
CVE-2024-0727: Null pointer dereference in PKCS12 parsing

CVSS Score (v3.1): 5.5

Basic Information

EPSS Score: 0.55497%
Published: 1/26/2024
Updated: 10/14/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
cryptography   pip         < 42.0.2              42.0.2

Vulnerability Intelligence

Root Cause Analysis

CVE-2024-0727 is a NULL pointer dereference in OpenSSL's PKCS12 parsing logic. The PKCS12 specification allows certain fields to be NULL, and the affected OpenSSL routines did not check for that before dereferencing them, so a maliciously formatted PKCS12 file crashes the process. The OpenSSL functions identified as vulnerable are PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). The cryptography package does not contain the bug itself: it is affected through the OpenSSL it is linked against (the copy bundled in its binary wheels, or the system library for source builds). The cryptography commit 3519591d255d4506fbcd0d04037d45271903c64d updates the OpenSSL versions used in its CI environment, which indicates that cryptography mitigates this issue by shipping a patched OpenSSL rather than by changing its own Python code. The vulnerable functions within cryptography are therefore the Python wrappers that call the affected OpenSSL C APIs for PKCS12 processing: cryptography.hazmat.primitives.serialization.pkcs12.load_key_and_certificates and cryptography.hazmat.primitives.serialization.pkcs12.load_pkcs12 are the primary interfaces for handling PKCS12 files and are the entry points for triggering the vulnerability with an affected OpenSSL. The crash occurs in the OpenSSL C code and surfaces as a fatal signal rather than a catchable Python exception, with these Python functions present in the call stack leading to the crash. A cryptography build at or above 42.0.2 that was compiled against an unpatched system OpenSSL remains exposed, so the linked OpenSSL version, not only the package version, is what needs checking.
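The paragraph above identifies two facts a practitioner can act on: the fix arrives via the linked OpenSSL rather than the Python code, and the failure mode is an uncatchable crash inside the C library. The following added example (written for this page, not Miggo's or the cryptography project's own code) turns both into checks: a version gate that reads the OpenSSL version cryptography actually bundles via backend.openssl_version_text(), and a loader that runs load_key_and_certificates in a throwaway child process so a NULL dereference on a crafted file is reported as a result instead of terminating the caller. The fixed OpenSSL releases per branch (3.0.13, 3.1.5, 3.2.1) come from the OpenSSL advisory; treating the 1.1.1 and 1.0.2 branches as unpatched is a conservative assumption made here, as their fixes were only offered to premium-support customers. The sample input is constructed junk, not a real PKCS#12 file.

```python
"""Gate and isolate PKCS#12 parsing for CVE-2024-0727.

Added example, not code from Miggo or the cryptography project.
  1. Version gates: is the installed cryptography >= 42.0.2, and is the OpenSSL it
     is really linked against at or above its branch's fixed release?
  2. Process isolation: a NULL dereference inside OpenSSL kills the interpreter
     with a signal Python cannot catch, so untrusted PKCS#12 input is parsed in a
     child process and a crash becomes a return value.
"""
import base64
import json
import re
import subprocess
import sys
from typing import Optional

FIXED_CRYPTOGRAPHY = (42, 0, 2)  # first cryptography release shipping a patched OpenSSL
# First release per publicly supported OpenSSL 3.x branch that fixes CVE-2024-0727.
# 1.1.1 / 1.0.2 got fixes only for premium-support customers: treated as unpatched
# here (conservative assumption); 3.3+ was released after the fix.
FIXED_OPENSSL = {(3, 0): (3, 0, 13), (3, 1): (3, 1, 5), (3, 2): (3, 2, 1)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def _parse_version(text: str) -> tuple:
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def cryptography_is_patched(version: str) -> bool:
    """True when the cryptography package version is >= 42.0.2."""
    return _parse_version(version) >= FIXED_CRYPTOGRAPHY


def openssl_is_patched(version_text: str) -> bool:
    """True when a string such as 'OpenSSL 3.2.0 23 Nov 2023' names a fixed release."""
    v = _parse_version(version_text)
    if v >= (3, 3, 0):
        return True
    fixed = FIXED_OPENSSL.get(v[:2])
    return fixed is not None and v >= fixed


def installed_status() -> dict:
    """Report the installed cryptography and the OpenSSL it bundles (None if absent).

    The linked OpenSSL is authoritative: a source build of cryptography 42.0.2+
    against an old system OpenSSL still carries the bug. ssl.OPENSSL_VERSION is the
    interpreter's OpenSSL, not necessarily the one cryptography wheels bundle.
    """
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl.backend import backend
    except ImportError:
        return {"cryptography": None, "openssl": None, "patched": None}
    openssl_v = backend.openssl_version_text()
    return {"cryptography": cryptography.__version__, "openssl": openssl_v,
            "patched": openssl_is_patched(openssl_v)}


# Child-process body: the only place the vulnerable entry point is invoked.
_WORKER = r"""
import base64, json, sys
try:
    from cryptography.hazmat.primitives.serialization import pkcs12
except ImportError as exc:
    print(json.dumps({"ok": False, "reason": "import", "error": str(exc)})); sys.exit(2)
req = json.loads(sys.stdin.read())
data = base64.b64decode(req["data"])
pw = req["password"].encode() if req["password"] is not None else None
try:
    key, cert, chain = pkcs12.load_key_and_certificates(data, pw)  # CVE-2024-0727 entry point
except Exception as exc:
    print(json.dumps({"ok": False, "reason": "rejected", "error": repr(exc)})); sys.exit(1)
print(json.dumps({"ok": True, "has_key": key is not None,
                  "subject": cert.subject.rfc4514_string() if cert else None,
                  "chain_len": len(chain)}))
"""


def load_pkcs12_isolated(data: bytes, password: Optional[str] = None,
                         timeout: float = 10.0) -> dict:
    """Parse an untrusted PKCS#12 blob in a child process; never crashes the caller."""
    req = json.dumps({"data": base64.b64encode(data).decode("ascii"), "password": password})
    try:
        proc = subprocess.run([sys.executable, "-c", _WORKER], input=req.encode(),
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "timeout"}
    except OSError as exc:
        return {"ok": False, "reason": "spawn_failed", "error": str(exc)}
    if proc.returncode < 0:  # POSIX: killed by a signal, e.g. -11 for SIGSEGV
        return {"ok": False, "reason": "crashed", "signal": -proc.returncode}
    try:
        return json.loads(proc.stdout.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return {"ok": False, "reason": "worker_error", "returncode": proc.returncode,
                "stderr": proc.stderr.decode("utf-8", "replace")[-400:]}


if __name__ == "__main__":
    print(installed_status())
    # Constructed sample: junk bytes, not a real PKCS#12 file.
    print(load_pkcs12_isolated(b"\x30\x03\x02\x01\x03not-a-pkcs12", None))
```

The isolation wrapper costs an interpreter start per file, which is acceptable for occasional certificate imports but not for a hot path; the version gate is the cheap control to run at service start-up or in a deployment check. On Windows a crashed child reports a large positive exit code rather than a negative one, so the signal check above is POSIX-specific.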


WAF Protection Rules

WAF Rule

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack.
Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.
