Bug#1056615: capnproto: CVE-2023-48230: WebSocket message can cause crash
Hi Tony,

On Fri, Nov 24, 2023 at 11:04:07AM -0800, tony mancill wrote:
> On Thu, Nov 23, 2023 at 10:42:24PM +0100, Salvatore Bonaccorso wrote:
> > Source: capnproto
> > Version: 1.0.1-1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
> > Hi,
> >
> > The following vulnerability was published for capnproto.
> >
> > CVE-2023-48230[0]:
> >
> > (SNIP)
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-48230
> >     https://www.cve.org/CVERecord?id=CVE-2023-48230
> > [1] https://github.com/capnproto/capnproto/security/advisories/GHSA-r89h-f468-62w3
> > [2] https://github.com/capnproto/capnproto/commit/5d5d734b0350c6f2e36c3155753e6a19fbfeda9a
>
> Thank you for the bug report and for the Security Tracker entry.
>
> I have prepared a package for 1.0.1.1, but want to take a moment before
> uploading to experimental to consider whether there is a way to patch
> the vulnerability in 1.0.1 and thereby not have to perform a transition
> from 1.0.1 -> 1.0.1.1.

Sure, take the time required for it.

Regards,
Salvatore
Bug#1056615: capnproto: CVE-2023-48230: WebSocket message can cause crash
On Thu, Nov 23, 2023 at 10:42:24PM +0100, Salvatore Bonaccorso wrote:
> Source: capnproto
> Version: 1.0.1-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
> Hi,
>
> The following vulnerability was published for capnproto.
>
> CVE-2023-48230[0]:
>
> (SNIP)
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-48230
>     https://www.cve.org/CVERecord?id=CVE-2023-48230
> [1] https://github.com/capnproto/capnproto/security/advisories/GHSA-r89h-f468-62w3
> [2] https://github.com/capnproto/capnproto/commit/5d5d734b0350c6f2e36c3155753e6a19fbfeda9a

Thank you for the bug report and for the Security Tracker entry.

I have prepared a package for 1.0.1.1, but want to take a moment before
uploading to experimental to consider whether there is a way to patch
the vulnerability in 1.0.1 and thereby not have to perform a transition
from 1.0.1 -> 1.0.1.1.

Cheers,
tony
Bug#1056615: capnproto: CVE-2023-48230: WebSocket message can cause crash
Source: capnproto
Version: 1.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for capnproto.

CVE-2023-48230[0]:
| Cap'n Proto is a data interchange format and capability-based RPC
| system. In versions 1.0 and 1.0.1, when using the KJ HTTP library
| with WebSocket compression enabled, a buffer underrun can be caused
| by a remote peer. The underrun always writes a constant value that
| is not attacker-controlled, likely resulting in a crash, enabling a
| remote denial-of-service attack. Most Cap'n Proto and KJ users are
| unlikely to have this functionality enabled and so unlikely to be
| affected. Maintainers suspect only the Cloudflare Workers Runtime is
| affected. If KJ HTTP is used with WebSocket compression enabled, a
| malicious peer may be able to cause a buffer underrun on a heap-
| allocated buffer. KJ HTTP is an optional library bundled with Cap'n
| Proto, but is not directly used by Cap'n Proto. WebSocket
| compression is disabled by default. It must be enabled via a setting
| passed to the KJ HTTP library via `HttpClientSettings` or
| `HttpServerSettings`. The bytes written out-of-bounds are always a
| specific constant 4-byte string `{ 0x00, 0x00, 0xFF, 0xFF }`.
| Because this string is not controlled by the attacker, maintainers
| believe it is unlikely that remote code execution is possible.
| However, it cannot be ruled out. This functionality first appeared
| in Cap'n Proto 1.0. Previous versions are not affected. This issue
| is fixed in Cap'n Proto 1.0.1.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48230
    https://www.cve.org/CVERecord?id=CVE-2023-48230
[1] https://github.com/capnproto/capnproto/security/advisories/GHSA-r89h-f468-62w3
[2] https://github.com/capnproto/capnproto/commit/5d5d734b0350c6f2e36c3155753e6a19fbfeda9a

Regards,
Salvatore
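The advisory quoted above describes a heap buffer underrun in KJ HTTP's WebSocket compression path that writes the 4-byte deflate sync-flush trailer `{ 0x00, 0x00, 0xFF, 0xFF }` out of bounds. The C below is an added illustration of that bug class from the defender's side, written for this thread rather than taken from KJ or from the upstream fix: it implements the RFC 7692 trailer handling (sender strips the trailer, receiver appends it) with the length checks that keep a peer-chosen frame length from driving pointer arithmetic outside the buffer, run on constructed bytes that stand in for real deflate output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The permessage-deflate sync-flush trailer (RFC 7692): the sender strips these
 * four bytes from the deflate output, the receiver appends them before inflating. */
static const uint8_t PMD_TAIL[4] = { 0x00, 0x00, 0xFF, 0xFF };

/* Constructed sample: arbitrary bytes standing in for deflate output, with the
 * trailer still attached. Not real compressed data. */
static const uint8_t SAMPLE_WITH_TAIL[8] = { 0x2A, 0x91, 0x03, 0x00, 0x00, 0x00, 0xFF, 0xFF };
/* Constructed sample shorter than the trailer itself: the edge case a length
 * check must reject before any pointer arithmetic happens. */
static const uint8_t SAMPLE_TOO_SHORT[2] = { 0xFF, 0xFF };

/* Sender side: strip the trailer. Returns the remaining length, or -1 if the
 * buffer is shorter than the trailer or does not end with it. Checking len
 * first is what keeps buf + len - 4 from pointing before the heap block. */
long pmd_strip_tail(const uint8_t *buf, size_t len) {
    if (len < sizeof PMD_TAIL) return -1;
    if (memcmp(buf + len - sizeof PMD_TAIL, PMD_TAIL, sizeof PMD_TAIL) != 0) return -1;
    return (long)(len - sizeof PMD_TAIL);
}

/* Receiver side: copy a peer-supplied frame and append the trailer. Output
 * capacity is checked against the frame length the remote peer chose, so the
 * constant bytes can never land outside out[]. Returns bytes written, or 0. */
size_t pmd_append_tail(const uint8_t *frame, size_t frame_len, uint8_t *out, size_t out_cap) {
    if (frame_len > out_cap || out_cap - frame_len < sizeof PMD_TAIL) return 0;
    memcpy(out, frame, frame_len);
    memcpy(out + frame_len, PMD_TAIL, sizeof PMD_TAIL);
    return frame_len + sizeof PMD_TAIL;
}

/* Strip then re-append and confirm the original bytes come back. Returns 1 on
 * success, 0 if either step refuses the input or the bytes differ. */
int pmd_roundtrip_ok(const uint8_t *buf, size_t len) {
    uint8_t out[64];
    long stripped = pmd_strip_tail(buf, len);
    if (stripped < 0 || len > sizeof out) return 0;
    size_t n = pmd_append_tail(buf, (size_t)stripped, out, sizeof out);
    return n == len && memcmp(out, buf, len) == 0;
}

int main(void) {
    printf("strip ok: %ld\n", pmd_strip_tail(SAMPLE_WITH_TAIL, sizeof SAMPLE_WITH_TAIL));
    printf("short rejected: %ld\n", pmd_strip_tail(SAMPLE_TOO_SHORT, sizeof SAMPLE_TOO_SHORT));
    printf("roundtrip: %d\n", pmd_roundtrip_ok(SAMPLE_WITH_TAIL, sizeof SAMPLE_WITH_TAIL));
    return 0;
}
```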