
update CapnProto to v0.10.3 to avoid CVE-2022-46149 #46139

Merged (1 commit, Feb 8, 2023)

Conversation

SadiHassan (Contributor)

Update CapnProto to v0.10.3 to avoid CVE-2022-46149.

Changelog category (leave one):

  • Improvement

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Update CapnProto to v0.10.3 to avoid CVE-2022-46149

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)

Information about CI checks: https://clickhouse.com/docs/en/development/continuous-integration/

@robot-clickhouse-ci-1 robot-clickhouse-ci-1 added pr-improvement Pull request with some product improvements submodule changed At least one submodule changed in this PR. labels Feb 7, 2023
@evillique evillique added the can be tested Allows running workflows for external contributors label Feb 7, 2023
alexey-milovidov (Member)

Let's add a test. Is there a payload to trigger the out-of-bounds access?

SadiHassan (Contributor, Author)

@alexey-milovidov 1) Is there any existing (or similar) test for this submodule you can refer to? It will be helpful for my enlightenment and implementation. 2) I am not aware of any payload yet, but we can search or maybe create one. 3) Also, I see Integration tests (tsan) is failing; it doesn't look like it is caused by this PR. Could you please confirm that? Thanks!

Avogar (Member) commented Feb 8, 2023

Integration tests (tsan) failure is not related to changes.

I guess maybe there is a way to make a test by creating a corrupted CapnProto file and then reading it using ClickHouse. But I think it's really difficult or even impossible; I am not sure if we use this code that contains the bug, because our CapnProto reader is implemented through the arrow ORC adapter (and as I can see in the issue, this bug can be triggered under some special conditions of using the API).
UPD: Sorry, I confused ORC and CapnProto, the arrow lib is not related.

Let's merge it without a test
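The PR's whole purpose is to pin the vendored submodule at or above the release that carries the fix. The script below is an added example, not part of ClickHouse or Cap'n Proto, of how a maintainer can check that a repository's submodules are not pinned below such a minimum: it parses the text printed by `git submodule status` and compares the `git describe` tag recorded for each submodule against a per-path minimum version. The 0.10.3 / CVE-2022-46149 pairing is taken from this PR; the submodule path `contrib/capnproto`, the other two entries and every commit hash are constructed placeholders.

```python
"""Check that vendored git submodules are not pinned below a fixed version.

Added example, not ClickHouse's or Cap'n Proto's own tooling.  It parses the
text that `git submodule status` prints and compares the `git describe` tag
recorded for each submodule against a per-path minimum.  Commit hashes and
all submodules other than the CapnProto entry are constructed placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

# path -> (minimum version containing the fix, advisory it addresses).
# The CapnProto pairing comes from the pull request; the path is an assumption.
MIN_SAFE_VERSIONS: Dict[str, Tuple[str, str]] = {
    "contrib/capnproto": ("0.10.3", "CVE-2022-46149"),
}

# Constructed sample of `git submodule status` output.  The first column is
# ' ' (checked out at the recorded commit), '+' (checked out elsewhere) or
# '-' (not initialised).  The 40-hex hashes are placeholders, not real commits.
_H1, _H2, _H3 = ("0" * 39 + d for d in "123")
SAMPLE_STATUS = (
    f" {_H1} contrib/capnproto (v0.10.2-3-g0000001)\n"
    f"+{_H2} contrib/other-lib (v1.2.0)\n"
    f"-{_H3} contrib/uninitialised\n"
)

LINE_RE = re.compile(r"^([ +\-U])([0-9a-f]{40}) (\S+)(?: \((.*)\))?$")
VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)")


def parse_version(describe: str) -> Optional[Tuple[int, ...]]:
    """Leading numeric version of a `git describe` string, e.g. 'v0.10.2-3-gabc' -> (0, 10, 2).

    Commits past a tag ('-3-g...') are treated as the tag's version, which is
    the conservative choice: a fix merged after the tag is not assumed present.
    """
    m = VERSION_RE.match(describe)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def parse_status(output: str) -> List[dict]:
    """Split `git submodule status` output into {state, commit, path, describe} records."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a status line
        state, commit, path, describe = m.groups()
        entries.append({"state": state, "commit": commit, "path": path, "describe": describe})
    return entries


def find_vulnerable(output: str, policy: Dict[str, Tuple[str, str]] = MIN_SAFE_VERSIONS) -> List[dict]:
    """Return submodules pinned below their required version, or whose version cannot be determined."""
    findings = []
    for entry in parse_status(output):
        rule = policy.get(entry["path"])
        if rule is None:
            continue
        required, advisory = rule
        found = parse_version(entry["describe"]) if entry["describe"] else None
        if found is None:
            reason = "version could not be determined"
        elif found < parse_version(required):
            reason = f"pinned at {entry['describe']}, below {required}"
        else:
            continue
        findings.append({**entry, "required": required, "advisory": advisory, "reason": reason})
    return findings


if __name__ == "__main__":
    # Run as: git submodule status | python3 check_submodules.py  (here: the sample)
    for f in find_vulnerable(SAMPLE_STATUS):
        print(f"{f['path']}: {f['reason']} ({f['advisory']})")
```

Piping real `git submodule status` output into `find_vulnerable` (instead of the constructed sample) turns this into a CI gate; the conservative treatment of `-N-g...` suffixes means a submodule sitting a few commits past a vulnerable tag is still reported until it is moved to a tag that contains the fix.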

@Avogar Avogar self-assigned this Feb 8, 2023
@Avogar Avogar merged commit 979ccda into ClickHouse:master Feb 8, 2023
SadiHassan (Contributor, Author)

@Avogar , Thank you!
