Headline
CVE-2022-24788: Merge pull request from GHSA-j2x6-9323-fp7h · vyperlang/vyper@049dbdc
Vyper is a Pythonic smart contract language for the Ethereum Virtual Machine. Versions of Vyper prior to 0.3.2 suffer from a potential buffer overrun: importing a function from a JSON interface which returns bytes generates bytecode that does not clamp the length of the returned bytes to the declared bound, so a return value longer than the declared maximum can overrun the buffer the caller allocated for it. Users are advised to upgrade to 0.3.2 or later. There are no known workarounds for this issue.
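The missing clamp, as an added illustration in plain Python rather than Vyper codegen (this is not code from the vyper repository): a minimal ABI decoder for a single dynamic bytes return value, once without a bound on the declared length (the pre-fix behaviour the advisory describes) and once with the bound and the returndatasize minimum that the fix enforces. The helper names, the Bytes[32] bound and the constructed return data are assumptions.

```python
# Added example: models the return-data handling for a `bytes` return value.
# WORD, the function names and the 32-byte declared bound are assumptions made
# for illustration; none of this is Vyper's own code.
WORD = 32


def abi_encode_bytes(data: bytes) -> bytes:
    """ABI-encode one dynamic `bytes` value: offset word, length word, padded data."""
    head = WORD.to_bytes(WORD, "big")          # tail offset; always 32 for a single value
    length = len(data).to_bytes(WORD, "big")
    padded = data + b"\x00" * (-len(data) % WORD)
    return head + length + padded


def _check_min_return_size(returndata: bytes) -> None:
    # For a single dynamic value the minimum is two words (offset + length);
    # this is the `returndatasize >= min_return_size` check.
    if len(returndata) < 2 * WORD:
        raise ValueError("returndatasize below min_return_size")


def decode_bytes_unclamped(returndata: bytes) -> bytes:
    """Modelled pre-fix behaviour: the length word is trusted as-is."""
    _check_min_return_size(returndata)
    offset = int.from_bytes(returndata[:WORD], "big")
    length = int.from_bytes(returndata[offset:offset + WORD], "big")
    # Whatever `length` says is copied into the caller's fixed-size slot.
    return returndata[offset + WORD:offset + WORD + length]


def decode_bytes_clamped(returndata: bytes, max_len: int) -> bytes:
    """Modelled post-fix behaviour: length is clamped to the declared Bytes[max_len]."""
    _check_min_return_size(returndata)
    offset = int.from_bytes(returndata[:WORD], "big")
    if offset + WORD > len(returndata):
        raise ValueError("offset word points outside returndata")
    length = int.from_bytes(returndata[offset:offset + WORD], "big")
    if length > max_len:
        # This is the bound the vulnerable bytecode did not enforce.
        raise ValueError(f"returned length {length} exceeds declared bound {max_len}")
    if offset + WORD + length > len(returndata):
        raise ValueError("data extends outside returndata")
    return returndata[offset + WORD:offset + WORD + length]


def clamp_rejects(returndata: bytes, max_len: int) -> bool:
    """True if the clamped decoder refuses this returndata for a Bytes[max_len] slot."""
    try:
        decode_bytes_clamped(returndata, max_len)
    except ValueError:
        return True
    return False


def overrun_bytes(returndata: bytes, declared_max: int) -> int:
    """How many bytes the unclamped decode would write past a declared_max-byte slot."""
    return max(0, len(decode_bytes_unclamped(returndata)) - declared_max)


if __name__ == "__main__":
    # Constructed sample: the callee returns 100 bytes into a caller expecting Bytes[32].
    too_long = abi_encode_bytes(b"A" * 100)
    print("unclamped overrun:", overrun_bytes(too_long, 32), "bytes")
    print("clamped decoder rejects:", clamp_rejects(too_long, 32))
```

The unclamped decoder happily hands back 100 bytes for a slot sized for 32, which in EVM memory means the excess lands in whatever follows the slot; the clamped decoder fails the call instead, which is the behaviour the fix restores.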
@@ -6,10 +6,12 @@ check_assign, check_external_call, dummy_node_for_type, get_element_ptr, make_setter, needs_clamp, ) from vyper.codegen.ir_node import Encoding, IRnode from vyper.codegen.types import InterfaceType, TupleType, get_type_for_exact_size from vyper.codegen.types.convert import new_type_to_old_type from vyper.exceptions import StateAccessViolation, TypeCheckFailure
@@ -59,22 +61,19 @@ def _pack_arguments(contract_sig, args, context): return buf, mstore_method_id + [encode_args], args_ofst, args_len
def _returndata_encoding(contract_sig): if contract_sig.is_from_json: return Encoding.JSON_ABI return Encoding.ABI def _unpack_returndata(buf, contract_sig, skip_contract_check, context, expr): # expr.func._metadata[“type”].return_type is more accurate # than contract_sig.return_type in the case of JSON interfaces. ast_return_t = expr.func._metadata[“type”].return_type
def _unpack_returndata(buf, contract_sig, skip_contract_check, context): return_t = contract_sig.return_type if return_t is None: if ast_return_t is None: return [“pass”], 0, 0
# sanity check return_t = new_type_to_old_type(ast_return_t) check_assign(dummy_node_for_type(return_t), dummy_node_for_type(contract_sig.return_type))
return_t = calculate_type_for_external_return(return_t) # if the abi signature has a different type than # the vyper type, we need to wrap and unwrap the type # so that the ABI decoding works correctly should_unwrap_abi_tuple = return_t != contract_sig.return_type
abi_return_t = return_t.abi_type
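Review bot: the new `_unpack_returndata` takes the return type from `expr.func._metadata["type"].return_type`, a private attribute, and the only justification is the comment that it "is more accurate than contract_sig.return_type in the case of JSON interfaces"; please state in that comment why the two differ for JSON ABIs, since that difference is the root of the missing clamp, and what `check_assign(dummy_node_for_type(return_t), dummy_node_for_type(contract_sig.return_type))` raises when they disagree, so a reader knows this is a compile-time sanity check and not a runtime bound. A regression test that compiles a contract importing a JSON interface whose function returns bytes would pin the behaviour down.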
@@ -88,25 +87,30 @@ def _unpack_returndata(buf, contract_sig, skip_contract_check, context): # revert when returndatasize is not in bounds ret = [] # runtime: min_return_size <= returndatasize # TODO move the -1 optimization to IR optimizer if not skip_contract_check: ret += [["assert", ["gt", "returndatasize", min_return_size - 1]]] ret += [["assert", ["ge", "returndatasize", min_return_size]]]
# add as the last IRnode a pointer to the return data structure encoding = Encoding.ABI
# the return type has been wrapped by the calling contract; # unwrap it so downstream code isn’t confused. # basically this expands to buf+32 if the return type has been wrapped # in a tuple AND its ABI type is dynamic. # in most cases, this simply will evaluate to ret. # in the special case where the return type has been wrapped # in a tuple AND its ABI type is dynamic, it expands to buf+32. buf = IRnode(buf, typ=return_t, encoding=_returndata_encoding(contract_sig), location=MEMORY) buf = IRnode.from_list( buf, typ=return_t, location=MEMORY, encoding=encoding, annotation=f"{expr.node_source_code} returndata buffer", )
if should_unwrap_abi_tuple: buf = get_element_ptr(buf, 0, array_bounds_check=False) assert isinstance(return_t, TupleType) # unpack strictly if needs_clamp(return_t, encoding): buf2 = IRnode.from_list( context.new_internal_variable(return_t), typ=return_t, location=MEMORY )
ret += [buf] ret.append(make_setter(buf2, buf)) ret.append(buf2) else: ret.append(buf)
return ret, ret_ofst, ret_len
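Review bot: the actual bounds enforcement in this hunk is the `needs_clamp(return_t, encoding)` branch that copies `buf` into a fresh `context.new_internal_variable(return_t)` via `make_setter(buf2, buf)`, yet the only comment on it is `# unpack strictly`; expand it to say the copy is where the bytes length is clamped against the declared type, otherwise the extra allocation reads like a redundant memcpy that a later cleanup could remove and silently reintroduce the bug. The bare `assert isinstance(return_t, TupleType)` fails with an uninformative AssertionError in the compiler; a descriptive exception would help. The `ge` form of the returndatasize check is equivalent to the old `gt` / `min_return_size - 1` form, so that part is fine.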
@@ -145,7 +149,7 @@ def _external_call_helper( buf, arg_packer, args_ofst, args_len = _pack_arguments(contract_sig, args_ir, context)
ret_unpacker, ret_ofst, ret_len = _unpack_returndata( buf, contract_sig, skip_contract_check, context buf, contract_sig, skip_contract_check, context, expr )
sub += arg_packer @@ -169,15 +173,7 @@ def _external_call_helper( if contract_sig.return_type is not None: sub += ret_unpacker
ret = IRnode.from_list( sub, typ=contract_sig.return_type, location=MEMORY, # set the encoding to ABI here, downstream code will decode and add clampers. encoding=_returndata_encoding(contract_sig), )
return ret return IRnode.from_list(sub, typ=contract_sig.return_type, location=MEMORY)
def _get_special_kwargs(stmt_expr, context):
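Review bot: the replacement `return IRnode.from_list(sub, typ=contract_sig.return_type, location=MEMORY)` drops the `encoding=` argument together with the comment "downstream code will decode and add clampers"; add a one-line comment here that the returned node has already been clamped inside `_unpack_returndata` and that no downstream clamping is expected, so the deferred-clamp pattern is not reintroduced. If `_returndata_encoding` and `Encoding.JSON_ABI` have no remaining callers after this change, remove them in the same commit rather than leaving dead code around.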
Related news
An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL "Test Connection" feature to execute arbitrary code.
A vulnerability in the encryption implementation of EBICS messages in the open source library ebics-java/ebics-java-client allows an attacker sniffing network traffic to decrypt EBICS payloads. This issue affects: ebics-java/ebics-java-client versions prior to 1.2.
An improper handling of exceptional conditions vulnerability exists in the DNS proxy feature of Palo Alto Networks PAN-OS software that enables a meddler-in-the-middle (MITM) to send specifically crafted traffic to the firewall that causes the service to restart unexpectedly. Repeated attempts to send this request result in denial-of-service to all PAN-OS services by restarting the device in maintenance mode. This issue does not impact Panorama appliances and Prisma Access customers. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.22; PAN-OS 9.0 versions earlier than PAN-OS 9.0.16; PAN-OS 9.1 versions earlier than PAN-OS 9.1.13; PAN-OS 10.0 versions earlier than PAN-OS 10.0.10; PAN-OS 10.1 versions earlier than PAN-OS 10.1.5. This issue does not impact PAN-OS 10.2.
Wire-server is the system server for the wire back-end services. Releases prior to v2022-03-01 are subject to a denial of service attack via a crafted object causing a hash collision. This collision causes the server to spend at least quadratic time parsing it which can lead to a denial of service for a heavily used server. The issue has been fixed in wire-server 2022-03-01 and is already deployed on all Wire managed services. On premise instances of wire-server need to be updated to 2022-03-01, so that their backends are no longer affected. There are no known workarounds for this issue.