Salvatore,

Assuming you raised this on behalf of the security team (and per https://www.debian.org/intro/organization#security I'm assuming you are):

For a moment I thought it might be worth applying upstream's patch as a precaution & requesting an unblock, but it really seems like it's just a band-aid for a specific instance of the potential bad behavior rather than a full-throated fix. Per their info from the CVE:

> This change has been shown to fix the problem in practice. However, this
> quick fix does not technically avoid undefined behavior, as the code still
> computes pointers that point to invalid locations before they are checked.
> A technically-correct solution has been implemented in the next
> commit, 2ca8e41140ebc618b8fb314b393b0a507568cf21. However, as this required
> more extensive refactoring, it is not appropriate for cherry-picking, and
> will only land in versions 0.6 and up.

Given that, the fact there doesn't seem to be any evidence of the practical aspects of the CVE outside of the Apple ecosystem and the fact we're in the middle of a freeze, I think I'm going to defer any changes directed at a "fix" until after the freeze lifts. Does that work for you?

Lastly: I'll work with my sponsor to get the 0.5.3.1-1 release uploaded as soon as I can once the freeze does lift, but should we perhaps leave this bug open until we see 0.6+ roll down from upstream with the "technically-correct" solution?

Thanks again for flagging this.

Cheers,
Tom

On Sat, Apr 22, 2017 at 12:50 PM, Tom Lee <deb...@tomlee.co> wrote:
> Thanks for the reminder Salvatore -- I'll get this sorted out.
>
> On Sat, Apr 22, 2017 at 10:43 AM, Salvatore Bonaccorso <car...@debian.org>
> wrote:
>
>> Source: capnproto
>> Version: 0.5.3-2
>> Severity: minor
>> Tags: upstream security fixed-upstream
>>
>> Hi,
>>
>> the following vulnerability was published for capnproto.
>>
>> CVE-2017-7892[0]:
>> | Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes related to a
>> | compiler optimization. A remote attacker can trigger a segfault in a
>> | 32-bit libcapnp application because Cap'n Proto relies on pointer
>> | arithmetic calculations that overflow. An example compiler with
>> | optimization that elides a bounds check in such calculations is Apple
>> | LLVM version 8.1.0 (clang-802.0.41). The attack vector is a crafted far
>> | pointer within a message.
>>
>> So far only Apple's compiler has been shown to apply the problematic
>> optimization. The issue though is fixed in 0.5.3.1 and this bug report
>> is to help track the fix so that we can properly update the fixing
>> version once the fix lands in the archive.
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2017-7892
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7892
>>
>> Regards,
>> Salvatore
>>
>
>
> --
> *Tom Lee* / http://tomlee.co / @tglee <http://twitter.com/tglee>

--
*Tom Lee* / http://tomlee.co / @tglee <http://twitter.com/tglee>
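The check-after-compute bounds check that the CVE text and the upstream note describe, as an added illustration beside the check-before-compute idiom that avoids it. This is not Cap'n Proto's code and not from this thread; the `segment_t` type, the functions and the 16-byte sample segment are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical segment type: a byte buffer plus its length (not Cap'n Proto's). */
typedef struct {
    const uint8_t *data;
    size_t len;
} segment_t;

/* Check-after-compute pattern. On a 32-bit build, data + offset can wrap;
 * that addition is undefined behaviour, so an optimizer is entitled to
 * assume it never happens and drop the comparison. Only well-defined here
 * for ranges that actually lie inside the segment. */
static bool in_bounds_unsafe(const segment_t *seg, uint64_t offset, uint64_t size) {
    const uint8_t *start = seg->data + offset;
    const uint8_t *end = start + size;
    return start >= seg->data && end <= seg->data + seg->len;
}

/* Check-before-compute: validate with unsigned integer arithmetic that
 * cannot overflow, and only then form a pointer. */
static bool in_bounds_safe(const segment_t *seg, uint64_t offset, uint64_t size) {
    if (offset > seg->len) return false;            /* pointer would leave the segment */
    return size <= (uint64_t)seg->len - offset;     /* no underflow: offset <= len */
}

/* Resolve an (offset, size) reference into a pointer, or NULL if rejected. */
static const uint8_t *segment_slice(const segment_t *seg, uint64_t offset, uint64_t size) {
    if (!in_bounds_safe(seg, offset, size)) return NULL;
    return seg->data + (size_t)offset;
}

/* Constructed 16-byte sample segment used by main() below. */
static const uint8_t sample_bytes[16] = {0};
static const segment_t sample_seg = { sample_bytes, sizeof sample_bytes };

int main(void) {
    uint64_t offsets[] = { 0, 8, 8, 16, UINT64_MAX - 3 };
    uint64_t sizes[]   = { 16, 8, 9, 1, 8 };
    for (size_t i = 0; i < 5; i++)
        printf("offset=%llu size=%llu -> %s\n",
               (unsigned long long)offsets[i], (unsigned long long)sizes[i],
               in_bounds_safe(&sample_seg, offsets[i], sizes[i]) ? "ok" : "rejected");
    /* The unsafe form agrees on an in-range request; only overflowing inputs differ. */
    printf("unsafe form, in-range request: %d\n", in_bounds_unsafe(&sample_seg, 4, 4));
    return 0;
}
```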