[Pkg-rust-maintainers] Bug#1025821: rust-capnp: CVE-2022-46149

tony mancill tmancill at debian.org
Mon Dec 19 15:11:17 GMT 2022


Hi,

On Fri, Dec 09, 2022 at 11:08:56PM +0100, Salvatore Bonaccorso wrote:
> Source: rust-capnp
> Version: 0.14.7-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for rust-capnp.
> 
> CVE-2022-46149[0]:
> | Cap'n Proto is a data interchange format and remote procedure call
> | (RPC) system. Cap'n Proto prior to versions 0.7.1, 0.8.1, 0.9.2, and
> | 0.10.3, as well as versions of Cap'n Proto's Rust implementation prior
> | to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read
> | due to logic error handling list-of-list. This issue may lead someone
> | to remotely segfault a peer by sending it a malicious message, if the
> | victim performs certain actions on a list-of-pointer type.
> | Exfiltration of memory is possible if the victim performs additional
> | certain actions on a list-of-pointer type. To be vulnerable, an
> | application must perform a specific sequence of actions, described in
> | the GitHub Security Advisory. The bug is present in inlined code,
> | therefore the fix will require rebuilding dependent applications.
> | Cap'n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2,
> | and 0.10.3. The `capnp` Rust crate has fixes available in versions
> | 0.13.7, 0.14.11, and 0.15.2.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2022-46149
>     https://www.cve.org/CVERecord?id=CVE-2022-46149
> [1] https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx
> [2] https://rustsec.org/advisories/RUSTSEC-2022-0068.html

I have prepared an upload of rust-capnp 0.14.11 to address the
vulnerability.  I reached out to the Uploaders on December 8th with my
offer to upload the new version, but have not received a response.

If there are no objections, I intend to perform a delayed NMU with the
update on December 20th.

Thank you,
tony
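Because the advisory notes the bug lives in inlined code, a fixed `capnp` crate only helps once every dependent is rebuilt. The script below is an added example, not part of this thread or of Debian's tooling: it scans a Cargo.lock for `capnp` versions below the fixed releases the advisory lists (0.13.7, 0.14.11, 0.15.2) and reports which crates in the lock file transitively depend on it and so need rebuilding. The lock-file contents and crate names are constructed for illustration.

```python
"""Audit a Cargo.lock for CVE-2022-46149 (capnp crate) and list the crates
that must be rebuilt because the fix is in inlined code."""
import re

# Fixed version per release series, as stated in the advisory.
FIXED = {(0, 13): (0, 13, 7), (0, 14): (0, 14, 11), (0, 15): (0, 15, 2)}


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(version):
    """Everything before 0.13.7 is affected, as is any 0.13/0.14/0.15
    release older than the fix for its own series."""
    v = parse_version(version)
    return v < (0, 13, 7) or v < FIXED.get(v[:2], (0, 0, 0))


def parse_cargo_lock(text):
    """Minimal reader for the [[package]] blocks of a Cargo.lock."""
    pkgs = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps_m = re.search(r"^dependencies = \[(.*?)\]", block, re.M | re.S)
        # Entries look like "capnp" or "capnp 0.14.7"; keep only the crate name.
        deps = re.findall(r'"([^" ]+)', deps_m.group(1)) if deps_m else []
        pkgs.append({"name": name, "version": version, "deps": deps})
    return pkgs


def audit(lock_text):
    pkgs = parse_cargo_lock(lock_text)
    bad = [p["version"] for p in pkgs
           if p["name"] == "capnp" and is_vulnerable(p["version"])]
    if not bad:
        return {"vulnerable_versions": [], "rebuild": []}
    # Transitive reverse dependencies all carry the inlined capnp code.
    need, changed = {"capnp"}, True
    while changed:
        changed = False
        for p in pkgs:
            if p["name"] not in need and any(d in need for d in p["deps"]):
                need.add(p["name"])
                changed = True
    need.discard("capnp")
    return {"vulnerable_versions": bad, "rebuild": sorted(need)}


# Constructed sample lock file (not a real project).
SAMPLE_LOCK = """[[package]]\nname = "capnp"\nversion = "0.14.7"\n
[[package]]\nname = "my-rpc-lib"\nversion = "0.1.0"\ndependencies = [\n "capnp",\n]\n
[[package]]\nname = "my-app"\nversion = "1.2.0"\ndependencies = [\n "my-rpc-lib",\n "serde",\n]\n
[[package]]\nname = "serde"\nversion = "1.0.150"\n"""

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK))
```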