capnproto: CVE-2023-48230: WebSocket message can cause crash


Debian Bug report logs - #1056615


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 23 Nov 2023 21:45:02 UTC

Severity: important

Tags: security, upstream

Found in version capnproto/1.0.1-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Tom Lee <debian@tomlee.co>:
Bug#1056615; Package src:capnproto. (Thu, 23 Nov 2023 21:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Tom Lee <debian@tomlee.co>. (Thu, 23 Nov 2023 21:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: capnproto: CVE-2023-48230: WebSocket message can cause crash
Date: Thu, 23 Nov 2023 22:42:24 +0100
Source: capnproto
Version: 1.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for capnproto.

CVE-2023-48230[0]:
| Cap'n Proto is a data interchange format and capability-based RPC
| system. In versions 1.0 and 1.0.1, when using the KJ HTTP library
| with WebSocket compression enabled, a buffer underrun can be caused
| by a remote peer. The underrun always writes a constant value that
| is not attacker-controlled, likely resulting in a crash, enabling a
| remote denial-of-service attack. Most Cap'n Proto and KJ users are
| unlikely to have this functionality enabled and so unlikely to be
| affected. Maintainers suspect only the Cloudflare Workers Runtime is
| affected. If KJ HTTP is used with WebSocket compression enabled, a
| malicious peer may be able to cause a buffer underrun on a heap-
| allocated buffer. KJ HTTP is an optional library bundled with Cap'n
| Proto, but is not directly used by Cap'n Proto. WebSocket
| compression is disabled by default. It must be enabled via a setting
| passed to the KJ HTTP library via `HttpClientSettings` or
| `HttpServerSettings`. The bytes written out-of-bounds are always a
| specific constant 4-byte string `{ 0x00, 0x00, 0xFF, 0xFF }`.
| Because this string is not controlled by the attacker, maintainers
| believe it is unlikely that remote code execution is possible.
| However, it cannot be ruled out. This functionality first appeared
| in Cap'n Proto 1.0. Previous versions are not affected. This issue
| is fixed in Cap'n Proto 1.0.1.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48230
    https://www.cve.org/CVERecord?id=CVE-2023-48230
[1] https://github.com/capnproto/capnproto/security/advisories/GHSA-r89h-f468-62w3
[2] https://github.com/capnproto/capnproto/commit/5d5d734b0350c6f2e36c3155753e6a19fbfeda9a

Regards,
Salvatore
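The 4-byte constant the advisory names, `{ 0x00, 0x00, 0xFF, 0xFF }`, is the DEFLATE sync-flush trailer that permessage-deflate (RFC 7692) removes from a compressed WebSocket message before sending and re-appends on receipt. The advisory does not say where the KJ code goes wrong, so what follows is a constructed example of that trailer handling written with explicit length checks, added here for illustration; it is not KJ's or Cap'n Proto's code, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* DEFLATE sync-flush trailer per RFC 7692: stripped by the sender,
 * restored by the receiver before inflating. Same constant as the advisory. */
static const uint8_t DEFLATE_TAIL[4] = { 0x00, 0x00, 0xFF, 0xFF };

/* Receiver side (RFC 7692 section 7.2.2): copy a received compressed payload
 * into a new heap buffer that is exactly len + 4 bytes and append the trailer
 * at offset len. The trailer is written at an offset derived from the
 * allocation size, never at "end - 4" of the incoming data, so a frame
 * shorter than 4 bytes (even an empty one) cannot produce a write before
 * the start of the buffer. Returns NULL on overflow or allocation failure.
 * Constructed example, not KJ's implementation. */
uint8_t *restore_deflate_tail(const uint8_t *payload, size_t len, size_t *out_len)
{
    if (payload == NULL && len != 0) return NULL;
    if (len > SIZE_MAX - sizeof DEFLATE_TAIL) return NULL;   /* len + 4 must not wrap */
    size_t total = len + sizeof DEFLATE_TAIL;
    uint8_t *buf = malloc(total);
    if (buf == NULL) return NULL;
    if (len != 0) memcpy(buf, payload, len);
    memcpy(buf + len, DEFLATE_TAIL, sizeof DEFLATE_TAIL);
    *out_len = total;
    return buf;
}

/* Sender side (RFC 7692 section 7.2.1): return the number of bytes to
 * transmit after removing the trailer, or -1 when the compressor output is
 * shorter than the trailer or does not end with it. The length check comes
 * first so len - 4 is never computed on a value smaller than 4. */
long strip_deflate_tail(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < sizeof DEFLATE_TAIL) return -1;
    if (memcmp(buf + len - sizeof DEFLATE_TAIL, DEFLATE_TAIL, sizeof DEFLATE_TAIL) != 0)
        return -1;
    return (long)(len - sizeof DEFLATE_TAIL);
}
```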





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Nov 24 08:16:13 2023; Machine Name: bembo
