From 24d2d14cce1606f65f95a3ffaebccef349a673d0 Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Wed, 22 Jan 2025 13:29:14 -0700
Subject: [PATCH 01/13] Create RUSTSEC-0000-0000.md

---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 crates/openssl-probe/RUSTSEC-0000-0000.md

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..c5e54197a
--- /dev/null
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -0,0 +1,16 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "openssl-probe"
+date = "2025-01-10"
+url = "https://github.com/alexcrichton/openssl-probe/issues/30"
+references = ["https://www.edgedb.com/blog/c-stdlib-isn-t-threadsafe-and-even-safe-rust-didn-t-save-us"]
+informational = "unsound"
+categories = ["memory-corruption"]
+cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+keywords = ["ssl", "openssl", "environment"]
+
+[affected]
+os = ["linux"]
+
+[versions]
+patched = []

From 42844c4a9354695d99b6baebf28803ab505fef31 Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Wed, 22 Jan 2025 13:33:21 -0700
Subject: [PATCH 02/13] Update RUSTSEC-0000-0000.md

Surround the TOML data with code markers.
---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index c5e54197a..34447bc9d 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -1,3 +1,4 @@
+```
 [advisory]
 id = "RUSTSEC-0000-0000"
 package = "openssl-probe"
@@ -14,3 +15,4 @@ os = ["linux"]
 
 [versions]
 patched = []
+```

From 26f7af938ba72a54c5f29fba213ac8abd46a7f0d Mon Sep 17 00:00:00 2001
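Review bot: The `cvss` line rates the issue as network-reachable with low privileges (`AV:N` and `PR:L`), yet no hunk in this series describes a remote trigger; the defect described later in the prose is an in-process race between threads that read and write the environment. If the vector is meant to capture a remote peer causing TLS initialisation on a busy server, state that assumption in the prose; otherwise `AV:L` reflects the text better. `[affected] os = ["linux"]` likewise narrows the advisory to Linux while the prose added in patch 05 says the race will likely occur on any platform where `getenv`/`setenv` are not thread-safe; either drop the `os` key or qualify the claim in the text so tooling and readers agree.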
From: Matt Mastracci
Date: Wed, 22 Jan 2025 13:40:10 -0700
Subject: [PATCH 03/13] Update RUSTSEC-0000-0000.md

Add security prose
---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index 34447bc9d..1e0ee0902 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -16,3 +16,16 @@ os = ["linux"]
 [versions]
 patched = []
 ```
+
+# `openssl-probe` may cause memory corruption in multi-threaded processes
+
+`openssl-probe` offers non-`unsafe` methods that call environment setters, which may be called
+in a multithreaded environment, and potentially clash with environment access on other threads.
+
+When these methods are called while other threads are active and accessing the environment, it
+may cause the other threads to access dangling pointer values in the cases where the underlying
+environment data is moved or resized in response to an additional environment variable being
+added, or a variable's contents being enlarged.
+
+The affected function is `try_init_ssl_cert_env_vars` in
+.

From 2c95894980f78337662a4df276018f14eb995994 Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Wed, 22 Jan 2025 13:41:31 -0700
Subject: [PATCH 04/13] Update RUSTSEC-0000-0000.md

---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index 1e0ee0902..120f1e1db 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -1,4 +1,4 @@
-```
+```toml
 [advisory]
 id = "RUSTSEC-0000-0000"
 package = "openssl-probe"

From a285059e93be4d8e34d27623efa395bd125365c8 Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Thu, 23 Jan 2025 09:44:26 -0700
Subject: [PATCH 05/13] Update RUSTSEC-0000-0000.md

---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index 120f1e1db..db03915e5 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -10,11 +10,14 @@ categories = ["memory-corruption"]
 cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
 keywords = ["ssl", "openssl", "environment"]
 
+[affected.functions]
+"openssl_probe::try_init_ssl_cert_env_vars" = ["< 0.1.6"]
+
 [affected]
 os = ["linux"]
 
 [versions]
-patched = []
+patched = [">= 0.1.6"]
 ```
 
 # `openssl-probe` may cause memory corruption in multi-threaded processes
@@ -27,5 +30,10 @@ may cause the other threads to access dangling pointer values in the cases where the underlying
 environment data is moved or resized in response to an additional environment variable being
 added, or a variable's contents being enlarged.
 
+This is shown to occur on Linux, but it will also likely occur on any other platform where `getenv`
+and `setenv` are not thread-safe, though trigger conditions may vary widely.
+
 The affected function is `try_init_ssl_cert_env_vars` in
-.
+.
+
+The crate's author released a fix in versions `>=0.1.6` which marks these functions as `unsafe` and `#[deprecated]`.

From 7d475271bdf444d1b759c2e344ac1d060a2526ee Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Thu, 23 Jan 2025 09:56:46 -0700
Subject: [PATCH 06/13] Update RUSTSEC-0000-0000.md

---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index db03915e5..c111bd7b4 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
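Review bot: The new `[affected.functions]` table is defined before its parent `[affected]` (the `os = ["linux"]` table three lines below); TOML accepts child-before-parent, but the spec discourages it and it reads as though `[affected]` opens a second, unrelated table. Move the inserted lines under the parent so the block reads `[affected]`, `os = ["linux"]`, a blank line, then `[affected.functions]` and its entry. This hunk also sets `patched = [">= 0.1.6"]` while the prose added in the second hunk says that release only marks the functions `unsafe` and `#[deprecated]`; if the deprecated entry points remain callable in 0.1.6, say in the text that upgrading alone does not remove the unsound call path.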
@@ -33,7 +33,21 @@ added, or a variable's contents being enlarged.
 This is shown to occur on Linux, but it will also likely occur on any other platform where `getenv`
 and `setenv` are not thread-safe, though trigger conditions may vary widely.
 
+## Affected Code
+
 The affected function is `try_init_ssl_cert_env_vars` in
-.
+, and
+any other library's function which may call this function directly or indirectly
+. `native_tls <= 0.2.12` may
+do so in certain configurations .
 
 The crate's author released a fix in versions `>=0.1.6` which marks these functions as `unsafe` and `#[deprecated]`.
+
+## Alternative Mitigations
+
+In the case of glibc users, some thread-safety improvements may protect you from `setenv`/`getenv` clashes
+which were introduced in ,
+however direct `environ` access in multithreaded programs will still risk dangling pointer access.
+
+Users of other `libc` implementations should consult their sourcecode listings for thread-safety guarantees
+around multithreaded environment read/write access, though readers should be prepared to be disappointed.

From 83e428343ce1878398e2f57485909c2a35aac41a Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Thu, 23 Jan 2025 10:07:06 -0700
Subject: [PATCH 07/13] Update RUSTSEC-0000-0000.md

Update w/Alex's feedback.
---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index c111bd7b4..df77c28cc 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -12,7 +12,7 @@ keywords = ["ssl", "openssl", "environment"]
 
 [affected.functions]
 "openssl_probe::try_init_ssl_cert_env_vars" = ["< 0.1.6"]
-
+"
 [affected]
 os = ["linux"]
 
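Review bot: The closing sentence of the added `## Alternative Mitigations` section ("though readers should be prepared to be disappointed") editorialises in a document that `cargo audit` users will read as guidance; an advisory should state what is and is not guaranteed and stop there. Suggest `Users of other `libc` implementations should consult their source code for thread-safety guarantees around concurrent environment read/write access.` (this also fixes "sourcecode"). The `native_tls <= 0.2.12` sentence in the `## Affected Code` block is the only place a downstream crate and version range are named; if that range is confirmed, it belongs in machine-readable form (that crate's own advisory) rather than only in prose here.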
@@ -33,15 +33,26 @@ added, or a variable's contents being enlarged.
 This is shown to occur on Linux, but it will also likely occur on any other platform where `getenv`
 and `setenv` are not thread-safe, though trigger conditions may vary widely.
 
+## Rust's `set_env`
+
+This crate, and all callers of the Rust `set_env` function ()
+are unsound due to some early decisions in the Rust ecosystem that provided these functions without
+an `unsafe` marker. The real problem, however, lies in the POSIX standard which defines this method
+without making any sort of thread-safety guarantees.
+
+In Rust's 2024 edition these environment setters are made `unsafe` and the documentation was updated to note
+that the only safe way to use these functions is in a single-threaded context.
+
 ## Affected Code
 
-The affected function is `try_init_ssl_cert_env_vars` in
-, and
+The affected functions are `init_ssl_cert_env_vars` and `try_init_ssl_cert_env_vars` in
+ and , respectively, and
 any other library's function which may call this function directly or indirectly
-. `native_tls <= 0.2.12` may
+<[https://github.com/search?q=try_init_ssl_cert_env_vars&type=code](https://github.com/search?q=try_init_ssl_cert_env_vars+OR+init_ssl_cert_env_vars&type=code)>. `native_tls <= 0.2.12` may
 do so in certain configurations .
 
-The crate's author released a fix in versions `>=0.1.6` which marks these functions as `unsafe` and `#[deprecated]`.
+The crate's author released a fix in versions `>=0.1.6` which marks these functions as `#[deprecated]` and adds
+new `unsafe` equivalents .
 
 ## Alternative Mitigations
 

From baa0e08bbbd249de4b4eaf7c5d92087ef43689cc Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Thu, 23 Jan 2025 10:14:51 -0700
Subject: [PATCH 08/13] Update RUSTSEC-0000-0000.md

---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
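Review bot: The new heading "## Rust's `set_env`" and the sentence "This crate, and all callers of the Rust `set_env` function" name a function that does not exist in `std`; the setter the rest of the advisory (and patch 08) refers to is `std::env::set_var`, so these should read `## Rust's `set_var`` and `... callers of the Rust `std::env::set_var` function`. The same `set_env` spelling recurs in the text added by patch 10 (`calling `std::env::set_env``) and survives as context in patch 11, so fix it in all three places. Separately, `<[https://github.com/search?...](https://github.com/search?...)>` wraps a Markdown link in angle brackets, which renders the brackets literally; use the plain `[…](…)` form.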

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index df77c28cc..7169498dc 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -22,25 +22,28 @@ patched = [">= 0.1.6"]
 
 # `openssl-probe` may cause memory corruption in multi-threaded processes
 
-`openssl-probe` offers non-`unsafe` methods that call environment setters, which may be called
+`openssl-probe` offers non-`unsafe` methods that call `std::env::set_var`, which may be called
 in a multithreaded environment, and potentially clash with environment access on other threads.
 
 When these methods are called while other threads are active and accessing the environment, it
-may cause the other threads to access dangling pointer values in the cases where the underlying
+may cause other threads to access dangling environment pointers in the cases where the underlying
 environment data is moved or resized in response to an additional environment variable being
 added, or a variable's contents being enlarged.
 
 This is shown to occur on Linux, but it will also likely occur on any other platform where `getenv`
 and `setenv` are not thread-safe, though trigger conditions may vary widely.
 
+Note that these function calls are completely safe and sound in purely single-threaded environments,
+or multi-threaded environments where it can be proven that no simultaneous read and writes to the
+environment occur.
+
 ## Rust's `set_env`
 
-This crate, and all callers of the Rust `set_env` function ()
-are unsound due to some early decisions in the Rust ecosystem that provided these functions without
-an `unsafe` marker. The real problem, however, lies in the POSIX standard which defines this method
+This crate, and all other callers of the Rust `set_env` function ()
+are unsound due to the unfortunate reality of the POSIX standard which defines these enviornment access methods
 without making any sort of thread-safety guarantees.
 
-In Rust's 2024 edition these environment setters are made `unsafe` and the documentation was updated to note
+In Rust's 2024 edition `std::env::set_var` is marked as `unsafe` and the documentation was updated to note
 that the only safe way to use these functions is in a single-threaded context.
 
 ## Affected Code
@@ -52,11 +55,11 @@ any other library's function which may call this function directly or indirectly
 do so in certain configurations .
 
 The crate's author released a fix in versions `>=0.1.6` which marks these functions as `#[deprecated]` and adds
-new `unsafe` equivalents .
+new `unsafe` equivalents with safety guidance .
 
 ## Alternative Mitigations
 
-In the case of glibc users, some thread-safety improvements may protect you from `setenv`/`getenv` clashes
+In the case of glibc users, some future thread-safety improvements may protect you from `setenv`/`getenv` clashes
 which were introduced in ,
 however direct `environ` access in multithreaded programs will still risk dangling pointer access.
 

From ece1d78c571f9b1df5484fe3e9515f207ee92bcf Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Thu, 23 Jan 2025 10:17:29 -0700
Subject: [PATCH 09/13] Update RUSTSEC-0000-0000.md

Revert cat-on-keyboard issue and clarify text
---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index 7169498dc..5453988f0 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -12,7 +12,8 @@ keywords = ["ssl", "openssl", "environment"]
 
 [affected.functions]
 "openssl_probe::try_init_ssl_cert_env_vars" = ["< 0.1.6"]
-"
+"openssl_probe::init_ssl_cert_env_vars" = ["< 0.1.6"]
+
 [affected]
 os = ["linux"]
 
@@ -50,7 +51,7 @@ that the only safe way to use these functions is in a single-threaded context.
 
 The affected functions are `init_ssl_cert_env_vars` and `try_init_ssl_cert_env_vars` in
  and , respectively, and
-any other library's function which may call this function directly or indirectly
+any other crate's call-graph which may call this function directly or indirectly
 <[https://github.com/search?q=try_init_ssl_cert_env_vars&type=code](https://github.com/search?q=try_init_ssl_cert_env_vars+OR+init_ssl_cert_env_vars&type=code)>. `native_tls <= 0.2.12` may
 do so in certain configurations .
 

From 09303e99550a7647144642f1467b53898f577431 Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Thu, 23 Jan 2025 11:43:03 -0700
Subject: [PATCH 10/13] Update RUSTSEC-0000-0000.md

Clarification
---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index 5453988f0..7becd8b69 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -25,8 +25,15 @@ patched = [">= 0.1.6"]
 
 `openssl-probe` offers non-`unsafe` methods that call `std::env::set_var`, which may be called
 in a multithreaded environment, and potentially clash with environment access on other threads.
-
-When these methods are called while other threads are active and accessing the environment, it
+In pure Rust code, concurrent read and write access to the environment is actually safe due to a lock
+taken in the platform implementations of the environment accessors (the documentation does not
+state this, and it's possible it _could_ change in the future). Libraries using other runtimes
+(including Python, those written in pure C and others) do not make use of these internal Rust
+environment locks, however, and instead use their own locks, or unprotected raw access to `libc`'s
+`getenv`, `setenv`, or even worse, `char** environ`.
+
+When these methods in `openssl-probe` (or that matter, any other pure Rust code calling `std::env::set_env`)
+are called while other threads are active and accessing the environment, it
 may cause other threads to access dangling environment pointers in the cases where the underlying
 environment data is moved or resized in response to an additional environment variable being
 added, or a variable's contents being enlarged.

From 88789ba3a6010ee77dd8f1abc81d797d7a628455 Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Thu, 30 Jan 2025 17:17:44 -0500
Subject: [PATCH 11/13] Update crates/openssl-probe/RUSTSEC-0000-0000.md

Co-authored-by: pvichivanives <141073394+pvichivanives@users.noreply.github.com>
---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index 7becd8b69..b464314b6 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
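Review bot: The hunk deletes the blank line between `...environment access on other threads.` and the new `In pure Rust code, ...` paragraph (the lone `-` at the top of the hunk), so in Markdown the new text is folded into the preceding paragraph; put a blank `+` line back before `+In pure Rust code`. `(or that matter, any other pure Rust code ...)` is missing a word and should read `(or for that matter, ...)`. The paragraph asserts that concurrent access is safe in pure Rust because of a lock in the platform implementations while the same sentence says the documentation does not state it; link the std source this was checked against so a reader can re-verify it when std changes, and note that the guarantee covers only code going through `std::env`, which the following sentence about other runtimes already implies.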
@@ -48,7 +48,7 @@ environment occur.
 ## Rust's `set_env`
 
 This crate, and all other callers of the Rust `set_env` function ()
-are unsound due to the unfortunate reality of the POSIX standard which defines these enviornment access methods
+are unsound due to the unfortunate reality of the POSIX standard which defines these environment access methods
 without making any sort of thread-safety guarantees.
 
 In Rust's 2024 edition `std::env::set_var` is marked as `unsafe` and the documentation was updated to note

From 874bdda3a8e7f9cef0fd2c75cfc830171923337f Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Thu, 30 Jan 2025 17:26:22 -0500
Subject: [PATCH 12/13] Update RUSTSEC-0000-0000.md

Show correct mitigation
---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index b464314b6..ab71fc6c3 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
@@ -62,10 +62,17 @@ any other crate's call-graph which may call this function directly or indirectly
 <[https://github.com/search?q=try_init_ssl_cert_env_vars&type=code](https://github.com/search?q=try_init_ssl_cert_env_vars+OR+init_ssl_cert_env_vars&type=code)>. `native_tls <= 0.2.12` may
 do so in certain configurations .
 
+## Fix and Mitigation
+
 The crate's author released a fix in versions `>=0.1.6` which marks these functions as `#[deprecated]` and adds
 new `unsafe` equivalents with safety guidance .
 
-## Alternative Mitigations
+The correct fix is to [use the new `load_verify_locations` method available in `openssl` >= 0.10.69](https://docs.rs/openssl/latest/openssl/ssl/struct.SslConnectorBuilder.html#method.load_verify_locations):
+
+ - https://github.com/neonmoe/minreq/commit/4bc16dba61ae19e3f81de33b80c8a3c0c8a33a0d
+ - https://github.com/sfackler/rust-native-tls/commit/a35127a5cc6d0519c4d6b4dce1fb14ab945ad347
+
+### Alternative Mitigations
 
 In the case of glibc users, some future thread-safety improvements may protect you from `setenv`/`getenv` clashes
 which were introduced in ,

From f079478e175426a90134595952d969580036f4f7 Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Thu, 30 Jan 2025 17:29:03 -0500
Subject: [PATCH 13/13] Update RUSTSEC-0000-0000.md

---
 crates/openssl-probe/RUSTSEC-0000-0000.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crates/openssl-probe/RUSTSEC-0000-0000.md b/crates/openssl-probe/RUSTSEC-0000-0000.md
index ab71fc6c3..2bb7f214f 100644
--- a/crates/openssl-probe/RUSTSEC-0000-0000.md
+++ b/crates/openssl-probe/RUSTSEC-0000-0000.md
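Review bot: The new `## Fix and Mitigation` section presents two different fixes without relating them: the first paragraph says the crate author's `>=0.1.6` release is the fix, and the next says the correct fix is for callers to switch to `load_verify_locations`. Since 0.1.6 is described in patch 07 as only deprecating the old functions and adding `unsafe` equivalents, a dependent that upgrades `openssl-probe` but keeps calling the deprecated functions presumably still has the unsound path, while `[versions] patched = [">= 0.1.6"]` in the front matter (outside this hunk) tells tooling the upgrade alone suffices; state explicitly that upgrading is necessary but callers must also migrate, or tighten `patched` to match. The two example commits are bare URLs in a list; naming the crate and the released version each landed in would let readers act on them without opening GitHub.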
@@ -67,7 +67,8 @@ do so in certain configurations =0.1.6` which marks these functions as `#[deprecated]` and adds new `unsafe` equivalents with safety guidance . -The correct fix is to [use the new `load_verify_locations` method available in `openssl` >= 0.10.69](https://docs.rs/openssl/latest/openssl/ssl/struct.SslConnectorBuilder.html#method.load_verify_locations): +The correct fix is to use the safe `openssl_probe::probe` method to fetch the certificate location, and pass that to +[the new `load_verify_locations` method](https://docs.rs/openssl/latest/openssl/ssl/struct.SslConnectorBuilder.html#method.load_verify_locations) available in `openssl` >= 0.10.69: - https://github.com/neonmoe/minreq/commit/4bc16dba61ae19e3f81de33b80c8a3c0c8a33a0d - https://github.com/sfackler/rust-native-tls/commit/a35127a5cc6d0519c4d6b4dce1fb14ab945ad347