From 2b86c1bd29f564bc96b7c16b7b74bde637e6ec30 Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Wed, 21 Aug 2024 10:46:58 +0200 Subject: [PATCH] Fill CWA-2024-005 and CWA-2024-006 --- CWAs/CWA-2024-005.md | 31 +++++++++++++++++++++++++++++++ CWAs/CWA-2024-006.md | 30 ++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) diff --git a/CWAs/CWA-2024-005.md b/CWAs/CWA-2024-005.md index 0521ba6..f98b1b7 100644 --- a/CWAs/CWA-2024-005.md +++ b/CWAs/CWA-2024-005.md 
@@ -10,3 +10,34 @@ High (Critical + Likely) - wasmd < 0.46.0 **Patched versions:** wasmd 0.53.0, 0.46.0 + +## Description of the bug + +(Blank for now. We'll add more detail once chains had a chance to upgrade.) + +## Applying the patch + +The patch will be shipped in a wasmd release. You can update more or less as follows: + +1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` +2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.0 (Cosmos SDK 0.50 compatible) or 0.46.0 (Cosmos SDK 0.47 compatible) depending on which version you are on right now; `go mod tidy`; commit. +3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. +4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.0 or 0.46.0. +5. Follow your regular practices to deploy chain upgrades. + +## Acknowledgement + +This issue was found by [unknown feature](https://github.com/unknownfeature) who reported it to the Cosmos Bug Bounty Program on +HackerOne. + +If you believe you have found a bug in the Interchain Stack or would like to contribute to the +program by reporting a bug, please see . + +## Timeline + +- 2024-06-28: IBC Team receives a report through the Cosmos bug bounty program maintained by Amulet. +- 2024-07-18: Confio receives information about the report from the IBC Team. +- 2024-08-02: Confio developed the patch internally. +- 2024-08-19: Patch release announced though notifications list. +- 2024-08-20: Patch release announced on X: . +- 2024-08-21: Patch released. diff --git a/CWAs/CWA-2024-006.md b/CWAs/CWA-2024-006.md index 938a764..cf5ee1e 100644 --- a/CWAs/CWA-2024-006.md +++ b/CWAs/CWA-2024-006.md 
@@ -9,3 +9,33 @@ Medium (Moderate + Likely) - wasmd 0.52.0 **Patched versions:** wasmd 0.53.0 + +## Description of the bug + +(Blank for now. We'll add more detail once chains had a chance to upgrade.) + +## Applying the patch + +The patch will be shipped in a wasmd release. You can update more or less as follows: + +1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` +2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.0; `go mod tidy`; commit. +3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. +4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.0. +5. Follow your regular practices to deploy chain upgrades. + +## Acknowledgement + +This issue was found by [amimart](https://github.com/amimart) who reported it to the +Cosmos Bug Bounty Program on HackerOne. + +If you believe you have found a bug in the Interchain Stack or would like to contribute to the +program by reporting a bug, please see . + +## Timeline + +- 2024-07-25: Confio receives a report through the Cosmos bug bounty program maintained by Amulet. +- 2024-08-13: Confio developed the patch internally. +- 2024-08-19: Patch release announced though notifications list. +- 2024-08-20: Patch release announced on X: . +- 2024-08-21: Patch released.
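Review bot: In CWAs/CWA-2024-005.md, step 3 of "Applying the patch" tells operators to match the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a` to "your wasmvm version" but never says how to read that version after the bump in step 2, which leaves the one check that matters for statically linked builds to guesswork. Suggest adding to step 3 the wasmvm equivalent of the `go list -m` check used in steps 1 and 4. Also in this hunk: the bug bounty paragraph ends in "please see ." with no link target, and the 2024-08-19 Timeline entry reads "announced though notifications list" where "through" is meant.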
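Review bot: In CWAs/CWA-2024-006.md, "The patch will be shipped in a wasmd release" is in the future tense while the Timeline in the same hunk records "2024-08-21: Patch released" and the context line already names 0.53.0 as the patched version. Suggest "The patch is shipped in wasmd 0.53.0" so the advisory does not read as if no fix is available yet. The 2024-08-20 entry "Patch release announced on X: ." has no URL after the colon, and "once chains had a chance to upgrade" should be "once chains have had a chance to upgrade". The same wording appears in the CWA-2024-005.md hunk.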