Skip to content

Latest commit

 

History

History
50 lines (32 loc) · 2.17 KB

CWA-2024-005.md

File metadata and controls

50 lines (32 loc) · 2.17 KB
Raw

CWA-2024-005: Stackoverflow in wasmd

Severity

High (Critical + Likely)1

Affected versions:

  • wasmd >= 0.50.0, < 0.53.0
  • wasmd < 0.46.0

Patched versions: wasmd 0.53.0, 0.46.0

Description of the bug

(Blank for now. We'll add more detail once chains had a chance to upgrade.)

Patch

Applying the patch

The patch will be shipped in a wasmd release. You can update more or less as follows:

  1. Check the current wasmd version: go list -m github.com/CosmWasm/wasmd
  2. Bump the github.com/CosmWasm/wasmd dependency in your go.mod to 0.53.0 (Cosmos SDK 0.50 compatible) or 0.46.0 (Cosmos SDK 0.47 compatible) depending on which version you are on right now; go mod tidy; commit.
  3. If you use the static libraries libwasmvm_muslc.aarch64.a/libwasmvm_muslc.x86_64.a, make sure that you use the same version as your wasmvm version.
  4. Check the updated wasmd version: go list -m github.com/CosmWasm/wasmd and ensure you see 0.53.0 or 0.46.0.
  5. Follow your regular practices to deploy chain upgrades.

Acknowledgement

This issue was found by unknown feature who reported it to the Cosmos Bug Bounty Program on HackerOne.

If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

Timeline

  • 2024-06-28: IBC Team receives a report through the Cosmos bug bounty program maintained by Amulet.
  • 2024-07-18: Confio receives information about the report from the IBC Team.
  • 2024-08-02: Confio developed the patch internally.
  • 2024-08-19: Patch release announced though notifications list.
  • 2024-08-20: Patch release announced on X: https://x.com/CosmWasm/status/1825814580217381334.
  • 2024-08-21: Patch released.

Footnotes

  1. following Amulet's Severity Classification Framework ACMv1: https://github.com/interchainio/security/blob/e0227a1fb4059144aab4f6003eeee7f09912db3a/resources/CLASSIFICATION_MATRIX.md