Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xcWZmLTR2dzQtZjZoeM4AAwJU

Cap'n Proto and its Rust implementation vulnerable to out-of-bounds read due to logic error handling list-of-list

The Cap'n Proto library and capnp Rust package are vulnerable to an out-of-bounds read due to a logic error in handling list-of-list. If a message consumer expects data of type "list of pointers", and if the consumer performs certain specific actions on such data, then a message producer can cause the consumer to read out-of-bounds memory. This could trigger a process crash in the consumer, or in some cases could allow exfiltration of private in-memory data.

Impact

Fixed in

Unfortunately, the bug is present in inlined code; therefore, the fix requires rebuilding dependent applications.

C++ fix:

Rust fix:

Details

A specially-crafted pointer could escape bounds checking by exploiting inconsistent handling of pointers when a list-of-structs is downgraded to a list-of-pointers.

For an in-depth explanation of how this bug works, see David Renshaw's blog post. The details below focus only on determining whether an application is vulnerable.

In order to be vulnerable, an application must have certain properties.

First, the application must accept messages with a schema in which a field has list-of-pointer type. This includes List(Text), List(Data), List(List(T)), or List(C) where C is an interface type. In the following discussion, we will assume this field is named foo.

Second, the application must accept a message of this schema from a malicious source, where the attacker can maliciously encode the pointer representing the field foo.

Third, the application must call getFoo() to obtain a List<T>::Reader for the field, and then use it in one of the following two ways:

  1. Pass it as the parameter to another message's setFoo(), thus copying the field into a new message. Note that copying the parent struct as a whole will not trigger the bug; the bug only occurs if the specific field foo is get/set on its own.

  2. Convert it into AnyList::Reader, and then attempt to access it through that. This is much less likely; very few apps use the AnyList API.

The dynamic API equivalents of these actions (capnp/dynamic.h) are also affected.

If the application does these steps, the attacker may be able to cause the Cap'n Proto implementation to read beyond the end of the message. This could induce a segmentation fault. Or, worse, data that happened to be in memory immediately after the message might be returned as if it were part of the message. In the latter case, if the application then forwards that data back to the attacker or sends it to another third party, this could result in exfiltration of secrets.
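One way to screen an application against these preconditions, as an added example that is not part of the advisory or of the Cap'n Proto project: a Python helper that checks whether the capnp crate pinned in Cargo.lock falls inside the affected ranges listed below and flags schema fields of list-of-pointer type (the first condition), leaving the get/set or AnyList usage (the third condition) to code review. The schema scan is a regex approximation that assumes interface declarations appear in the same file; the Cargo.lock and schema contents are constructed samples.

```python
"""Triage helper for the preconditions above (added example, not advisory or project
code): (1) is the capnp crate in Cargo.lock within an affected range, and (2) does a
.capnp schema declare list-of-pointer fields (List(Text), List(Data), List(List(T)),
List(C) with C an interface)? The third precondition (get/set copy, AnyList) needs review."""
import re

# Affected ranges from the advisory: < 0.13.7, >= 0.14.0 < 0.14.11, >= 0.15.0 < 0.15.2
AFFECTED = [((0, 0, 0), (0, 13, 7)), ((0, 14, 0), (0, 14, 11)), ((0, 15, 0), (0, 15, 2))]

def capnp_affected(version):
    """True if a capnp crate version such as '0.14.5' falls inside an affected range."""
    v = tuple(int(x) for x in version.split("."))
    return any(lo <= v < hi for lo, hi in AFFECTED)

def capnp_versions_in_lock(cargo_lock_text):
    """Every pinned version of the crate named exactly 'capnp' (a lockfile may carry several)."""
    return re.findall(r'\[\[package\]\]\s*name = "capnp"\s*version = "([^"]+)"', cargo_lock_text)

def list_of_pointer_fields(schema_text):
    """(field, type) pairs whose declared type is a list of pointers. Interface names are
    taken from `interface X` declarations in the same text; imported ones would be missed."""
    interfaces = set(re.findall(r"\binterface\s+(\w+)", schema_text))
    hits = []
    for name, inner in re.findall(r"(\w+)\s*@\d+\s*:\s*List\(([^;=]*)\)", schema_text):
        element = inner.split("(")[0].strip()  # outermost element type name
        if element in ("Text", "Data", "List") or element in interfaces:
            hits.append((name, f"List({inner})"))
    return hits

def triage(cargo_lock_text, schema_text):
    """Affected capnp versions plus the schema fields that satisfy the first precondition."""
    bad = [v for v in capnp_versions_in_lock(cargo_lock_text) if capnp_affected(v)]
    return {"affected_capnp_versions": bad, "list_of_pointer_fields": list_of_pointer_fields(schema_text)}

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = '''[[package]]
name = "capnp"
version = "0.14.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''
SAMPLE_SCHEMA = '''interface Callback { notify @0 () -> (); }
struct Envelope {
  tags @0 :List(Text);         # list of pointers (Text)
  blobs @1 :List(List(Data));  # list of pointers (nested lists)
  sinks @2 :List(Callback);    # list of pointers (interface capabilities)
  counts @3 :List(UInt32);     # primitive list, not affected
  items @4 :List(Envelope);    # list of structs, not affected on its own
}
'''

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, SAMPLE_SCHEMA))
```

A field reported here is only a candidate: the application is exposed if that field is also filled from an untrusted source and then copied with getFoo()/setFoo() or read through AnyList.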

Any exfiltration of data would have the following limitations:

Permalink: https://github.com/advisories/GHSA-qqff-4vw4-f6hx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xcWZmLTR2dzQtZjZoeM4AAwJU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: almost 2 years ago


CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

Identifiers: GHSA-qqff-4vw4-f6hx, CVE-2022-46149
References:
Repository: https://github.com/capnproto/capnproto
Blast Radius: 13.3

Affected Packages

cargo:capnp
Dependent packages: 74
Dependent repositories: 294
Downloads: 4,470,577 total
Affected Version Ranges: < 0.13.7, >= 0.14.0, < 0.14.11, >= 0.15.0, < 0.15.2
Fixed in: 0.13.7, 0.14.11, 0.15.2
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.20, 0.0.21, 0.0.22, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.23, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.28, 0.1.29, 0.1.30, 0.1.31, 0.1.32, 0.1.33, 0.1.34, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.8.14, 0.8.15, 0.8.16, 0.8.17, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.14.6, 0.14.7, 0.14.8, 0.14.9, 0.14.10, 0.15.0, 0.15.1
All unaffected versions: 0.13.7, 0.14.11, 0.15.2, 0.15.3, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.17.2, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.18.6, 0.18.7, 0.18.8, 0.18.9, 0.18.10, 0.18.11, 0.18.12, 0.18.13, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.19.5, 0.19.6, 0.19.7, 0.19.8, 0.20.0, 0.20.1, 0.20.2, 0.20.3