Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2022-46149

Source

Debian Bug report logs - #1025821
rust-capnp: CVE-2022-46149

Package: src:rust-capnp; Maintainer for src:rust-capnp is Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 9 Dec 2022 22:12:01 UTC

Severity: important

Tags: security, upstream

Found in version rust-capnp/0.14.7-2

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>:
Bug#1025821; Package src:rust-capnp. (Fri, 09 Dec 2022 22:12:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>. (Fri, 09 Dec 2022 22:12:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: rust-capnp
Version: 0.14.7-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for rust-capnp.

CVE-2022-46149[0]:
| Cap'n Proto is a data interchange format and remote procedure call
| (RPC) system. Cap'n Proro prior to versions 0.7.1, 0.8.1, 0.9.2, and
| 0.10.3, as well as versions of Cap'n Proto's Rust implementation prior
| to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read
| due to logic error handling list-of-list. This issue may lead someone
| to remotely segfault a peer by sending it a malicious message, if the
| victim performs certain actions on a list-of-pointer type.
| Exfiltration of memory is possible if the victim performs additional
| certain actions on a list-of-pointer type. To be vulnerable, an
| application must perform a specific sequence of actions, described in
| the GitHub Security Advisory. The bug is present in inlined code,
| therefore the fix will require rebuilding dependent applications.
| Cap'n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2,
| and 0.10.3. The `capnp` Rust crate has fixes available in versions
| 0.13.7, 0.14.11, and 0.15.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46149
    https://www.cve.org/CVERecord?id=CVE-2022-46149
[1] https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx
[2] https://rustsec.org/advisories/RUSTSEC-2022-0068.html

Regards,
Salvatore

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Dec 10 07:19:10 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

rust-capnp: CVE-2022-46149

Debian Bug report logs - #1025821
rust-capnp: CVE-2022-46149

Vulmon Search

About

Products

Connect

rust-capnp: CVE-2022-46149

Debian Bug report logs - #1025821 rust-capnp: CVE-2022-46149

Vulmon Search

About

Products

Connect

Debian Bug report logs - #1025821
rust-capnp: CVE-2022-46149