Source: capnproto
Version: 1.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for capnproto.

CVE-2023-48230[0]:
| Cap'n Proto is a data interchange format and capability-based RPC
| system. In versions 1.0 and 1.0.1, when using the KJ HTTP library
| with WebSocket compression enabled, a buffer underrun can be caused
| by a remote peer. The underrun always writes a constant value that
| is not attacker-controlled, likely resulting in a crash, enabling a
| remote denial-of-service attack. Most Cap'n Proto and KJ users are
| unlikely to have this functionality enabled and so unlikely to be
| affected. Maintainers suspect only the Cloudflare Workers Runtime is
| affected.  If KJ HTTP is used with WebSocket compression enabled, a
| malicious peer may be able to cause a buffer underrun on a heap-
| allocated buffer. KJ HTTP is an optional library bundled with Cap'n
| Proto, but is not directly used by Cap'n Proto. WebSocket
| compression is disabled by default. It must be enabled via a setting
| passed to the KJ HTTP library via `HttpClientSettings` or
| `HttpServerSettings`. The bytes written out-of-bounds are always a
| specific constant 4-byte string `{ 0x00, 0x00, 0xFF, 0xFF }`.
| Because this string is not controlled by the attacker, maintainers
| believe it is unlikely that remote code execution is possible.
| However, it cannot be ruled out. This functionality first appeared
| in Cap'n Proto 1.0. Previous versions are not affected.  This issue
| is fixed in Cap'n Proto 1.0.1.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48230
    https://www.cve.org/CVERecord?id=CVE-2023-48230
[1] https://github.com/capnproto/capnproto/security/advisories/GHSA-r89h-f468-62w3
[2] https://github.com/capnproto/capnproto/commit/5d5d734b0350c6f2e36c3155753e6a19fbfeda9a

Regards,
Salvatore