From 335bb872bcf9c86e0b806cc042af36b36018be6a Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Mon, 23 Sep 2024 12:01:22 +0200 Subject: [PATCH 1/3] Add 007/008 to index --- CWAs/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CWAs/README.md b/CWAs/README.md index 9b8d0cc..d98c425 100644 --- a/CWAs/README.md +++ b/CWAs/README.md @@ -4,6 +4,8 @@ | Severity[^1] | Scope[^2] | ID | Aliases | | ------------ | --------- | ----------------------------------------------------------------------- | ------------------------------------------ | +| Medium | VM | [CWA-2024-008][CWA-2024-008] | | +| Medium | VM | [CWA-2024-007][CWA-2024-007] | | | Medium | x/wasm | [CWA-2024-006: Non-deterministic module_query_safe query][CWA-2024-006] | [GHSA-fpgj-cr28-fvpx] | | High | x/wasm | [CWA-2024-005: Stackoverflow in wasmd][CWA-2024-005] | [GHSA-g8w7-7vgg-x7xg] | | Medium | VM | [CWA-2024-004: Gas mispricing in cosmwasm-vm][CWA-2024-004] | [RUSTSEC-2024-0361], [GHSA-rg2q-2jh9-447q] | @@ -11,6 +13,8 @@ | Medium | Contracts | [CWA-2024-002: Arithmetic overflows in cosmwasm-std][CWA-2024-002] | [RUSTSEC-2024-0338], [GHSA-8724-5xmm-w5xq] | | Low | Contracts | [CWA-2024-001: Stack overflow in serde-json-wasm][CWA-2024-001] | [RUSTSEC-2024-0012], [GHSA-rr69-rxr6-8qwf] | +[CWA-2024-008]: ./CWA-2024-008.md +[CWA-2024-007]: ./CWA-2024-007.md [CWA-2024-006]: ./CWA-2024-006.md [CWA-2024-005]: ./CWA-2024-005.md [CWA-2024-004]: ./CWA-2024-004.md From 4ec78d3e9d9eaad84c5ac42b2c47443e9216115e Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Mon, 23 Sep 2024 12:10:39 +0200 Subject: [PATCH 2/3] Fill CWA-2024-007 and CWA-2024-008 --- CWAs/CWA-2024-007.md | 53 ++++++++++++++++++++++++++++++++++++++++++++ CWAs/CWA-2024-008.md | 53 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+) diff --git a/CWAs/CWA-2024-007.md b/CWAs/CWA-2024-007.md index b127bba..fd23b31 100644 --- a/CWAs/CWA-2024-007.md +++ b/CWAs/CWA-2024-007.md 
@@ -1 +1,54 @@ # CWA-2024-007 + +**Severity** + +Medium (Moderate + Likely)[^1] + +**Affected versions:** + +- wasmvm >= 2.1.0, < 2.1.3 +- wasmvm >= 2.0.0, < 2.0.4 +- wasmvm < 1.5.5 +- cosmwasm-vm >= 2.1.0, < 2.1.4 +- cosmwasm-vm >= 2.0.0, < 2.0.7 +- cosmwasm-vm < 1.5.8 + +**Patched versions:** + +- wasmvm 1.5.5, 2.0.4, 2.1.3 +- cosmwasm-vm 1.5.8, 2.0.7, 2.1.4 + +## Description of the bug + +(Blank for now. We'll add more detail once chains had a chance to upgrade.) + +## Applying the patch + +The patch will be shipped in releases of wasmvm. You can update more or less as follows: + +1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` +2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1.3 depending on which minor version you are; `go mod tidy`; commit. +3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. +4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.5, 2.0.4, 2.1.3. +5. Follow your regular practices to deploy chain upgrades. + +To double check if the correct library version is loaded at runtime, use this query: +` query wasm libwasmvm-version`. It must show 1.5.5, 2.0.4 or 2.1.3. + +The patch is consensus breaking and requires a coordinated upgrade. + +## Acknowledgement + +This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne. + +If you believe you have found a bug in the Interchain Stack or would like to contribute to the +program by reporting a bug, please see . + +## Timeline + +- 2024-08-28: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. +- 2024-08-30: Confio security contributors confirm the report. +- 2024-09-02: Confio developed the patch internally. +- 2024-09-23: Patch is released. 
+ +[^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md diff --git a/CWAs/CWA-2024-008.md b/CWAs/CWA-2024-008.md index d9a2911..8b459ac 100644 --- a/CWAs/CWA-2024-008.md +++ b/CWAs/CWA-2024-008.md 
@@ -1 +1,54 @@ # CWA-2024-008 + +**Severity** + +Medium (Moderate + Likely)[^1] + +**Affected versions:** + +- wasmvm >= 2.1.0, < 2.1.3 +- wasmvm >= 2.0.0, < 2.0.4 +- wasmvm < 1.5.5 +- cosmwasm-vm >= 2.1.0, < 2.1.4 +- cosmwasm-vm >= 2.0.0, < 2.0.7 +- cosmwasm-vm < 1.5.8 + +**Patched versions:** + +- wasmvm 1.5.5, 2.0.4, 2.1.3 +- cosmwasm-vm 1.5.8, 2.0.7, 2.1.4 + +## Description of the bug + +(Blank for now. We'll add more detail once chains had a chance to upgrade.) + +## Applying the patch + +The patch will be shipped in releases of wasmvm. You can update more or less as follows: + +1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` +2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1.3 depending on which minor version you are; `go mod tidy`; commit. +3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly. +4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.5, 2.0.4, 2.1.3. +5. Follow your regular practices to deploy chain upgrades. + +To double check if the correct library version is loaded at runtime, use this query: +` query wasm libwasmvm-version`. It must show 1.5.5, 2.0.4 or 2.1.3. + +The patch is consensus breaking and requires a coordinated upgrade. + +## Acknowledgement + +This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne. + +If you believe you have found a bug in the Interchain Stack or would like to contribute to the +program by reporting a bug, please see . + +## Timeline + +- 2024-08-22: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. +- 2024-08-23: Confio security contributors confirm the report. +- 2024-09-09: Confio developed the patch internally. +- 2024-09-23: Patch is released. 
+ +[^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md From 42e0d1277221ad77afc7c9ea637febb010408104 Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Mon, 23 Sep 2024 12:23:40 +0200 Subject: [PATCH 3/3] Add links to patch --- CWAs/CWA-2024-007.md | 6 ++++++ CWAs/CWA-2024-008.md | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/CWAs/CWA-2024-007.md b/CWAs/CWA-2024-007.md index fd23b31..4906df1 100644 --- a/CWAs/CWA-2024-007.md +++ b/CWAs/CWA-2024-007.md @@ -22,6 +22,12 @@ Medium (Moderate + Likely)[^1] (Blank for now. We'll add more detail once chains had a chance to upgrade.) +## Patch + +- 1.5: https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea +- 2.0: https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9 +- 2.1: https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492 + ## Applying the patch The patch will be shipped in releases of wasmvm. You can update more or less as follows: diff --git a/CWAs/CWA-2024-008.md b/CWAs/CWA-2024-008.md index 8b459ac..9e5a386 100644 --- a/CWAs/CWA-2024-008.md +++ b/CWAs/CWA-2024-008.md @@ -22,6 +22,12 @@ Medium (Moderate + Likely)[^1] (Blank for now. We'll add more detail once chains had a chance to upgrade.) +## Patch + +- 1.5: https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd +- 2.0: https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4 +- 2.1: https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb + ## Applying the patch The patch will be shipped in releases of wasmvm. You can update more or less as follows:
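Review bot: In PATCH 1/3, the two rows added to the table in `CWAs/README.md` carry only the bare ID (`[CWA-2024-008][CWA-2024-008]`, `[CWA-2024-007][CWA-2024-007]`), while every existing row uses the form "ID: short title", as in `CWA-2024-006: Non-deterministic module_query_safe query`. If the titles are being withheld until chains have upgraded, say so in the commit message or use a neutral placeholder title so the index stays uniform, and fill the titles in together with the descriptions.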
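Review bot: In PATCH 2/3 (`CWAs/CWA-2024-007.md`, "Applying the patch"), steps 1, 2 and 4 use the module path `github.com/CosmWasm/wasmvm` for all three release lines, but Go modules at major version 2 or higher carry a `/v2` suffix in their module path, so `go list -m github.com/CosmWasm/wasmvm` will not report a 2.0.x or 2.1.x dependency. Suggest giving both paths, with `github.com/CosmWasm/wasmvm/v2` for the 2.0 and 2.1 lines. In the same file, the runtime check reads "query wasm libwasmvm-version" with nothing before `query`, and the Acknowledgement ends in "please see ." with no target; both look like a placeholder or link that has gone missing and should be restored before merge.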
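Review bot: In PATCH 2/3, `CWAs/CWA-2024-008.md` is identical to `CWAs/CWA-2024-007.md` apart from the heading and the first three Timeline dates, so a reader cannot tell the two advisories apart or see that one upgrade covers both. Suggest a line in each file that cross-references the other and states that the same wasmvm releases (1.5.5, 2.0.4, 2.1.3) fix both. The sentence "The patch is consensus breaking and requires a coordinated upgrade." also sits after the numbered steps in both files; moving it above step 1 would keep an operator from rolling the bump out to a single node before reading it.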
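Review bot: In PATCH 3/3 (`CWAs/CWA-2024-007.md`), the new "## Patch" section publishes direct links to the fix commits immediately below a description that is still withheld ("Blank for now. We'll add more detail once chains had a chance to upgrade."). The fix diffs show what the description is holding back, so consider adding the links in the same change that fills in the description, or state in the commit message that the commits are already public with the 2024-09-23 release and only the write-up is deferred.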
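Review bot: In PATCH 3/3 (`CWAs/CWA-2024-008.md`), the "## Patch" bullets are labelled only "1.5", "2.0" and "2.1" and link to commits in `CosmWasm/cosmwasm`, while the rest of the advisory speaks in wasmvm versions, so it is unclear which package the labels refer to. Suggest labelling each link with the patched cosmwasm-vm release from the "Patched versions" list (1.5.8, 2.0.7, 2.1.4). That would also give projects that depend on cosmwasm-vm directly a version to move to, since "Applying the patch" only describes the wasmvm Go dependency.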