Your message dated Sat, 25 Nov 2023 17:34:01 +0000
with message-id <[email protected]>
and subject line Bug#1056615: fixed in capnproto 1.0.1-3
has caused the Debian Bug report #1056615,
regarding capnproto: CVE-2023-48230: WebSocket message can cause crash
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1056615: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056615
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: capnproto
Version: 1.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for capnproto.
CVE-2023-48230[0]:
| Cap'n Proto is a data interchange format and capability-based RPC
| system. In versions 1.0 and 1.0.1, when using the KJ HTTP library
| with WebSocket compression enabled, a buffer underrun can be caused
| by a remote peer. The underrun always writes a constant value that
| is not attacker-controlled, likely resulting in a crash, enabling a
| remote denial-of-service attack. Most Cap'n Proto and KJ users are
| unlikely to have this functionality enabled and so unlikely to be
| affected. Maintainers suspect only the Cloudflare Workers Runtime is
| affected. If KJ HTTP is used with WebSocket compression enabled, a
| malicious peer may be able to cause a buffer underrun on a heap-
| allocated buffer. KJ HTTP is an optional library bundled with Cap'n
| Proto, but is not directly used by Cap'n Proto. WebSocket
| compression is disabled by default. It must be enabled via a setting
| passed to the KJ HTTP library via `HttpClientSettings` or
| `HttpServerSettings`. The bytes written out-of-bounds are always a
| specific constant 4-byte string `{ 0x00, 0x00, 0xFF, 0xFF }`.
| Because this string is not controlled by the attacker, maintainers
| believe it is unlikely that remote code execution is possible.
| However, it cannot be ruled out. This functionality first appeared
| in Cap'n Proto 1.0. Previous versions are not affected. This issue
| is fixed in Cap'n Proto 1.0.1.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-48230
    https://www.cve.org/CVERecord?id=CVE-2023-48230
[1] https://github.com/capnproto/capnproto/security/advisories/GHSA-r89h-f468-62w3
[2] https://github.com/capnproto/capnproto/commit/5d5d734b0350c6f2e36c3155753e6a19fbfeda9a
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: capnproto
Source-Version: 1.0.1-3
Done: tony mancill <[email protected]>
We believe that the bug you reported is fixed in the latest version of
capnproto, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated capnproto package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 24 Nov 2023 21:14:08 -0800
Source: capnproto
Architecture: source
Version: 1.0.1-3
Distribution: unstable
Urgency: medium
Maintainer: Tom Lee <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 1056615
Changes:
capnproto (1.0.1-3) unstable; urgency=medium
.
* Add upstream patch to resolve CVE-2023-48230 (Closes: #1056615)
Debian's patched 1.0.1 is equivalent to upstream 1.0.1.1.
--- End Message ---