From 42b34df60bdfc87c2ef34b0891a364f476c6f7c0 Mon Sep 17 00:00:00 2001
From: David Renshaw
Date: Wed, 30 Nov 2022 17:15:35 -0500
Subject: [PATCH] add capnp bug: CVE-2022-46149 (#1476)

* add capnp bug: CVE-2022-46149

* change canonical URL, add references and aliases

Co-authored-by: Sergey "Shnatsel" Davidoff
---
 crates/capnp/RUSTSEC-0000-0000.md | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 crates/capnp/RUSTSEC-0000-0000.md

diff --git a/crates/capnp/RUSTSEC-0000-0000.md b/crates/capnp/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..cc6d919
--- /dev/null
+++ b/crates/capnp/RUSTSEC-0000-0000.md
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "capnp"
+date = "2022-11-30"
+url = "https://github.com/capnproto/capnproto/tree/master/security-advisories/2022-11-30-0-pointer-list-bounds.md"
+references = ["https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html", "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx"]
+categories = ["memory-exposure"]
+aliases = ["CVE-2022-46149", "GHSA-qqff-4vw4-f6hx"]
+
+[versions]
+patched = [">= 0.15.2", "^0.14.11", "^0.13.7"]
+```
+
+# out-of-bounds read possible when setting list-of-pointers
+
+If a message consumer expects data
+of type "list of pointers",
+and if the consumer performs certain specific actions on such data,
+then a message producer can cause the consumer to read out-of-bounds memory.
+This could trigger a process crash in the consumer,
+or in some cases could allow exfiltration of private in-memory data.
+
+The C++ Cap'n Proto library is also affected by this bug.
+See the [advisory](https://github.com/capnproto/capnproto/tree/master/security-advisories/2022-11-30-0-pointer-list-bounds.md)
+on the main Cap'n Proto repo for a succinct description of
+the exact circumstances in which the problem can arise.