Source: grpc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for grpc.

CVE-2023-33953[0]:
| gRPC contains a vulnerability that allows hpack table accounting
| errors could lead to unwanted disconnects between clients and
| servers in exceptional cases. Three vectors were found that allow
| the following DOS attacks:
|
| - Unbounded memory buffering in the HPACK parser
| - Unbounded CPU consumption in the HPACK parser
|
| The unbounded CPU consumption is down to a copy that occurred
| per-input-block in the parser, and because that could be unbounded
| due to the memory copy bug we end up with an O(n^2) parsing loop,
| with n selected by the client.
|
| The unbounded memory buffering bugs:
|
| - The header size limit check was behind the string reading code, so
|   we needed to first buffer up to a 4 gigabyte string before
|   rejecting it as longer than 8 or 16kb.
| - HPACK varints have an encoding quirk whereby an infinite number of
|   0's can be added at the start of an integer. gRPC's hpack parser
|   needed to read all of them before concluding a parse.
| - gRPC's metadata overflow check was performed per frame, so that
|   the following sequence of frames could cause infinite buffering:
|     HEADERS: containing a: 1
|     CONTINUATION: containing a: 2
|     CONTINUATION: containing a: 3
|     etc...

https://bugzilla.redhat.com/show_bug.cgi?id=2230890
https://cloud.google.com/support/bulletins#gcp-2023-022

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-33953
    https://www.cve.org/CVERecord?id=CVE-2023-33953

Please adjust the affected versions in the BTS as needed.
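The varint quirk in the quoted description, as an added example that is not part of this bug report or of gRPC's own parser: a bounded HPACK integer decoder in C++ (the names DecodeHpackInt, DecodedInt and DecodePadded1337 are mine) that decodes the RFC 7541 example value 1337 but rejects an encoding padded with more zero-valued continuation bytes than any 32-bit value can need, instead of reading all of them.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

struct DecodedInt { uint32_t value; size_t consumed; };  // value + bytes consumed

// Decode an HPACK integer (RFC 7541 section 5.1) at buf[pos]. The first byte
// carries `prefix_bits` bits; continuation bytes carry 7 bits each, least
// significant first, with the high bit set while more follow. A 0x80 byte adds
// nothing, so a sender can pad an integer with any number of them and a decoder
// that reads until the high bit clears does work proportional to the padding.
// This one stops after `max_continuation` bytes (5 covers any 32-bit value).
std::optional<DecodedInt> DecodeHpackInt(const std::vector<uint8_t>& buf,
                                         size_t pos, int prefix_bits,
                                         size_t max_continuation = 5) {
  if (pos >= buf.size() || prefix_bits < 1 || prefix_bits > 8) return std::nullopt;
  const uint32_t max_prefix = (1u << prefix_bits) - 1;
  uint64_t value = buf[pos] & max_prefix;
  if (value < max_prefix) return DecodedInt{static_cast<uint32_t>(value), 1};
  size_t i = pos + 1;
  unsigned shift = 0;
  for (size_t cont = 0; i < buf.size(); ++cont) {
    if (cont >= max_continuation || shift > 28) return std::nullopt;  // too long
    const uint8_t b = buf[i++];
    value += static_cast<uint64_t>(b & 0x7f) << shift;
    if (value > UINT32_MAX) return std::nullopt;  // does not fit in 32 bits
    if ((b & 0x80) == 0) return DecodedInt{static_cast<uint32_t>(value), i - pos};
    shift += 7;
  }
  return std::nullopt;  // input ended before the terminating byte
}

// Constructed input: 1337 with a 5-bit prefix (0x1f 0x9a 0x0a in the RFC) with
// `pad` zero-valued continuation bytes inserted: 0x1f 0x9a 0x8a [0x80]*pad 0x00.
std::optional<DecodedInt> DecodePadded1337(size_t pad) {
  std::vector<uint8_t> buf = {0x1f, 0x9a, 0x8a};
  buf.insert(buf.end(), pad, 0x80);
  buf.push_back(0x00);
  return DecodeHpackInt(buf, 0, 5);
}

int main() {
  for (size_t pad : {0u, 2u, 3u, 4096u}) {
    auto r = DecodePadded1337(pad);
    if (r) std::printf("pad=%zu -> %u (%zu bytes)\n", pad, r->value, r->consumed);
    else   std::printf("pad=%zu -> rejected\n", pad);
  }
}
```

With pad=4096 the decoder gives up after six bytes rather than scanning the whole run, which is the bound the quoted advisory says the original parser lacked.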