TROVE-2024-009: openssl undefined behavior in MemBio::get_buf

In openssl < 0.10.66, MemBio::get_buf has UB when called on an empty BIO. See RUSTSEC-2024-0357.

This was addressed in !2276 (merged). This ticket is just for discussing RUSTSEC-2024-0357's impact on arti, and whether we need a TROVE for it.

MemBio doesn't seem to be exported in the openssl crate's public API (despite being pub), but MemBio::get_buf is used internally (in openssl) in several places:

  • the Display impls of ASN.1 time structures (used by the X509 cert building functions)
  • to convert private keys to DER-formatted PKCS#8
  • various PKCS#7/CMS processing functions
  • the to_pem() impls of multiple different key types

According to the RUSTSEC report, the invariant violation from MemBio::get_buf would manifest itself as a panic (assertion failure) in debug builds. AFAICT, we never hit that code path in our tests (and I haven't seen it in my manual testing either). This suggests there is a decent chance we are not affected, but given the number of places where MemBio::get_buf is used, I'm not sure it's actually impossible to exercise the unhappy UB-ridden path. So IOW, I think there should be a TROVE for it.

cc @Diziet @nickm
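To illustrate the class of bug discussed above, here is an added example (not code from the openssl crate or from arti) contrasting an unchecked pointer-to-slice conversion with a guarded one. `RawBuf` and its methods are hypothetical stand-ins for a C-owned buffer that reports a NULL data pointer while empty, which is the situation RUSTSEC-2024-0357 describes for an empty BIO.

```rust
use std::{ptr, slice};

/// Constructed stand-in for a C-owned memory buffer that reports (NULL, 0)
/// while empty. Hypothetical type, not the openssl crate's MemBio.
struct RawBuf {
    data: *mut u8,
    len: usize,
}

impl RawBuf {
    fn empty() -> Self {
        RawBuf { data: ptr::null_mut(), len: 0 }
    }

    fn from_bytes(bytes: &[u8]) -> Self {
        if bytes.is_empty() {
            return Self::empty();
        }
        let boxed: Box<[u8]> = bytes.into();
        RawBuf { len: boxed.len(), data: Box::into_raw(boxed) as *mut u8 }
    }

    /// Unsound: `slice::from_raw_parts` requires a non-null, aligned pointer
    /// even for len == 0, so this is UB on an empty buffer. Never called here.
    #[allow(dead_code)]
    unsafe fn get_buf_unchecked(&self) -> &[u8] {
        unsafe { slice::from_raw_parts(self.data as *const u8, self.len) }
    }

    /// Sound: return a static empty slice instead of passing NULL along.
    fn get_buf(&self) -> &[u8] {
        if self.data.is_null() || self.len == 0 {
            return &[];
        }
        unsafe { slice::from_raw_parts(self.data as *const u8, self.len) }
    }
}

impl Drop for RawBuf {
    fn drop(&mut self) {
        if !self.data.is_null() {
            // Rebuild the Box<[u8]> so the allocation is released.
            let raw = ptr::slice_from_raw_parts_mut(self.data, self.len);
            unsafe { drop(Box::from_raw(raw)) };
        }
    }
}

fn main() {
    assert!(RawBuf::empty().get_buf().is_empty());
    let pem = RawBuf::from_bytes(b"-----BEGIN PRIVATE KEY-----");
    assert_eq!(pem.get_buf().len(), 27);
}
```

Because the unchecked variant only misbehaves when the buffer is empty, tests that always write to the buffer first will not exercise it.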