Mercurial > hg > sv-dependency-builds

annotate src/capnproto-git-20161025/security-advisories/2015-03-05-0-c++-addl-cpu-amplification.md @ 169:223a55898ab9 tip default

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add null config files
author Chris Cannam <cannam@all-day-breakfast.com>
date Mon, 02 Mar 2020 14:03:47 +0000
parents 1ac99bfc383d
children
rev   line source
cannam@133 1 Problem
cannam@133 2 =======
cannam@133 3
cannam@133 4 CPU usage amplification attack, similar to previous vulnerability
cannam@133 5 [2015-03-02-2][1].
cannam@133 6
cannam@133 7 Discovered by
cannam@133 8 =============
cannam@133 9
cannam@133 10 David Renshaw &lt;david@sandstorm.io>
cannam@133 11
cannam@133 12 Announced
cannam@133 13 =========
cannam@133 14
cannam@133 15 2015-03-05
cannam@133 16
cannam@133 17 CVE
cannam@133 18 ===
cannam@133 19
cannam@133 20 CVE-2015-2313
cannam@133 21
cannam@133 22 Impact
cannam@133 23 ======
cannam@133 24
cannam@133 25 - Remotely cause a peer to execute a tight `for` loop counting from 0 to
cannam@133 26 2^29, possibly repeatedly, by sending it a small message. This could enable
cannam@133 27 a DoS attack by consuming CPU resources.
cannam@133 28
cannam@133 29 Fixed in
cannam@133 30 ========
cannam@133 31
cannam@133 32 - git commit [80149744bdafa3ad4eedc83f8ab675e27baee868][0]
cannam@133 33 - release 0.5.1.2:
cannam@133 34 - Unix: https://capnproto.org/capnproto-c++-0.5.1.2.tar.gz
cannam@133 35 - Windows: https://capnproto.org/capnproto-c++-win32-0.5.1.2.zip
cannam@133 36 - release 0.4.1.1:
cannam@133 37 - Unix: https://capnproto.org/capnproto-c++-0.4.1.2.tar.gz
cannam@133 38 - release 0.6 (future)
cannam@133 39
cannam@133 40 [0]: https://github.com/sandstorm-io/capnproto/commit/80149744bdafa3ad4eedc83f8ab675e27baee868
cannam@133 41
cannam@133 42 Details
cannam@133 43 =======
cannam@133 44
cannam@133 45 Advisory [2015-03-02-2][1] described a bug allowing a remote attacker to
cannam@133 46 consume excessive CPU time or other resources using a specially-crafted message.
cannam@133 47 The present advisory is simply another case of the same bug which was initially
cannam@133 48 missed.
cannam@133 49
cannam@133 50 The new case occurs only if the application invokes the `totalSize()` method
cannam@133 51 on an object reader.
cannam@133 52
cannam@133 53 The new case is somewhat less severe, in that it only spins in a tight `for`
cannam@133 54 loop that doesn't call any application code. Only CPU time is possibly
cannam@133 55 consumed, not RAM or other resources. However, it is still possible to create
cannam@133 56 significant delays for the receiver with a specially-crafted message.
cannam@133 57
cannam@133 58 [1]: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-02-2-all-cpu-amplification.md
cannam@133 59
cannam@133 60 Preventative measures
cannam@133 61 =====================
cannam@133 62
cannam@133 63 Our fuzz test actually covered this case, but we didn't notice the problem
cannam@133 64 because the loop actually completes in less than a second. We've added a new
cannam@133 65 test case which is more demanding, and will make sure that when we do extended
cannam@133 66 testing with American Fuzzy Lop, we treat unexpectedly long run times as
cannam@133 67 failures.