Location: ./bin/cloudflare_worker/src/http_tracing.rs:36

Crate: napi

📊 Total Expected Usages: 1

expand details
  1. Reason: "we need this"
  • Code: panic!("Exited process!")
  • Location: ./libs/napi/src/lib.rs:18

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants