Source: capnproto
Version: 0.5.3-2
Severity: minor
Tags: upstream security fixed-upstream

Hi,

the following vulnerability was published for capnproto.

CVE-2017-7892[0]:
| Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes related to a
| compiler optimization. A remote attacker can trigger a segfault in a
| 32-bit libcapnp application because Cap'n Proto relies on pointer
| arithmetic calculations that overflow. An example compiler with
| optimization that elides a bounds check in such calculations is Apple
| LLVM version 8.1.0 (clang-802.0.41). The attack vector is a crafted far
| pointer within a message.

So far only Apple's compiler has been shown to apply the problematic
optimization. The issue though is fixed in 0.5.3.1 and this bug report is
to help track the fix so that we can properly update the fixing version
once the fix lands in the archive.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7892
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7892

Regards,
Salvatore
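
Added illustration, not part of the original report and not Cap'n Proto's own code: a generic C sketch of the bug class the CVE text describes, with a pointer-based bounds check that an optimizer may elide next to an integer-based check that it cannot. The names `segment`, `in_bounds_fragile`, `in_bounds_checked` and `resolve`, and the sample values, are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t word_t;   /* 8-byte word, the unit message offsets count in */

/* Hypothetical segment descriptor for this illustration. */
struct segment { const word_t *start; size_t words; };

/*
 * Fragile form: builds the target pointer first, then tests for wraparound.
 * Forming a pointer outside the array is undefined behaviour in C, so an
 * optimizer may assume `p < seg->start` is never true and delete the test.
 * On a 32-bit target an untrusted offset can then wrap the address.
 */
bool in_bounds_fragile(const struct segment *seg, uint32_t off, uint32_t len)
{
    const word_t *p = seg->start + off;            /* may overflow: UB */
    if (p < seg->start) return false;              /* candidate for elision */
    return p + len <= seg->start + seg->words;     /* may overflow: UB */
}

/*
 * Robust form: compare the untrusted counts against the segment size using
 * unsigned integers only. No pointer is formed until the range is known to
 * fit, so there is no check the optimizer is entitled to remove.
 */
bool in_bounds_checked(const struct segment *seg, uint32_t off, uint32_t len)
{
    if (off > seg->words) return false;
    return len <= seg->words - off;                /* cannot underflow */
}

/* Returns a pointer to the validated range, or NULL if it does not fit. */
const word_t *resolve(const struct segment *seg, uint32_t off, uint32_t len)
{
    return in_bounds_checked(seg, off, len) ? seg->start + off : NULL;
}

int main(void)
{
    static const word_t buf[4] = {1, 2, 3, 4};     /* constructed sample segment */
    struct segment seg = { buf, 4 };
    printf("in range: %d, huge offset: %d\n",
           resolve(&seg, 1, 2) != NULL, resolve(&seg, 0x1FFFFFFFu, 1) != NULL);
    return 0;
}
```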