Bug 2150074 (CVE-2022-46149) - CVE-2022-46149 capnproto: out of bounds read when handling a list of lists.
Summary: CVE-2022-46149 capnproto: out of bounds read when handling a list of lists.
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-46149
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2150075 2150076 2150077 2150078
Blocks: 2149764
Reported: 2022-12-01 19:20 UTC by Anten Skrabec
Modified: 2023-06-26 23:41 UTC
CC List: 2 users

Fixed In Version: capnp 0.15.2, capnp 0.14.11, capnp 0.13.7, capnproto 0.7.1, capnproto 0.8.1, capnproto 0.9.2, capnproto 0.10.3
Doc Type: ---
Doc Text:
A flaw was found in capnproto and capnp projects where a specially-crafted pointer could escape bounds checking by exploiting inconsistent handling of pointers when a list-of-structs is downgraded to a list-of-pointers.
Clone Of:
Environment:
Last Closed: 2023-03-27 19:47:29 UTC
Embargoed:

Links:
System: Red Hat Product Errata
ID: RHSA-2023:1408
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2023-03-27 15:12:03 UTC

Description Anten Skrabec 2022-12-01 19:20:11 UTC
Cap'n Proto is a data interchange format and remote procedure call (RPC) system. Cap'n Proto prior to versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3, as well as versions of Cap'n Proto's Rust implementation prior to 0.13.7, 0.14.11, and 0.15.2 are vulnerable to out-of-bounds read due to a logic error handling list-of-list. This issue may lead someone to remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. Exfiltration of memory is possible if the victim performs additional certain actions on a list-of-pointer type. To be vulnerable, an application must perform a specific sequence of actions, described in the GitHub Security Advisory. The bug is present in inlined code, therefore the fix will require rebuilding dependent applications. Cap'n Proto has C++ fixes available in versions 0.7.1, 0.8.1, 0.9.2, and 0.10.3. The `capnp` Rust crate has fixes available in versions 0.13.7, 0.14.11, and 0.15.2.

Comment 2 Anten Skrabec 2022-12-01 19:20:42 UTC
Created capnproto tracking bugs for this issue:

Affects: epel-all [bug 2150075]
Affects: fedora-all [bug 2150076]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2150078]


Created rust-capnp tracking bugs for this issue:

Affects: fedora-all [bug 2150077]

Comment 4 errata-xmlrpc 2023-03-27 15:12:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:1408 https://access.redhat.com/errata/RHSA-2023:1408

Comment 5 Product Security DevOps Team 2023-03-27 19:47:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-46149
