Source: rust-wasmtime
Version: 26.0.1+dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for rust-wasmtime.

CVE-2025-53901[0]:
| Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4,
| 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1
| set of import functions can lead to a WebAssembly guest inducing a
| panic in the host (embedder). The specific bug is triggered by
| calling `path_open` after calling `fd_renumber` with either two
| equal argument values or a second argument being equal to a
| previously-closed file descriptor number value. The corrupt state
| introduced in `fd_renumber` will lead to the subsequent opening of a
| file descriptor to panic. This panic cannot introduce memory
| unsafety or allow WebAssembly to break outside of its sandbox,
| however. There is no possible heap corruption or memory unsafety
| from this panic. This bug is in the implementation of Wasmtime's
| `wasmtime-wasi` crate which provides an implementation of WASIp1.
| The bug requires a specially crafted call to `fd_renumber` in
| addition to the ability to open a subsequent file descriptor.
| Opening a second file descriptor is only possible when a preopened
| directory was provided to the guest, and this is common amongst
| embeddings. A panic in the host is considered a denial-of-service
| vector for WebAssembly embedders and is thus a security issue in
| Wasmtime. This bug does not affect WASIp2 and embedders using
| components. In accordance with Wasmtime's release process, patch
| releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other
| release of Wasmtime are recommended to move to a supported release
| of Wasmtime. Embedders who are using components or are not providing
| guest access to create more file descriptors (e.g. via a preopened
| filesystem directory) are not affected by this issue. Otherwise,
| there is no workaround at this time, and affected embeddings are
| recommended to update to a patched version which will not cause a
| panic in the host.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53901
    https://www.cve.org/CVERecord?id=CVE-2025-53901
[1] https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc

Regards,
Salvatore
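
A triage sketch for the fixed-version wording quoted above, added here as an example and not part of the original report or of Wasmtime. It shows why a single "greater than the lowest fixed version" comparison misclassifies the packaged 26.0.1+dfsg-3. The function names and status strings are hypothetical, and two readings are assumed: release lines other than 24, 33 and 34 below 34.0.2 have no patch release, and lines above 34 carry the fix.

```python
import re

# Patch releases named in the CVE text, keyed by major release line.
FIXED = {24: (24, 0, 4), 33: (33, 0, 2), 34: (34, 0, 2)}


def upstream_version(debian_version):
    """Extract (major, minor, patch) from a Debian version string.

    Handles an optional epoch ("1:") and ignores suffixes such as
    "+dfsg" and the Debian revision ("-3").
    """
    without_epoch = debian_version.split(":", 1)[-1]
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", without_epoch)
    if not match:
        raise ValueError(f"unrecognised version: {debian_version!r}")
    return tuple(int(part) for part in match.groups())


def naive_is_fixed(debian_version):
    """Flawed check: compares only against the lowest fixed version."""
    return upstream_version(debian_version) >= min(FIXED.values())


def classify(debian_version):
    """Classify a version against the per-line fixes from the CVE text."""
    version = upstream_version(debian_version)
    major = version[0]
    if major in FIXED:
        if version >= FIXED[major]:
            return "fixed"
        return "affected-patch-available"
    if major > max(FIXED):
        # Assumption: release lines after 34 include the fix.
        return "fixed"
    # Assumption: no patch release exists for this line, so the only
    # remedy named in the advisory is moving to a supported release.
    return "affected-unsupported-line"


if __name__ == "__main__":
    # Constructed sample inputs; the first is the version in this report.
    for sample in ["26.0.1+dfsg-3", "24.0.3-1", "24.0.4", "33.0.1", "34.0.2"]:
        print(sample, classify(sample), "naive:", naive_is_fixed(sample))
```
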