
Update gh-pages
github-actions committed Dec 9, 2023
1 parent ba2d8ee commit 74faaf3
Showing 11 changed files with 959 additions and 191 deletions.
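--- /dev/null
+++ b/advisories/RUSTSEC-2023-0073.html
@@ -0,0 +1,297 @@
+<!DOCTYPE html>
+
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta charset="utf-8">
+
+<meta name="author" content="Rust Project Developers">
+<meta name="description" content="Security advisory database for Rust crates published through https://crates.io">
+<title>RUSTSEC-2023-0073: candid: Infinite decoding loop through specially crafted payload › RustSec Advisory Database</title>
+
+<link href="//fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,300italic,400italic" rel="stylesheet">
+<link href="/css/basic.css" rel="stylesheet">
+<link href="/css/highlight.css" rel="stylesheet">
+<link href="/css/index.css" rel="stylesheet">
+
+<script src="/js/index.js" defer></script>
+<script src="/js/search.js" defer></script>
+
+<header>
+<div class="header-top">
+<h1><a href="/"><img class="logo-image" src="/img/rustsec-logo.svg" /></a></h1>
+
+<div class="search">
+<form onsubmit="return searchform();">
+<input type="search" id="search-term"
+placeholder="Look up package or ID..." required
+size="20">
+</form>
+</div>
+
+</div>
+<nav>
+<div>
+<a href="/">About</a>
+<a href="/advisories/">Advisories</a>
+<a href="/contributing.html">Report Vulnerabilities</a>
+</div>
+<div>
+<a href="https://rust-lang.zulipchat.com/login/#narrow/stream/146229-wg-secure-code/" title="Zulip" aria-label="Zulip"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" style="height:1em;fill:currentColor"><path d="M473.09 122.97c0 22.69-10.19 42.85-25.72 55.08L296.61 312.69c-2.8 2.4-6.44-1.47-4.42-4.7l55.3-110.72c1.55-3.1-.46-6.91-3.64-6.91H129.36c-33.22 0-60.4-30.32-60.4-67.37 0-37.06 27.18-67.37 60.4-67.37h283.33c33.22-.02 60.4 30.3 60.4 67.35zM129.36 506.05h283.33c33.22 0 60.4-30.32 60.4-67.37 0-37.06-27.18-67.37-60.4-67.37H198.2c-3.18 0-5.19-3.81-3.64-6.91l55.3-110.72c2.02-3.23-1.62-7.1-4.42-4.7L94.68 383.6c-15.53 12.22-25.72 32.39-25.72 55.08 0 37.05 27.18 67.37 60.4 67.37zm522.5-124.15l124.78-179.6v-1.56H663.52v-48.98h190.09v34.21L731.55 363.24v1.56h124.01v48.98h-203.7V381.9zm338.98-230.14V302.6c0 45.09 17.1 68.03 47.43 68.03 31.1 0 48.2-21.77 48.2-68.03V151.76h59.09V298.7c0 80.86-40.82 119.34-109.24 119.34-66.09 0-104.96-36.54-104.96-120.12V151.76h59.48zm244.91 0h59.48v212.25h104.18v49.76h-163.66V151.76zm297 0v262.01h-59.48V151.76h59.48zm90.18 3.5c18.27-3.11 43.93-5.44 80.08-5.44 36.54 0 62.59 7 80.08 20.99 16.72 13.22 27.99 34.99 27.99 60.64 0 25.66-8.55 47.43-24.1 62.2-20.21 19.05-50.15 27.6-85.13 27.6-7.77 0-14.77-.39-20.21-1.17v93.69h-58.7V155.26zm58.7 118.96c5.05 1.17 11.27 1.55 19.83 1.55 31.49 0 50.92-15.94 50.92-42.76 0-24.1-16.72-38.49-46.26-38.49-12.05 0-20.21 1.17-24.49 2.33v77.37z"/></svg></a>
+<a href="https://twitter.com/RustSec/" title="Twitter" aria-label="Twitter"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" style="height:1em;fill:currentColor"><path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z"/></svg></a>
+<a href="https://github.com/RustSec/" title="GitHub" aria-label="GitHub"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512" style="height:1em;fill:currentColor"><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg></a>
+<a href="/feed.xml" title="Atom Feed" aria-label="Atom Feed"><svg xmlns="http://www.w3.org/2000/svg" style="height:1em" viewBox="0 0 8 8">
+<style type="text/css">
+.button {stroke: none; fill: currentColor;}
+.symbol {stroke: none; fill-opacity=0;}
+</style>
+<rect class="button" width="8" height="8" rx="1.5" />
+<circle class="symbol" cx="2" cy="6" r="1" />
+<path class="symbol" d="m 1,4 a 3,3 0 0 1 3,3 h 1 a 4,4 0 0 0 -4,-4 z" />
+<path class="symbol" d="m 1,2 a 5,5 0 0 1 5,5 h 1 a 6,6 0 0 0 -6,-6 z" />
+</svg></a>
+</div>
+</nav>
+</header>
+
+<main class="advisory">
+<article>
+
+<span class="floating-menu">
+<a href="https://github.com/RustSec/advisory-db/commits/main/crates/candid/RUSTSEC-2023-0073.md">History</a>
+<a href="https://github.com/RustSec/advisory-db/edit/main/crates/candid/RUSTSEC-2023-0073.md">Edit</a>
+<a href="https://api.osv.dev/v1/vulns/RUSTSEC-2023-0073">JSON (OSV)</a>
+</span>
+
+
+<header>
+<h1>
+
+RUSTSEC-2023-0073
+
+</h1>
+<span class="subtitle"><p>Infinite decoding loop through specially crafted payload</p>
+</span>
+</header>
+
+
+
+<dl>
+<dt id="reported">Reported</dt>
+<dd>
+<time datetime="2023-12-08">
+December 8, 2023
+</time>
+</dd>
+
+<dt id="issued">Issued</dt>
+<dd>
+<time datetime="2023-12-09">
+December 9, 2023
+</time>
+
+</dd>
+
+<dt id="package">Package</dt>
+<dd>
+
+
+<a href="/packages/candid.html">candid</a>
+(<a href="https://crates.io/crates/candid">crates.io</a>)
+
+
+</dd>
+
+<dt id="type">Type</dt>
+<dd>
+
+Vulnerability
+
+</dd>
+
+
+<dt id="categories">Categories</dt>
+<dd>
+<ul>
+
+<li><a href="/categories/denial-of-service.html">denial-of-service</a></li>
+
+</ul>
+</dd>
+
+
+
+<dt id="keywords">Keywords</dt>
+<dd>
+
+<a href="/keywords/candid.html">#candid</a>
+
+<a href="/keywords/canister.html">#canister</a>
+
+<a href="/keywords/icp.html">#icp</a>
+
+</dd>
+
+
+
+<dt id="aliases">Aliases</dt>
+<dd>
+<ul>
+
+<li>
+
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6245">CVE-2023-6245</a>
+
+</li>
+
+<li>
+
+<a href="https://github.com/advisories/GHSA-7787-p7x6-fq3j">GHSA-7787-p7x6-fq3j</a>
+
+</li>
+
+</ul>
+</dd>
+
+
+
+<dt id="details">References</dt>
+<dd>
+<ul>
+
+<li>
+<a href="https://github.com/dfinity/candid/pull/478">
+https://github.com/dfinity/candid/pull/478
+</a>
+</li>
+
+
+</ul>
+</dd>
+
+
+
+
+
+<dt id="cvss_score">CVSS Score</dt>
+<dd>7.5 <span class="tag high">
+HIGH
+</span></dd>
+
+<dt id="cvss_details">CVSS Details</dt>
+<dd>
+<dl>
+
+<dt>Attack vector</dt><dd>Network</dd>
+
+
+
+<dt>Attack complexity</dt><dd>Low</d>
+
+
+
+<dt>Privileges required</dt><dd>None</dd>
+
+
+
+<dt>User interaction</dt><dd>None</dd>
+
+
+
+<dt>Scope</dt><dd>Unchanged</dd>
+
+
+
+<dt>Confidentiality</dt><dd>None</dd>
+
+
+
+<dt>Integrity</dt><dd>None</dd>
+
+
+
+<dt>Availability</dt><dd>High</dd>
+
+</dl>
+</dd>
+
+<dt id="cvss">CVSS Vector</dt>
+<dd><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</a></dd>
+
+
+
+<dt id="patched">Patched</dt>
+<dd>
+
+<ul>
+
+<li><code>&gt;=0.9.10</code></li>
+
+</ul>
+
+</dd>
+
+
+<dt id="unaffected">Unaffected</dt>
+<dd>
+<ul>
+
+<li><code>&lt;0.9.0</code></li>
+
+</ul>
+</dd>
+
+
+
+
+
+
+
+</dl>
+
+
+
+<dl>
+<dt>Affected Functions</dt>
+<dd>Version</dd>
+
+<dt><code>candid::Decode</code></dt>
+<dd>
+<ul>
+
+<li><code>&gt;=0.9.0, &lt;0.9.10</code></li>
+
+</ul>
+</dd>
+
+</dl>
+
+
+
+
+<h3 id="description">Description</h3>
+<p>The Candid library causes a Denial of Service while parsing a specially crafted payload with <code>empty</code> data type. For example, if the payload is <code>record { * ; empty }</code> and the canister interface expects <code>record { * }</code> then the rust candid decoder treats <code>empty</code> as an extra field required by the type. The problem with type <code>empty</code> is that the candid rust library wrongly categorizes <code>empty</code> as a recoverable error when skipping the field and thus causing an infinite decoding loop.</p>
+<p>Canisters using affected versions of candid are exposed to denial of service by causing the decoding to run indefinitely until the canister traps due to reaching maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister.</p>
+<p>For asset canister users, <code>dfx</code> versions <code>&gt;= 0.14.4</code> to <code>&lt;= 0.15.2-beta.0</code> ships asset canister with an affected version of candid.</p>
+<h3>Unaffected</h3>
+<ul>
+<li>Rust canisters using candid <code>&lt; 0.9.0</code> or <code>&gt;= 0.9.10</code></li>
+<li>Rust canister interfaces of type other than <code>record { * }</code></li>
+<li>Motoko based canisters</li>
+<li>dfx (for asset canister) <code>&lt;= 0.14.3</code> or <code>&gt;= 0.15.2</code></li>
+</ul>
+<h3>References</h3>
+<ul>
+<li><a href="https://github.com/dfinity/candid/security/advisories/GHSA-7787-p7x6-fq3j">GitHub Security Advisory (GHSA-7787-p7x6-fq3j)</a></li>
+<li><a href="https://github.com/dfinity/candid/pull/478">dfinity/candid/pull/478</a></li>
+<li><a href="https://internetcomputer.org/docs/current/references/candid-ref">Candid Library Reference</a></li>
+<li><a href="https://github.com/dfinity/candid/blob/master/spec/Candid.md">Candid Specification</a></li>
+<li><a href="https://internetcomputer.org/docs/current/references/ic-interface-spec">Internet Computer Specification</a></li>
+</ul>
+
+
+<p id="license" class="license">Advisory available under <a href="https://spdx.org/licenses/CC0-1.0.html">CC0-1.0</a>
+license.
+
+
+</p>
+</article>
+</main>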
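Review bot: The CVSS details list closes the Attack complexity value with `</d>` instead of `</dd>` (`<dt>Attack complexity</dt><dd>Low</d>`), a malformed end tag that browsers silently discard and validators reject; since this page is build output, the fix belongs in the advisory template that emits the CVSS rows, changing the line to `<dt>Attack complexity</dt><dd>Low</dd>`. The same template writes `fill-opacity=0` inside the feed-icon `<style>`, an invalid CSS declaration that is dropped — if a transparent symbol was intended it should read `fill-opacity: 0;`, otherwise the intended colouring should be confirmed. For a site that publishes security advisories, the search form's inline `onsubmit="return searchform();"` handler and the protocol-relative `//fonts.googleapis.com` stylesheet are worth replacing with an `addEventListener` binding in `/js/search.js` and an explicit `https:` URL, so the pages can be served under a CSP without `'unsafe-inline'`. The advisory data itself is internally consistent: the affected range `>=0.9.0, <0.9.10` agrees with the patched `>=0.9.10` and unaffected `<0.9.0` lists, and the dfx ranges in the description match the Unaffected section.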
19 changes: 19 additions & 0 deletions advisories/index.html
Expand Up @@ -64,6 +64,25 @@ <h1><a href="/"><img class="logo-image" src="/img/rustsec-logo.svg" /></a></h1>

<ul>

<li>
<time datetime="2023-12-09">
December 9, 2023
</time>


<h3>

<span class="tag high">HIGH</span>

<a href="/advisories/RUSTSEC-2023-0073.html">
RUSTSEC-2023-0073: Vulnerability in candid
</a>
</h3>
<span><p>Infinite decoding loop through specially crafted payload</p>
</span>

</li>

<li>
<time datetime="2023-11-28">
November 28, 2023
19 changes: 19 additions & 0 deletions categories/denial-of-service.html
Expand Up @@ -66,6 +66,25 @@ <h1>Advisories in category &#x27;denial-of-service&#x27;</h1>

<ul>

<li>
<time datetime="2023-12-09">
December 9, 2023
</time>


<h3>

<span class="tag high">HIGH</span>

<a href="/advisories/RUSTSEC-2023-0073.html">
RUSTSEC-2023-0073: Vulnerability in candid
</a>
</h3>
<span><p>Infinite decoding loop through specially crafted payload</p>
</span>

</li>

<li>
<time datetime="2023-09-29">
September 29, 2023
