Hi,

On Fri, Dec 09, 2022 at 11:08:56PM +0100, Salvatore Bonaccorso wrote:
> Source: rust-capnp
> Version: 0.14.7-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for rust-capnp.
>
> CVE-2022-46149[0]:
> | Cap'n Proto is a data interchange format and remote procedure call
> | (RPC) system. Cap'n Proto prior to versions 0.7.1, 0.8.1, 0.9.2, and
> | 0.10.3, as well as versions of Cap'n Proto's Rust implementation prior
> | to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read
> | due to logic error handling list-of-list. This issue may lead someone
> | to remotely segfault a peer by sending it a malicious message, if the
> | victim performs certain actions on a list-of-pointer type.
> | Exfiltration of memory is possible if the victim performs additional
> | certain actions on a list-of-pointer type. To be vulnerable, an
> | application must perform a specific sequence of actions, described in
> | the GitHub Security Advisory. The bug is present in inlined code,
> | therefore the fix will require rebuilding dependent applications.
> | Cap'n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2,
> | and 0.10.3. The `capnp` Rust crate has fixes available in versions
> | 0.13.7, 0.14.11, and 0.15.2.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-46149
>     https://www.cve.org/CVERecord?id=CVE-2022-46149
> [1] https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx
> [2] https://rustsec.org/advisories/RUSTSEC-2022-0068.html
I have prepared an upload of rust-capnp 0.14.11 to address the vulnerability.
I reached out to the Uploaders on December 8th with my offer to upload the
new version, but have not received a response. If there are no objections,
I intend to perform a delayed NMU with the update on December 20th.

Thank you,
tony
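As an added illustration, not part of this bug report or of the capnp project: a small Rust program that finds every `capnp` entry in a Cargo.lock and reports whether it predates the fixed releases named in the advisory text above (0.13.7, 0.14.11, 0.15.2). The lock-file content is constructed for the example, the package name `example-app` is made up, and the check covers upstream crate versions only (a Debian version such as 0.14.7-2 has to have its revision suffix stripped first). Since the advisory says the bug lives in inlined code, a fixed crate on its own does not help a deployed binary; everything compiled against the old version has to be rebuilt, which is why the audit is worth running per consuming project rather than only on the library package.

```rust
// Added example, not code from the bug report or from the capnp project.
// Checks capnp crate versions found in a Cargo.lock against the first fixed
// release on each affected branch from CVE-2022-46149 / RUSTSEC-2022-0068.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parse "MAJOR.MINOR.PATCH". Pre-release tags, build metadata and Debian
/// revision suffixes ("-2") are rejected rather than guessed at.
pub fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = Version(parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None;
    }
    Some(v)
}

/// First fixed release of the `capnp` crate on each affected 0.x branch,
/// as stated in the advisory quoted above.
pub const FIXED: [Version; 3] = [Version(0, 13, 7), Version(0, 14, 11), Version(0, 15, 2)];

/// A version is fixed if it is at or above the fix on its own 0.x branch.
/// Branches older than 0.13 have no fix ("prior to 0.13.7" is vulnerable);
/// branches newer than the newest fix are assumed to carry it.
pub fn capnp_is_fixed(v: Version) -> bool {
    match FIXED.iter().find(|f| f.0 == v.0 && f.1 == v.1) {
        Some(fix) => v >= *fix,
        None => v > FIXED[FIXED.len() - 1],
    }
}

/// Collect the version strings of every `[[package]]` block named
/// `crate_name`. A Cargo.lock may legitimately list the same crate twice
/// (two dependants pinning different 0.x lines), so this returns all of them.
/// Line-based parse of the lock-file subset we need; no TOML crate required.
pub fn lock_versions(lock: &str, crate_name: &str) -> Vec<String> {
    lock.split("[[package]]")
        .filter_map(|block| {
            let mut name = None;
            let mut version = None;
            for line in block.lines().map(str::trim) {
                if let Some(v) = line.strip_prefix("name = ") {
                    name = Some(v.trim_matches('"'));
                }
                if let Some(v) = line.strip_prefix("version = ") {
                    version = Some(v.trim_matches('"'));
                }
            }
            if name == Some(crate_name) {
                version.map(str::to_string)
            } else {
                None
            }
        })
        .collect()
}

/// (version string, fixed?) for each capnp entry; unparsable versions are
/// reported as not fixed so they get looked at by a human.
pub fn audit_lock(lock: &str) -> Vec<(String, bool)> {
    lock_versions(lock, "capnp")
        .into_iter()
        .map(|v| {
            let fixed = parse_version(&v).map_or(false, capnp_is_fixed);
            (v, fixed)
        })
        .collect()
}

/// Constructed sample lock file (not from any real project). It carries the
/// Debian-packaged 0.14.7 next to a fixed 0.15.2 pulled in by a hypothetical
/// dependant, the situation a mixed dependency tree produces.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "capnp"
version = "0.14.7"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "capnp"
version = "0.15.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-app"
version = "0.1.0"
dependencies = [
 "capnp 0.14.7",
]
"#;

fn main() {
    for (version, fixed) in audit_lock(SAMPLE_LOCK) {
        let verdict = if fixed {
            "fixed"
        } else {
            "update the crate and rebuild every binary linking it"
        };
        println!("capnp {}: {}", version, verdict);
    }
}
```

Run it against a real project with `cargo run < /dev/null` after pointing `SAMPLE_LOCK` at the project's Cargo.lock contents, or keep the lookup as is and feed `std::fs::read_to_string("Cargo.lock")` into `audit_lock`. The per-branch comparison matters: a naive "version >= 0.15.2" test would wrongly flag a fixed 0.14.11 as vulnerable, and a naive "version >= 0.13.7" test would wrongly pass 0.14.7.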