Merge pull request #53 from CosmWasm/fill-007-008

Fill CWA-2024-007 and CWA-2024-008
CosmWasm · Sep 23, 2024 · 40aacb4 · 40aacb4
2 parents 468d641 + 42e0d12
commit 40aacb4
Show file tree

Hide file tree

Showing 3 changed files with 122 additions and 0 deletions.
diff --git a/CWAs/CWA-2024-007.md b/CWAs/CWA-2024-007.md
@@ -1 +1,60 @@
 # CWA-2024-007
+
+**Severity**
+
+Medium (Moderate + Likely)[^1]
+
+**Affected versions:**
+
+- wasmvm >= 2.1.0, < 2.1.3
+- wasmvm >= 2.0.0, < 2.0.4
+- wasmvm < 1.5.5
+- cosmwasm-vm >= 2.1.0, < 2.1.4
+- cosmwasm-vm >= 2.0.0, < 2.0.7
+- cosmwasm-vm < 1.5.8
+
+**Patched versions:**
+
+- wasmvm 1.5.5, 2.0.4, 2.1.3
+- cosmwasm-vm 1.5.8, 2.0.7, 2.1.4
+
+## Description of the bug
+
+(Blank for now. We'll add more detail once chains had a chance to upgrade.)
+
+## Patch
+
+- 1.5: https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea
+- 2.0: https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9
+- 2.1: https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492
+
+## Applying the patch
+
+The patch will be shipped in releases of wasmvm. You can update more or less as follows:
+
+1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm`
+2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1.3 depending on which minor version you are; `go mod tidy`; commit.
+3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly.
+4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.5, 2.0.4, 2.1.3.
+5. Follow your regular practices to deploy chain upgrades.
+
+To double check if the correct library version is loaded at runtime, use this query:
+`<appd> query wasm libwasmvm-version`. It must show 1.5.5, 2.0.4 or 2.1.3.
+
+The patch is consensus breaking and requires a coordinated upgrade.
+
+## Acknowledgement
+
+This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
+
+If you believe you have found a bug in the Interchain Stack or would like to contribute to the
+program by reporting a bug, please see <https://hackerone.com/cosmos>.
+
+## Timeline
+
+- 2024-08-28: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
+- 2024-08-30: Confio security contributors confirm the report.
+- 2024-09-02: Confio developed the patch internally.
+- 2024-09-23: Patch is released.
+
+[^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md
diff --git a/CWAs/CWA-2024-008.md b/CWAs/CWA-2024-008.md
@@ -1 +1,60 @@
 # CWA-2024-008
+
+**Severity**
+
+Medium (Moderate + Likely)[^1]
+
+**Affected versions:**
+
+- wasmvm >= 2.1.0, < 2.1.3
+- wasmvm >= 2.0.0, < 2.0.4
+- wasmvm < 1.5.5
+- cosmwasm-vm >= 2.1.0, < 2.1.4
+- cosmwasm-vm >= 2.0.0, < 2.0.7
+- cosmwasm-vm < 1.5.8
+
+**Patched versions:**
+
+- wasmvm 1.5.5, 2.0.4, 2.1.3
+- cosmwasm-vm 1.5.8, 2.0.7, 2.1.4
+
+## Description of the bug
+
+(Blank for now. We'll add more detail once chains had a chance to upgrade.)
+
+## Patch
+
+- 1.5: https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd
+- 2.0: https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4
+- 2.1: https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb
+
+## Applying the patch
+
+The patch will be shipped in releases of wasmvm. You can update more or less as follows:
+
+1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm`
+2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1.3 depending on which minor version you are; `go mod tidy`; commit.
+3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, update them accordingly.
+4. Check the updated wasmvm version: `go list -m github.com/CosmWasm/wasmvm` and ensure you see 1.5.5, 2.0.4, 2.1.3.
+5. Follow your regular practices to deploy chain upgrades.
+
+To double check if the correct library version is loaded at runtime, use this query:
+`<appd> query wasm libwasmvm-version`. It must show 1.5.5, 2.0.4 or 2.1.3.
+
+The patch is consensus breaking and requires a coordinated upgrade.
+
+## Acknowledgement
+
+This issue was found by meadow101 who reported it to the Cosmos Bug Bounty Program on HackerOne.
+
+If you believe you have found a bug in the Interchain Stack or would like to contribute to the
+program by reporting a bug, please see <https://hackerone.com/cosmos>.
+
+## Timeline
+
+- 2024-08-22: Confio receives a report through the Cosmos bug bounty program maintained by Amulet.
+- 2024-08-23: Confio security contributors confirm the report.
+- 2024-09-09: Confio developed the patch internally.
+- 2024-09-23: Patch is released.
+
+[^1]: following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md
diff --git a/CWAs/README.md b/CWAs/README.md
@@ -4,13 +4,17 @@
 
 | Severity[^1] | Scope[^2] | ID                                                                      | Aliases                                    |
 | ------------ | --------- | ----------------------------------------------------------------------- | ------------------------------------------ |
+| Medium       | VM        | [CWA-2024-008][CWA-2024-008]                                            |                                            |
+| Medium       | VM        | [CWA-2024-007][CWA-2024-007]                                            |                                            |
 | Medium       | x/wasm    | [CWA-2024-006: Non-deterministic module_query_safe query][CWA-2024-006] | [GHSA-fpgj-cr28-fvpx]                      |
 | High         | x/wasm    | [CWA-2024-005: Stackoverflow in wasmd][CWA-2024-005]                    | [GHSA-g8w7-7vgg-x7xg]                      |
 | Medium       | VM        | [CWA-2024-004: Gas mispricing in cosmwasm-vm][CWA-2024-004]             | [RUSTSEC-2024-0361], [GHSA-rg2q-2jh9-447q] |
 | Low          | x/wasm    | [CWA-2024-003: Large address count in ValidateBasic][CWA-2024-003]      | [GHSA-m3rh-cvr5-x6q4]                      |
 | Medium       | Contracts | [CWA-2024-002: Arithmetic overflows in cosmwasm-std][CWA-2024-002]      | [RUSTSEC-2024-0338], [GHSA-8724-5xmm-w5xq] |
 | Low          | Contracts | [CWA-2024-001: Stack overflow in serde-json-wasm][CWA-2024-001]         | [RUSTSEC-2024-0012], [GHSA-rr69-rxr6-8qwf] |
 
+[CWA-2024-008]: ./CWA-2024-008.md
+[CWA-2024-007]: ./CWA-2024-007.md
 [CWA-2024-006]: ./CWA-2024-006.md
 [CWA-2024-005]: ./CWA-2024-005.md
 [CWA-2024-004]: ./CWA-2024-004.md