Security Advisory for capnproto-c++ and preventative measures going forward


Kenton Varda

Mar 2, 2015, 4:42:55 PM
to capnproto...@googlegroups.com
Hello capnproto-announce,

Three security flaws have been found in Cap'n Proto that could allow denial of service and possibly exfiltration of memory. If you use the Cap'n Proto C++ implementation to process messages from possibly-malicious sources, you should update immediately to one of the following releases:

Release 0.5.1.1:

Release 0.4.1.1:

We have implemented a number of preventative measures that should catch these kinds of bugs in the future, including multiple kinds of fuzz testing as well as template-metaprogramming-based static analysis. Please read the blog post for details:

https://capnproto.org/news/2015-03-02-security-advisory-and-integer-overflow-protection.html

Thanks to Ben Laurie for reporting two of the problems and American Fuzzy Lop for finding them. (The third problem was found through our new static analysis.)

-Kenton