capnproto: CVE-2017-7892


Debian Bug report logs - #860960
capnproto: CVE-2017-7892


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 22 Apr 2017 17:45:02 UTC

Severity: minor

Tags: fixed-upstream, security, upstream

Found in version capnproto/0.5.3-2

Fixed in version capnproto/0.6.1-1

Done: Tom Lee <debian@tomlee.co>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tom Lee <debian@tomlee.co>:
Bug#860960; Package src:capnproto. (Sat, 22 Apr 2017 17:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tom Lee <debian@tomlee.co>. (Sat, 22 Apr 2017 17:45:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: capnproto: CVE-2017-7892
Date: Sat, 22 Apr 2017 19:43:07 +0200
Source: capnproto
Version: 0.5.3-2
Severity: minor
Tags: upstream security fixed-upstream

Hi,

the following vulnerability was published for capnproto.

CVE-2017-7892[0]:
| Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes related to a
| compiler optimization. A remote attacker can trigger a segfault in a
| 32-bit libcapnp application because Cap'n Proto relies on pointer
| arithmetic calculations that overflow. An example compiler with
| optimization that elides a bounds check in such calculations is Apple
| LLVM version 8.1.0 (clang-802.0.41). The attack vector is a crafted far
| pointer within a message.

So far only Apple's compiler has been shown to apply the problematic
optimization. The issue though is fixed in 0.5.3.1 and this bug report
is to help track the fix so that we can properly update the fixing
version once the fix lands in the archive.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7892
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7892

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#860960; Package src:capnproto. (Sat, 22 Apr 2017 19:54:07 GMT) (full text, mbox, link).


Acknowledgement sent to Tom Lee <debian@tomlee.co>:
Extra info received and forwarded to list. (Sat, 22 Apr 2017 19:54:07 GMT) (full text, mbox, link).


Message #10 received at 860960@bugs.debian.org (full text, mbox, reply):

From: Tom Lee <debian@tomlee.co>
To: Salvatore Bonaccorso <carnil@debian.org>, 860960@bugs.debian.org
Subject: Re: Bug#860960: capnproto: CVE-2017-7892
Date: Sat, 22 Apr 2017 12:50:22 -0700
Thanks for the reminder Salvatore -- I'll get this sorted out.

On Sat, Apr 22, 2017 at 10:43 AM, Salvatore Bonaccorso <carnil@debian.org>
wrote:

> Source: capnproto
> Version: 0.5.3-2
> Severity: minor
> Tags: upstream security fixed-upstream
>
> Hi,
>
> the following vulnerability was published for capnproto.
>
> CVE-2017-7892[0]:
> | Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes related to a
> | compiler optimization. A remote attacker can trigger a segfault in a
> | 32-bit libcapnp application because Cap'n Proto relies on pointer
> | arithmetic calculations that overflow. An example compiler with
> | optimization that elides a bounds check in such calculations is Apple
> | LLVM version 8.1.0 (clang-802.0.41). The attack vector is a crafted far
> | pointer within a message.
>
> So far only Apple's compiler has been shown to apply the problematic
> optimization. The issue though is fixed in 0.5.3.1 and this bug report
> is to help track the fix so that we can properly update the fixing
> version once the fix lands in the archive.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-7892
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7892
>
> Regards,
> Salvatore
>



-- 
*Tom Lee */ http://tomlee.co / @tglee <http://twitter.com/tglee>

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#860960; Package src:capnproto. (Tue, 25 Apr 2017 07:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Tom Lee <debian@tomlee.co>:
Extra info received and forwarded to list. (Tue, 25 Apr 2017 07:15:05 GMT) (full text, mbox, link).


Message #15 received at 860960@bugs.debian.org (full text, mbox, reply):

From: Tom Lee <debian@tomlee.co>
To: Salvatore Bonaccorso <carnil@debian.org>, 860960@bugs.debian.org
Subject: Re: Bug#860960: capnproto: CVE-2017-7892
Date: Tue, 25 Apr 2017 00:12:11 -0700
Salvatore,

Assuming you raised this on behalf of the security team (and per
https://www.debian.org/intro/organization#security I'm assuming you are):

For a moment I thought it might be worth applying upstream's patch as a
precaution & requesting an unblock, but it really seems like it's just a
band-aid for specific instances of the potential bad behavior rather than
a full-throated fix.

Per their info from the CVE:

> This change has been shown to fix the problem in practice. However, this
> quick fix does not technically avoid undefined behavior, as the code still
> computes pointers that point to invalid locations before they are checked.
> A technically-correct solution has been implemented in the next
> commit, 2ca8e41140ebc618b8fb314b393b0a507568cf21. However, as this required
> more extensive refactoring, it is not appropriate for cherry-picking, and
> will only land in versions 0.6 and up.

Given that, the fact there doesn't seem to be any evidence of the
practical aspects of the CVE outside of the Apple ecosystem and the fact
we're in the middle of a freeze, I think I'm going to defer any changes
directed at a "fix" until after the freeze lifts. Does that work for you?

Lastly: I'll work with my sponsor to get the 0.5.3.1-1 release uploaded as
soon as I can once the freeze does lift, but should we perhaps leave this
bug open until we see 0.6+ roll down from upstream with the
"technically-correct" solution?

Thanks again for flagging this.

Cheers,
Tom


On Sat, Apr 22, 2017 at 12:50 PM, Tom Lee <debian@tomlee.co> wrote:

> Thanks for the reminder Salvatore -- I'll get this sorted out.
>
> On Sat, Apr 22, 2017 at 10:43 AM, Salvatore Bonaccorso <carnil@debian.org>
> wrote:
>
>> Source: capnproto
>> Version: 0.5.3-2
>> Severity: minor
>> Tags: upstream security fixed-upstream
>>
>> Hi,
>>
>> the following vulnerability was published for capnproto.
>>
>> CVE-2017-7892[0]:
>> | Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes related to a
>> | compiler optimization. A remote attacker can trigger a segfault in a
>> | 32-bit libcapnp application because Cap'n Proto relies on pointer
>> | arithmetic calculations that overflow. An example compiler with
>> | optimization that elides a bounds check in such calculations is Apple
>> | LLVM version 8.1.0 (clang-802.0.41). The attack vector is a crafted far
>> | pointer within a message.
>>
>> So far only Apple's compiler has been shown to apply the problematic
>> optimization. The issue though is fixed in 0.5.3.1 and this bug report
>> is to help track the fix so that we can properly update the fixing
>> version once the fix lands in the archive.
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2017-7892
>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7892
>>
>> Regards,
>> Salvatore
>>
>
>
>
> --
> *Tom Lee */ http://tomlee.co / @tglee <http://twitter.com/tglee>
>
>


-- 
*Tom Lee */ http://tomlee.co / @tglee <http://twitter.com/tglee>
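The defect the CVE text and the quoted upstream note describe is a bounds check performed on a pointer that has already been computed, which an optimizing compiler may rewrite once the addition overflows; the fix upstream mentions moves the check onto integer offsets instead. The following is an added example in C, not code from libcapnp or from this bug thread; the segment struct, the function names, the 8-byte word addressing and the demo buffer are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WORD_BYTES 8   /* assumed: message addressed in 8-byte words, as Cap'n Proto does */

/* Constructed stand-in for one message segment: a bounded buffer of words. */
typedef struct {
    const uint8_t *start;
    size_t words;
} segment_t;

/* Pattern the CVE text describes (constructed, not libcapnp code): the target
 * pointer is formed first and only then compared with the segment end. If
 * start + (pos + off) * 8 wraps around the address space, which a large
 * attacker-chosen far-pointer offset makes possible on 32-bit, the pointer
 * arithmetic is undefined behaviour; an optimizing compiler may assume no
 * wrap happened and simplify the comparison so it no longer rejects the value. */
static const uint8_t *resolve_unsafe(const segment_t *seg, size_t pos, size_t off, size_t need) {
    const uint8_t *end = seg->start + seg->words * WORD_BYTES;
    const uint8_t *target = seg->start + (pos + off) * WORD_BYTES;   /* may overflow */
    if (target + need * WORD_BYTES > end)                            /* check may be elided */
        return NULL;
    return target;
}

/* Hardened form: validate offsets as integers against the words that remain,
 * and form a pointer only after every quantity is known to lie in bounds.
 * Unchecked input is never multiplied and no invalid pointer is ever computed. */
static const uint8_t *resolve_checked(const segment_t *seg, size_t pos, size_t off, size_t need) {
    if (pos > seg->words) return NULL;
    size_t remaining = seg->words - pos;        /* words from pos to the segment end */
    if (off > remaining) return NULL;           /* target would start past the end */
    if (need > remaining - off) return NULL;    /* object would run off the end */
    return seg->start + (pos + off) * WORD_BYTES;
}

/* Constructed 4-word demo segment. */
static const uint8_t demo_buf[4 * WORD_BYTES];
static const segment_t demo_seg = { demo_buf, 4 };

int main(void) {
    /* In-range far pointer: both versions agree and return word 3. */
    printf("in-range: %s\n", resolve_checked(&demo_seg, 1, 2, 1) == demo_buf + 3 * WORD_BYTES ? "ok" : "bad");
    /* Crafted offset near SIZE_MAX: only the checked version is safe to call at all. */
    printf("crafted: %s\n", resolve_checked(&demo_seg, 1, SIZE_MAX - 1, 1) == NULL ? "rejected" : "ACCEPTED");
    return 0;
}
```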

Information forwarded to debian-bugs-dist@lists.debian.org, Tom Lee <debian@tomlee.co>:
Bug#860960; Package src:capnproto. (Tue, 25 Apr 2017 07:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Tom Lee <debian@tomlee.co>. (Tue, 25 Apr 2017 07:30:04 GMT) (full text, mbox, link).


Message #20 received at 860960@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Tom Lee <debian@tomlee.co>
Cc: 860960@bugs.debian.org
Subject: Re: Bug#860960: capnproto: CVE-2017-7892
Date: Tue, 25 Apr 2017 09:23:22 +0200
Hi Tom,

On Tue, Apr 25, 2017 at 12:12:11AM -0700, Tom Lee wrote:
> Salvatore,
> 
> Assuming you raised this on behalf of the security team (and per
> https://www.debian.org/intro/organization#security I'm assuming you are):
> 
> For a moment I thought it might be worth applying upstream's patch as a
> precaution & requesting an unblock, but it really seems like it's just a
> band-aid for specific instances of the potential bad behavior rather than
> a full-throated fix.
> 
> Per their info from the CVE:
> 
> > This change has been shown to fix the problem in practice. However, this
> > quick fix does not technically avoid undefined behavior, as the code still
> > computes pointers that point to invalid locations before they are checked.
> > A technically-correct solution has been implemented in the next
> > commit, 2ca8e41140ebc618b8fb314b393b0a507568cf21. However, as this required
> > more extensive refactoring, it is not appropriate for cherry-picking, and
> > will only land in versions 0.6 and up.
> 
> Given that, the fact there doesn't seem to be any evidence of the
> practical aspects of the CVE outside of the Apple ecosystem and the fact
> we're in the middle of a freeze, I think I'm going to defer any changes
> directed at a "fix" until after the freeze lifts. Does that work for you?
> 
> Lastly: I'll work with my sponsor to get the 0.5.3.1-1 release uploaded as
> soon as I can once the freeze does lift, but should we perhaps leave this
> bug open until we see 0.6+ roll down from upstream with the
> "technically-correct" solution?

I completely agree with you on that! Just to make clear: I just raised
this to the BTS to have it tracked outside of the security-tracker and
be able to record the fix once it enters unstable at some point with
0.6+.

Regards and thanks a lot for your work!
Salvatore



Reply sent to Tom Lee <debian@tomlee.co>:
You have taken responsibility. (Mon, 28 Aug 2017 10:03:29 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 28 Aug 2017 10:03:29 GMT) (full text, mbox, link).


Message #25 received at 860960-close@bugs.debian.org (full text, mbox, reply):

From: Tom Lee <debian@tomlee.co>
To: 860960-close@bugs.debian.org
Subject: Bug#860960: fixed in capnproto 0.6.1-1
Date: Mon, 28 Aug 2017 10:00:11 +0000
Source: capnproto
Source-Version: 0.6.1-1

We believe that the bug you reported is fixed in the latest version of
capnproto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860960@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tom Lee <debian@tomlee.co> (supplier of updated capnproto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 26 Aug 2017 10:54:20 -0700
Source: capnproto
Binary: libcapnp-0.6.1 libcapnp-dev capnproto
Architecture: source amd64
Version: 0.6.1-1
Distribution: unstable
Urgency: medium
Maintainer: Tom Lee <debian@tomlee.co>
Changed-By: Tom Lee <debian@tomlee.co>
Description:
 capnproto  - tool for working with the Cap'n Proto data interchange format
 libcapnp-0.6.1 - Cap'n Proto C++ library
 libcapnp-dev - Cap'n Proto C++ library (development files)
Closes: 809065 853342 853539 860960 866525
Changes:
 capnproto (0.6.1-1) unstable; urgency=medium
 .
   * Imported Upstream version 0.6.1 (Closes: #866525) which includes:
      - a fix for CVE-2017-7892 (Closes: #860960)
      - a fix for broken GCC 7 builds (Closes: #853342, #853539)
      - a possible fix for the hurd-i386 FTBFS in #804122
   * MultiArch support (Closes: #809065)
   * Clean up some Lintian gripes
   * Updated to debhelper 9, Standards-Version 4.0.0
   * License in debian/copyright changed from BSD-2-clause to MIT





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Oct 2017 07:29:46 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:16:48 2019; Machine Name: buxtehude
