Security Advisory - And how to catch integer overflows with template metaprogramming

As the installation page has always stated, I do not yet recommend using Cap'n Proto's C++ library for handling possibly-malicious input, and will not recommend it until it undergoes a formal security review.

That said, security is obviously a high priority for the project. The security of Cap'n Proto is in fact essential to the security of Sandstorm.io, Cap'n Proto's parent project, in which sandboxed apps communicate with each other and the platform via Cap'n Proto RPC.

A few days ago, the first major security bugs were found in Cap'n Proto C++ – two by security guru Ben Laurie and one by myself during subsequent review (see below).

You can read details about each bug in our new security advisories directory:

- Integer overflow in pointer validation.
- Integer underflow in pointer validation.

I have backported the fixes to the last two release branches – 0.5 and 0.4. Note that we added a "nano" component to the version number (rather than use 0.5.2/0.4.2) to indicate that this release is ABI-compatible with the previous release. If you are linking Cap'n Proto as a shared library, you only need to update the library, not re-compile your app.

To be clear, the first two bugs affect only the C++ implementation of Cap'n Proto; implementations in other languages are likely safe. The third bug probably affects all languages, and as of this writing only the C++ implementation (and wrappers around it) is fixed. However, this third bug is not as serious as the other two.

It is our policy that any time a security problem is found, we will not only fix the problem, but also implement new measures to prevent the class of problems from occurring again. To that end, here's what we're doing to avoid problems like these in the future:

- A fuzz test of each pointer type has been added to the standard unit tests.
- We will additionally add fuzz testing with American Fuzzy Lop to our …
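The advisory titles name the bug class, integer overflow and underflow in pointer validation, but the post does not show the arithmetic. The following is an added example written for this page; it is not Cap'n Proto code and does not reproduce its wire format or its fix. The segment-of-words model, the `WirePointer` layout, the `Bounded` type and every function name are hypothetical, chosen only to show (1) how a bounds check whose intermediates wrap in 32 bits accepts a pointer that lands before or past the buffer, (2) how to write the same check so that no intermediate can wrap, and (3) the idea behind the title: a value type that carries its maximum as a template parameter, so the compiler rejects an expression that might overflow before any runtime arithmetic happens.

```cpp
// Added illustration (not Cap'n Proto code). Hypothetical message model: a
// segment of 8-byte words, and a pointer that names a target by a signed word
// offset (relative to the word after the pointer) plus an unsigned size.
#include <cstdint>
#include <cstdio>
#include <limits>

struct WirePointer {
  int32_t offsetWords;   // untrusted, from the message
  uint32_t sizeWords;    // untrusted, from the message
};

// Vulnerable form. Every intermediate is computed in uint32_t, so a negative
// offset wraps below zero and a huge size wraps past 2^32; the final
// comparison then sees a small wrapped value and accepts the pointer even
// though the object it describes lies outside the segment.
bool validateNaive(uint32_t segmentWords, uint32_t ptrPos, WirePointer p) {
  uint32_t target = ptrPos + 1 + static_cast<uint32_t>(p.offsetWords);  // may wrap
  uint32_t end = target + p.sizeWords;                                  // may wrap
  return end <= segmentWords;
}

// Hardened form. Never add two untrusted quantities; compare each one against
// the room that is provably left, using subtractions whose operands have
// already been ordered by an earlier check, so nothing can wrap.
bool validateChecked(uint32_t segmentWords, uint32_t ptrPos, WirePointer p) {
  if (ptrPos >= segmentWords) return false;            // the pointer word itself must be in bounds
  uint64_t base = static_cast<uint64_t>(ptrPos) + 1;   // <= segmentWords; cannot wrap in 64 bits
  uint64_t target;
  if (p.offsetWords < 0) {
    // magnitude of the negative offset, computed in int64 so INT32_MIN is safe
    uint64_t back = static_cast<uint64_t>(-static_cast<int64_t>(p.offsetWords));
    if (back > base) return false;                     // would land before the segment start
    target = base - back;
  } else {
    uint64_t fwd = static_cast<uint64_t>(p.offsetWords);
    if (fwd > segmentWords - base) return false;       // would land past the segment end
    target = base + fwd;
  }
  // target <= segmentWords here, so this subtraction cannot underflow
  return p.sizeWords <= segmentWords - target;
}

// Compile-time sketch (hypothetical, far simpler than any real units library):
// the type records the largest value it may hold; adding two values yields a
// type whose bound is the sum, and the static_assert rejects any expression
// whose bound no longer fits in 32 bits.
template <uint64_t Max>
struct Bounded {
  static_assert(Max <= std::numeric_limits<uint32_t>::max(),
                "bound exceeds uint32_t: this expression could overflow");
  uint32_t value;
  constexpr explicit Bounded(uint32_t v) : value(v) {}
};

template <uint64_t A, uint64_t B>
constexpr Bounded<A + B> operator+(Bounded<A> a, Bounded<B> b) {
  return Bounded<A + B>(a.value + b.value);
}

// Compiles: the bound of the sum is 2^20, which fits.
constexpr uint32_t sumOfBounded() {
  return (Bounded<(1u << 19)>(100) + Bounded<(1u << 19)>(200)).value;  // 300
}
// Does not compile, which is the point (the static_assert fires at the
// instantiation of Bounded<0x100000000>):
//   Bounded<0xFFFFFFFFu>(1) + Bounded<1>(1)

int main() {
  // Constructed inputs: a 100-word segment with the pointer at word 10.
  WirePointer ok{5, 20};                  // in bounds
  WirePointer overflow{0, 0xFFFFFFF5u};   // end wraps to exactly 0 in uint32_t
  WirePointer underflow{-50, 60};         // target wraps below zero, end wraps back to 21
  std::printf("ok:        naive=%d checked=%d\n", validateNaive(100, 10, ok), validateChecked(100, 10, ok));
  std::printf("overflow:  naive=%d checked=%d\n", validateNaive(100, 10, overflow), validateChecked(100, 10, overflow));
  std::printf("underflow: naive=%d checked=%d\n", validateNaive(100, 10, underflow), validateChecked(100, 10, underflow));
  std::printf("sumOfBounded=%u\n", sumOfBounded());
  return 0;
}
```

The two crafted pointers are exactly the shapes the advisory titles describe: `overflow` makes `target + size` wrap to a value below the segment length, and `underflow` makes `ptrPos + 1 + offset` wrap to a huge value that the following addition wraps back into range. The naive check accepts both; the checked form rejects both because each untrusted operand is compared against remaining room before it is ever added. The `Bounded` sketch moves that discipline into the type system, which is what the post's title alludes to; a fuzz test of each pointer type, as the post promises, is the runtime complement.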