Your message dated Sun, 25 Dec 2022 16:05:45 +0000
with message-id <[email protected]>
and subject line Bug#1025821: fixed in rust-capnp 0.14.11-1.1
has caused the Debian Bug report #1025821,
regarding rust-capnp: CVE-2022-46149
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1025821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025821
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-capnp
Version: 0.14.7-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rust-capnp.

CVE-2022-46149[0]:
| Cap'n Proto is a data interchange format and remote procedure call
| (RPC) system. Cap'n Proto prior to versions 0.7.1, 0.8.1, 0.9.2, and
| 0.10.3, as well as versions of Cap'n Proto's Rust implementation prior
| to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read
| due to logic error handling list-of-list. This issue may lead someone
| to remotely segfault a peer by sending it a malicious message, if the
| victim performs certain actions on a list-of-pointer type.
| Exfiltration of memory is possible if the victim performs additional
| certain actions on a list-of-pointer type. To be vulnerable, an
| application must perform a specific sequence of actions, described in
| the GitHub Security Advisory. The bug is present in inlined code,
| therefore the fix will require rebuilding dependent applications.
| Cap'n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2,
| and 0.10.3. The `capnp` Rust crate has fixes available in versions
| 0.13.7, 0.14.11, and 0.15.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46149
    https://www.cve.org/CVERecord?id=CVE-2022-46149
[1] https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx
[2] https://rustsec.org/advisories/RUSTSEC-2022-0068.html

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: rust-capnp
Source-Version: 0.14.11-1.1
Done: tony mancill <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rust-capnp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated rust-capnp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Dec 2022 06:40:06 -0800
Source: rust-capnp
Architecture: source
Version: 0.14.11-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1025821
Changes:
 rust-capnp (0.14.11-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream version 0.14.11
   * Source upload
   * Package capnp 0.14.11 from crates.io using debcargo 2.5.0
     Addresses CVE-2022-46149 (Closes: #1025821)


--- End Message ---
