annotate src/capnproto-0.6.0/security-advisories/2015-03-05-0-c++-addl-cpu-amplification.md @ 152:ffc6df9c760c

List of exclusions from the appimage repo
author Chris Cannam <cannam@all-day-breakfast.com>
date Thu, 28 Jun 2018 15:29:59 +0100
parents 45360b968bf4
children
Problem
=======

CPU usage amplification attack, similar to previous vulnerability
[2015-03-02-2][1].

Discovered by
=============

David Renshaw <david@sandstorm.io>

Announced
=========

2015-03-05

CVE
===

CVE-2015-2313

Impact
======

- Remotely cause a peer to execute a tight `for` loop counting from 0 to
  2^29, possibly repeatedly, by sending it a small message. This could enable
  a DoS attack by consuming CPU resources.

Fixed in
========

- git commit [80149744bdafa3ad4eedc83f8ab675e27baee868][0]
- release 0.5.1.2:
  - Unix: https://capnproto.org/capnproto-c++-0.5.1.2.tar.gz
  - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.2.zip
- release 0.4.1.1:
  - Unix: https://capnproto.org/capnproto-c++-0.4.1.2.tar.gz
- release 0.6 (future)

[0]: https://github.com/sandstorm-io/capnproto/commit/80149744bdafa3ad4eedc83f8ab675e27baee868

Details
=======

Advisory [2015-03-02-2][1] described a bug allowing a remote attacker to
consume excessive CPU time or other resources using a specially-crafted message.
The present advisory is simply another case of the same bug which was initially
missed.

The new case occurs only if the application invokes the `totalSize()` method
on an object reader.

The new case is somewhat less severe, in that it only spins in a tight `for`
loop that doesn't call any application code. Only CPU time is possibly
consumed, not RAM or other resources. However, it is still possible to create
significant delays for the receiver with a specially-crafted message.

[1]: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-02-2-all-cpu-amplification.md

Preventative measures
=====================

Our fuzz test actually covered this case, but we didn't notice the problem
because the loop completes in less than a second. We've added a new, more
demanding test case, and will make sure that when we do extended testing with
American Fuzzy Lop, we treat unexpectedly long run times as failures.
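The two points above, the amplification itself (work proportional to a count the sender declares rather than to bytes received) and the fuzz-harness policy of treating long run times as failures, as an added C++ illustration that is not code from Cap'n Proto or from the fix commit. The `ListHeader` layout, `kHeaderBytes` and the zero-size-element rule in `walkChecked` are simplified assumptions for the example, not the project's wire format or its actual patch.

```cpp
#include <chrono>
#include <cstddef>
#include <cstdint>
#include <functional>

// Constructed, simplified model of a list header in a received message.
// This is not Cap'n Proto's wire layout; the field names are assumptions.
struct ListHeader {
  uint32_t declaredCount;  // element count claimed by the sender
  size_t elementBytes;     // bytes one element occupies on the wire (may be 0)
  size_t bytesAvailable;   // message bytes actually present after the header
};
constexpr size_t kHeaderBytes = 8;  // assumed size of the header itself

// Vulnerable shape: work scales with the declared count, not with bytes
// received, so a header-sized message can demand 2^29 loop iterations.
uint64_t walkUnchecked(const ListHeader& h) {
  volatile uint64_t visited = 0;
  for (uint32_t i = 0; i < h.declaredCount; ++i) visited = visited + 1;
  return visited;
}

// Hardened shape: the count may not imply more bytes than were received, and
// zero-sized elements carry nothing to visit, so no per-element loop runs.
bool walkChecked(const ListHeader& h, uint64_t* visited) {
  *visited = 0;
  if (h.elementBytes == 0) return true;
  if (h.declaredCount > h.bytesAvailable / h.elementBytes) return false;
  for (uint32_t i = 0; i < h.declaredCount; ++i) ++*visited;
  return true;
}

// Iterations demanded per byte of input: the ratio a fuzzer should watch for.
double amplificationFactor(const ListHeader& h) {
  return static_cast<double>(h.declaredCount) /
         static_cast<double>(kHeaderBytes + h.bytesAvailable);
}

// Harness policy from the advisory: an input whose processing exceeds a
// wall-clock budget is a failure even though it eventually completes.
struct RunResult { bool finished; double elapsedMs; bool withinBudget; };

RunResult runWithBudget(const std::function<void()>& work, double budgetMs) {
  auto start = std::chrono::steady_clock::now();
  RunResult r{false, 0.0, false};
  try { work(); r.finished = true; } catch (...) { r.finished = false; }
  r.elapsedMs = std::chrono::duration<double, std::milli>(
                    std::chrono::steady_clock::now() - start).count();
  r.withinBudget = r.finished && r.elapsedMs <= budgetMs;
  return r;
}
```

A header-only message declaring 2^29 elements yields 2^26 iterations per received byte, which is the kind of disproportion a run-time budget in the fuzz harness catches even when the loop finishes.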