mirror
/
capnproto
mirror of https://github.com/capnproto/capnproto.git
Code Releases Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
v2
dlapid/fix_windows_useSystemTrustStore
felix/120424-warning-fixes
felix/110324-include-move
master
kenton/3ph
kenton/3ph-part4-cap-embargoes
kenton/3ph-part3-basic-3ph
harris/try-to-fix-obscure-trace-promise-uaf
maizatskyi/2024-06-07-async-read-api
maizatskyi/2024-05-16-async-write
kenton/fix-isolated-websocket-disconnect
kenton/refactor-rpc
release-1.0.2
maizatskyi/2024-05-24-ubsan
maizatskyi/2024-05-17-constexpr-kjb
maizatskyi/2024-05-20-split
maizatskyi/2024-05-14-tidy
maizatskyi/2024-05-13-single
jsnell/compression-stream-flush-option
maizatskyi/2024-04-23-kj-api
maizatskyi/2024-04-16-membrane-rc
jsnell/kjexception-detail
maizatskyi/2024-03-15-pin-ptr
maizatskyi/2024-03-19-disable-old-refcount
maizatskyi/2024-03-18-regenerate
maizatskyi/2024-01-30-pin
kenton/concurrency-limit-uaf
kenton/concurrency-limiter-add-debug
felix/bazel-capability-cleanup
revert-1885-milan/ws-compress-pref
jsnell/copy-on-write-rc
is-anyone-listening
kenton/debug-message-reader
release-1.0.1.1
fix-48230
revert/ae82277
harris/coroutine-conversion-web-socket
felix/bzl-lib-headers
maizatskyi/2023-09-08-fix-lazy-output-stream
harris/revert-small-array
maizatskyi/2023-09-06-coro-tls
maizatskyi/2023-09-07-coroutine-promise-node
harris/coroutine-conversion-http-entity-body-writer
release-1.0.1
maizatskyi/2023-08-31-exclusive-join
maizatskyi/2023-09-06-coreturn-coawait
maizatskyi/2023-07-31-kj-shared2
maizatskyi/2023-09-05-vector-insert
harris/coroutinify-http
harris/co-exclusive-join
maizatskyi/2023-06-27-kj-shared
release-1.0.0
harris/maybe-coroutine
harris/fix-web-socket-application-error-handling
harris/kj-if-maybe-no-raw-pointer
release-0.10.4
kenton/optimize-gettype
harris/readiness-tracking
maizatskyi/2023-05-02-clang-16-fixes
harris/implement-async-environments-with-arenas-fixes
felix/brotlify-exp
harris/implement-async-environments-with-arenas
harris/http-over-capnp-starttls
harris/implement-async-environments-3
harris/implement-async-environments-2
srs
byte-stream-explicit-end
guard-canceled-http-read
fix-sendForPipeline-UAF
harris/temporary-for-release
maizatskyi/2023-01-13-generated_capnp_fix
release-0.10.3
release-0.5.4
release-0.9.2
release-0.8.1
release-0.7.1
buffered-rpc
harris/maybe-maybe-map-reduce
harris/implement-async-environments
no-file-ids
fix-release-mingw
release-0.10.2
release-0.10.1
release-0.10.0
disallow-io-destructors
fix-musl
release-0.9.1
revert-1318-doc-improvements
fix-uninitialized-kind
release-0.9.0
blog-0.9
defer-soon
fix-release-build
harris/tmp
maybe-ref-null-on-move
release-0.8.0
read-cancelation
environment
optimize-websocket-pump
gateway-tag
debug-stuff
debug-corrupt-taskset
retain-stack-trace-in-disconnect-exception
bhoerner/blockedpumpto-cancel
fix-tail-call-cancel-race
fix-dpi-bugs
kenton/fix-websocket-rpc-cancellation
jlee/encoding-doc-clarification
harris/add-vagrant-win10
no-ninja
peer-identity
complete-cmake
release-tests2
release-tests
debug-canceler
fix-byte-stream-path-shortening-WIP
jlee/two-party-test-fix
harris/try-get-uncaught-exception
http-over-capnp-premature-websocket-termination
harris/expose-atomic-refcount
kenton/fix-889
some-wip-hacks
http-over-capnp
url-encode-dotdot
async-io-refactor
harris/http-error-hook
async-io-refactor-old3
release-0.7.0
fix-sendStream
streaming
bsd-make-compat
fix-http-body-delimiting
skip-qemu-failure
fix-const-array-disposer
fix-http-client-adapter
fix-http-client-adapter-cancelation
harris/replace-tee-try-catches
debug-event-use-after-free
rpc-scratch-space
harris/disallow-refcounted-copy
harris/expose-http-connection-headers-count
promise-tuple
harris/read-all-bytes-safely
synchronous-gzip
harris/add-percent-decode-url-flag
release-0.6.1
http-body-cancellation
harris/fix-percent-encoding-restringification-regression
harris/round-trip-eq-sign-in-url-query
full-bodied-gets
harris/fix-relative-url-parse-bug
permissive-http-headers
release-0.6.0
tweaks
release-0.5.3
tls
detect-amplification-better
afl
source-info
release-0.5.2
release-0.5.1
release-0.4.1
overflow-safe
release-0.5.0
gh-pages
release-0.4.0
release-0.3.0
release-0.2.1
v0.1.0
v0.10.0
v0.10.1
v0.10.2
v0.10.3
v0.10.4
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.1.1
v0.4.1.2
v0.5.0
v0.5.1
v0.5.1.1
v0.5.1.2
v0.5.2
v0.5.3
v0.5.3.1
v0.5.4
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.9.0
v0.9.1
v0.9.2
v1.0.0
v1.0.1
v1.0.1.1
v1.0.2
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
capnproto/doc/_posts/2022-11-30-CVE-2022-46149-s...

14 lines
1.2 KiB
Markdown
Raw Permalink Blame History

---
layout: post
title: "CVE-2022-46149: Possible out-of-bounds read related to list-of-pointers"
author: kentonv
---
David Renshaw, the author of the Rust implementation of Cap'n Proto, discovered a security vulnerability affecting both the C++ and Rust implementations of Cap'n Proto. The vulnerability was discovered using fuzzing. In theory, the vulnerability could lead to out-of-bounds reads which could cause crashes or perhaps exfiltration of memory.
The vulnerability is exploitable only if an application performs a certain unusual set of actions. As of this writing, we are not aware of any applications that are actually affected. However, out of an abundance of caution, we are issuing a security advisory and advising everyone to patch.
[Our security advisory](https://github.com/capnproto/capnproto/blob/master/security-advisories/2022-11-30-0-pointer-list-bounds.md) explains the impact of the bug, what an app must do to be affected, and where to find the fix.
Check out [David's blog post](https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html) for an in-depth explanation of the bug itself, including some of the inner workings of Cap'n Proto.
View Git Blame Copy Permalink