RUSTSEC-2023-0073
- Source
- https://rustsec.org/advisories/RUSTSEC-2023-0073
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0073.json
- JSON Data
- https://api.osv.dev/v1/vulns/RUSTSEC-2023-0073
- Aliases
-
- CVE-2023-6245
- GHSA-7787-p7x6-fq3j
- Published
- 2023-12-08T12:00:00Z
- Modified
- 2023-12-09T10:26:19.388920Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Infinite decoding loop through specially crafted payload
- Details
-
The Candid library causes a Denial of Service while parsing a specially crafted payload with
emptydata type. For example, if the payload isrecord { * ; empty }and the canister interface expectsrecord { * }then the rust candid decoder treatsemptyas an extra field required by the type. The problem with typeemptyis that the candid rust library wrongly categorizesemptyas a recoverable error when skipping the field and thus causing an infinite decoding loop.Canisters using affected versions of candid are exposed to denial of service by causing the decoding to run indefinitely until the canister traps due to reaching maximum instruction limit per execution round. Repeated exposure to the payload will result in degraded performance of the canister.
For asset canister users,
dfxversions>= 0.14.4to<= 0.15.2-beta.0ships asset canister with an affected version of candid.Unaffected
- Rust canisters using candid
< 0.9.0or>= 0.9.10 - Rust canister interfaces of type other than
record { * } - Motoko based canisters
- dfx (for asset canister)
<= 0.14.3or>= 0.15.2
References
- Rust canisters using candid
- Database specific
{ "license": "CC0-1.0" }- References
Affected packages
crates.io / candid
Package
- Name
- candid
- View open source insights on deps.dev
- Purl
- pkg:cargo/candid