Hi Jiangtao,

Wanted to follow up and see if you had a chance to evaluate the impact and if a CVE will be opened.

Thanks,
Uri

From: Jiangtao Li <[email protected]>
Date: Monday, August 26, 2019 at 6:55 PM
To: Uri Eden <[email protected]>
Cc: "grpc.io" <[email protected]>, "[email protected]" <[email protected]>, Lev Pachmanov <[email protected]>
Subject: Re: [grpc-io] Re: Report vulnerability

Uri and Lev,

Thank you very much for reporting and pull requests! I have approved the PR. We will evaluate the impact of this vulnerability.

Thanks,
Jiangtao

On Sun, Aug 25, 2019 at 6:18 AM Uri Eden <[email protected]> wrote:

Hi,

Below please find the details of the vulnerability with an open PR - https://github.com/grpc/grpc/pull/19766 found by our system architect – Lev Pachmanov (CC’d).

The problem is in the src/core/lib/iomgr/tcp_server_custom.cc: tcp_server_add_port

When the initializing of the socket object fails:

    grpc_custom_socket_vtable->init(socket, family);

The error value is not checked, causing reference to an invalid pointer later in add_socket_to_server.

We encountered this scenario running on a platform where getaddrinfo returns an IPv6 address while socket(AF_INET6, …) returns EAFNOSUPPORT.

This vulnerability might be exploited using common null pointer dereferences (https://cwe.mitre.org/data/definitions/476.html).

Hope this helps.

Uri + Lev

From: "jiangtao via grpc.io" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, August 21, 2019 at 7:50 PM
To: "grpc.io" <[email protected]>
Subject: [grpc-io] Re: Report vulnerability

Thank you very much for keeping us in the loop. Could you please email detailed vulnerabilities to the private [email protected] list? Production security engineers will evaluate the vulnerability within 3 workdays.

gRPC CVE process can be found in https://github.com/grpc/proposal/blob/master/P4-grpc-cve-process.md

Thanks,
Jiangtao

On Wednesday, August 21, 2019 at 3:18:58 AM UTC-7, [email protected] wrote:

Hi,

Our team has recently discovered a Null Pointer Dereference security vulnerability in gRPC. How do we disclose it and open a CVE?

Thanks!
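
The failure mode described in the 25 August report, as an added example that is not part of the thread, not gRPC source code, and not the change made in the pull request: a minimal C model in which a socket vtable's init fails with EAFNOSUPPORT and the caller either discards or checks the result. All types and names here (sock_vtable, custom_socket, stub_init, register_socket, add_port_unchecked, add_port_checked) are hypothetical.

```c
/* Added illustration; a hypothetical model, not gRPC source code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>

typedef struct { int fd; } sock_impl;
typedef struct { sock_impl *impl; } custom_socket; /* impl is NULL until init succeeds */
typedef struct { int (*init)(custom_socket *s, int family); } sock_vtable;

/* Constructed stub for the reported platform: the resolver hands back an
 * IPv6 address, but creating an AF_INET6 socket fails with EAFNOSUPPORT. */
static sock_impl g_impl = { 3 };
static int stub_init(custom_socket *s, int family) {
    if (family == AF_INET6) return EAFNOSUPPORT; /* s->impl is left NULL */
    s->impl = &g_impl;
    return 0;
}
static const sock_vtable stub_vtable = { stub_init };

/* Stands in for the later step that uses the initialized socket. */
static int register_socket(custom_socket *s) { return s->impl->fd; }

/* Pattern from the report: init's result is discarded, so after a failed
 * init the next step dereferences s->impl == NULL. Shown, never called. */
int add_port_unchecked(const sock_vtable *vt, int family) {
    custom_socket s = { NULL };
    vt->init(&s, family);
    return register_socket(&s);
}

/* Checked form: return the error before the socket is ever used. */
int add_port_checked(const sock_vtable *vt, int family, int *fd_out) {
    custom_socket s = { NULL };
    int err = vt->init(&s, family);
    if (err != 0) return err;
    *fd_out = register_socket(&s);
    return 0;
}

int main(void) {
    int fd = -1;
    int err = add_port_checked(&stub_vtable, AF_INET6, &fd);
    printf("AF_INET6: err=%d fd=%d\n", err, fd);
    err = add_port_checked(&stub_vtable, AF_INET, &fd);
    printf("AF_INET:  err=%d fd=%d\n", err, fd);
    return 0;
}
```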
