Bug#1056615: capnproto: CVE-2023-48230: WebSocket message can cause crash

2023-11-24 Thread Salvatore Bonaccorso
Hi Tony,

On Fri, Nov 24, 2023 at 11:04:07AM -0800, tony mancill wrote:
> On Thu, Nov 23, 2023 at 10:42:24PM +0100, Salvatore Bonaccorso wrote:
> > Source: capnproto
> > Version: 1.0.1-1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> > 
> > 
> > Hi,
> > 
> > The following vulnerability was published for capnproto.
> > 
> > CVE-2023-48230[0]:
> >
> > (SNIP)
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-48230
> > https://www.cve.org/CVERecord?id=CVE-2023-48230
> > [1] https://github.com/capnproto/capnproto/security/advisories/GHSA-r89h-f468-62w3
> > [2] https://github.com/capnproto/capnproto/commit/5d5d734b0350c6f2e36c3155753e6a19fbfeda9a
> 
> Thank you for the bug report and for the Security Tracker entry.
> 
> I have prepared a package for 1.0.1.1, but want to take a moment before
> uploading to experimental to consider whether there is a way to patch
> the vulnerability in 1.0.1 and thereby not have to perform a transition
> from 1.0.1 -> 1.0.1.1.

Sure, take the time required for it. 

Regards,
Salvatore



Bug#1056615: capnproto: CVE-2023-48230: WebSocket message can cause crash

2023-11-24 Thread tony mancill
On Thu, Nov 23, 2023 at 10:42:24PM +0100, Salvatore Bonaccorso wrote:
> Source: capnproto
> Version: 1.0.1-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> 
> 
> Hi,
> 
> The following vulnerability was published for capnproto.
> 
> CVE-2023-48230[0]:
>
> (SNIP)
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2023-48230
> https://www.cve.org/CVERecord?id=CVE-2023-48230
> [1] https://github.com/capnproto/capnproto/security/advisories/GHSA-r89h-f468-62w3
> [2] https://github.com/capnproto/capnproto/commit/5d5d734b0350c6f2e36c3155753e6a19fbfeda9a

Thank you for the bug report and for the Security Tracker entry.

I have prepared a package for 1.0.1.1, but want to take a moment before
uploading to experimental to consider whether there is a way to patch
the vulnerability in 1.0.1 and thereby not have to perform a transition
from 1.0.1 -> 1.0.1.1.

Cheers,
tony



Bug#1056615: capnproto: CVE-2023-48230: WebSocket message can cause crash

2023-11-23 Thread Salvatore Bonaccorso
Source: capnproto
Version: 1.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for capnproto.

CVE-2023-48230[0]:
| Cap'n Proto is a data interchange format and capability-based RPC
| system. In versions 1.0 and 1.0.1, when using the KJ HTTP library
| with WebSocket compression enabled, a buffer underrun can be caused
| by a remote peer. The underrun always writes a constant value that
| is not attacker-controlled, likely resulting in a crash, enabling a
| remote denial-of-service attack. Most Cap'n Proto and KJ users are
| unlikely to have this functionality enabled and so unlikely to be
| affected. Maintainers suspect only the Cloudflare Workers Runtime is
| affected. If KJ HTTP is used with WebSocket compression enabled, a
| malicious peer may be able to cause a buffer underrun on a heap-
| allocated buffer. KJ HTTP is an optional library bundled with Cap'n
| Proto, but is not directly used by Cap'n Proto. WebSocket
| compression is disabled by default. It must be enabled via a setting
| passed to the KJ HTTP library via `HttpClientSettings` or
| `HttpServerSettings`. The bytes written out-of-bounds are always a
| specific constant 4-byte string `{ 0x00, 0x00, 0xFF, 0xFF }`.
| Because this string is not controlled by the attacker, maintainers
| believe it is unlikely that remote code execution is possible.
| However, it cannot be ruled out. This functionality first appeared
| in Cap'n Proto 1.0. Previous versions are not affected. This issue
| is fixed in Cap'n Proto 1.0.1.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48230
https://www.cve.org/CVERecord?id=CVE-2023-48230
[1] https://github.com/capnproto/capnproto/security/advisories/GHSA-r89h-f468-62w3
[2] https://github.com/capnproto/capnproto/commit/5d5d734b0350c6f2e36c3155753e6a19fbfeda9a

Regards,
Salvatore