Same code vulnerable to RUSTSEC-2023-0024
shinmao opened this issue · 0 comments
shinmao commented
The code of `X509Extension::new` at line 759 is also vulnerable to the null pointer dereference and should apply the patch based on RUSTSEC-2023-0024.
```rust
pub fn new(
    ...
) -> Result<X509Extension, ErrorStack> {
    ...
    unsafe {
        ffi::init();
        let conf = conf.map_or(ptr::null_mut(), ConfRef::as_ptr);
        let context = context.map_or(ptr::null_mut(), X509v3Context::as_ptr); // should be patched
        let name = name.as_ptr() as *mut _;
        let value = value.as_ptr() as *mut _;
        cvt_p(ffi::X509V3_EXT_nconf(conf, context, name, value))
            .map(|p| X509Extension::from_ptr(p))
    }
}
```
Do you think it should be reported to RUSTSEC because they are actually different crates (boring vs. openssl)?
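For readers comparing the flagged line with the RUSTSEC-2023-0024 fix, the following added example (not code from the boring crate or from the issue author) models the `Option<&X509v3Context>` to raw pointer boundary with a constructed stand-in for the C side, and shows the hardened pattern: hand the callee a zeroed, valid context instead of NULL. `X509V3Ctx`, `ext_nconf_stub`, `new_vulnerable` and `new_hardened` are all constructed for this illustration and do not match BoringSSL's real struct layout.

```rust
// Added example: models the Option -> raw pointer boundary from the issue with
// a constructed stand-in for X509V3_EXT_nconf, and shows the fix pattern used
// for RUSTSEC-2023-0024 (pass a zeroed, valid context instead of NULL).
use std::mem::MaybeUninit;
use std::ptr;

/// Constructed stand-in for BoringSSL's X509V3_CTX (real layout differs).
#[repr(C)]
pub struct X509V3Ctx {
    pub flags: i32,
    pub issuer_cert: *mut u8,
    pub subject_cert: *mut u8,
}

/// Safe-side wrapper, standing in for the crate's `X509v3Context`.
pub struct X509v3Context(pub X509V3Ctx);

/// Constructed stand-in for X509V3_EXT_nconf: like the C code it trusts `ctx`
/// to be valid and reads through it; a NULL `ctx` crashes here.
/// Returns 1 on success, 0 when the context carries no subject cert to use.
pub unsafe fn ext_nconf_stub(ctx: *mut X509V3Ctx, _name: *const u8, _value: *const u8) -> i32 {
    let c = &*ctx; // null pointer dereference if ctx is NULL: the reported bug
    if c.subject_cert.is_null() { 0 } else { 1 }
}

/// Vulnerable shape, as in the issue: `None` is turned into a NULL pointer.
/// Calling this with `None` is undefined behaviour (a crash in practice).
pub fn new_vulnerable(context: Option<&mut X509v3Context>) -> Result<(), &'static str> {
    let ctx = context.map_or(ptr::null_mut(), |c| &mut c.0 as *mut _);
    let rc = unsafe { ext_nconf_stub(ctx, ptr::null(), ptr::null()) };
    if rc == 1 { Ok(()) } else { Err("extension needs a context") }
}

/// Hardened shape: when no context is supplied, a zeroed one lives on the
/// stack for the duration of the call, so the callee never sees NULL and
/// context-dependent extensions fail with an error instead of a crash.
pub fn new_hardened(context: Option<&mut X509v3Context>) -> Result<(), &'static str> {
    let mut fallback = MaybeUninit::<X509V3Ctx>::zeroed();
    let ctx: *mut X509V3Ctx = match context {
        Some(c) => &mut c.0,
        None => fallback.as_mut_ptr(),
    };
    let rc = unsafe { ext_nconf_stub(ctx, ptr::null(), ptr::null()) };
    if rc == 1 { Ok(()) } else { Err("extension needs a context") }
}
```

With `None`, the hardened wrapper returns `Err` where the vulnerable one would dereference NULL; with a real context both behave the same.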