[Bugs] [Bug 13527] New: [CVE 21] grpc 1.30.2 CVEs found

Ср Авг 23 23:19:45 MSK 2023

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13527

          Platform: 2021.1
            Bug ID: 13527
           Summary: [CVE 21] grpc 1.30.2  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2023-32732, CVE-2023-33953,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
                    y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package grpc version 1.30.2

INFO (CVEs are): grpc 1.30.2
 cves found
CVE-2023-32732
Desc: gRPC contains a vulnerability whereby a client can cause a termination of
connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for
`-bin` suffixed headers will result in a disconnection by the gRPC server, but
is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit
in  https://github.com/grpc/grpc/pull/32309 https://www.google.com/url 

Link: https://nvd.nist.gov/vuln/detail/CVE-2023-32732
Severity: MEDIUM
CVE-2023-33953
Desc: gRPC contains a vulnerability that allows hpack table accounting errors
could lead to unwanted disconnects between clients and servers in exceptional
cases/ Three vectors were found that allow the following DOS attacks:

- Unbounded memory buffering in the HPACK parser
- Unbounded CPU consumption in the HPACK parser

The unbounded CPU consumption is down to a copy that occurred per-input-block
in the parser, and because that could be unbounded due to the memory copy bug
we end up with an O(n^2) parsing loop, with n selected by the client.

The unbounded memory buffering bugs:

- The header size limit check was behind the string reading code, so we needed
to first buffer up to a 4 gigabyte string before rejecting it as longer than 8
or 16kb.
- HPACK varints have an encoding quirk whereby an infinite number of 0’s can be
added at the start of an integer. gRPC’s hpack parser needed to read all of
them before concluding a parse.
- gRPC’s metadata overflow check was performed per frame, so that the following
sequence of frames could cause infinite buffering: HEADERS: containing a: 1
CONTINUATION: containing a: 2 CONTINUATION: containing a: 3 etc…
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-33953
Severity: HIGH

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено&hellip;
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/567935d5/attachment.html>