Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory
#394
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gnunicorn
commented
Sep 25, 2020
| """ | ||
|
|
||
| [versions] | ||
| patched = [] |
There was a problem hiding this comment.
As said in the description, we tried to contact the maintainers, but it seems the crate isn't actively maintained, so no fixed version has been published yet. I know this is a mandatory field, so I'd like to know how we want to deal with this.
There was a problem hiding this comment.
We could file another advisory marking ws-rs unmaintained and suggesting your fork instead; see e.g. https://rustsec.org/advisories/RUSTSEC-2016-0005.html
gnunicorn
changed the title
ws allows remote attacker to run the process out of memory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We've recently been made aware that the memory leak we were seeing in the rpc components in one of our software comes from the
ws-crate and can even be exploited to kill the process by forcing it to allocate too much memory.Unfortunately, despite us attempting to contact the original authors of the crate, and the providing a patch, a fixed version has not been published yet. We have a published a fork with the patch applied however, but the advisory format doesn't quite allow us to specify that. The problem itself has been reported over a year ago on the repository and is included in the latest published version. An attempt to hand over maintainership has not been successful so far and it is unclear when a fix to the original crate will be provided, so we took the hard decision to go public with this vulnerability to not put the community and others building upon it to risk.