From 5211a9ba753fa8fc004f80c1bc2de77be5a439ce Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Tue, 10 Dec 2024 17:25:09 +0100 Subject: [PATCH 1/2] Add GHSA for CWA-2024-009 --- CWAs/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CWAs/README.md b/CWAs/README.md index 64a4e3c..efa95d1 100644 --- a/CWAs/README.md +++ b/CWAs/README.md @@ -4,7 +4,7 @@ | Severity[^1] | Scope[^2] | ID | Aliases | | ------------ | --------- | ---------------------------------------------------------------------------- | ------------------------------------------ | -| Low | VM | [CWA-2024-009][CWA-2024-009] | +| Low | VM | [CWA-2024-009][CWA-2024-009] | [GHSA-vmg2-r3xv-r3xf] | | Medium | VM | [CWA-2024-008: Panic in wasmvm can slow down block production][CWA-2024-008] | [GHSA-vmqh-5232-v43r] | | Medium | VM | [CWA-2024-007: Incorrect metering][CWA-2024-007] | [GHSA-2q97-m5rc-p3gp] | | Medium | x/wasm | [CWA-2024-006: Non-deterministic module_query_safe query][CWA-2024-006] | [GHSA-fpgj-cr28-fvpx] | @@ -34,6 +34,7 @@ [GHSA-fpgj-cr28-fvpx]: https://github.com/advisories/GHSA-fpgj-cr28-fvpx [GHSA-2q97-m5rc-p3gp]: https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-2q97-m5rc-p3gp [GHSA-vmqh-5232-v43r]: https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-vmqh-5232-v43r +[GHSA-vmg2-r3xv-r3xf]: https://github.com/CosmWasm/wasmd/security/advisories/GHSA-vmg2-r3xv-r3xf ## 2023 From aa51acf233fac476cd4f3287f8cc9a28e21beaa8 Mon Sep 17 00:00:00 2001 From: Simon Warta Date: Tue, 10 Dec 2024 17:25:59 +0100 Subject: [PATCH 2/2] Bump patch release to 0.53.2 for 009 --- CWAs/CWA-2024-009.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CWAs/CWA-2024-009.md b/CWAs/CWA-2024-009.md index 2056811..37e3dac 100644 --- a/CWAs/CWA-2024-009.md +++ b/CWAs/CWA-2024-009.md 
@@ -10,7 +10,7 @@ Low (Marginal + Likely)[^1] **Patched versions:** -- wasmd 0.53.1 +- wasmd 0.53.2 (please note that wasmd 0.53.1 is broken and must not be used) ## Description of the bug @@ -29,9 +29,9 @@ The patch will be shipped in a wasmd release. You will also have to update `libw If you already use the latest / close to latest wasmd, you can update more or less as follows: 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` -2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.1 (Cosmos SDK 0.50 compatible); `go mod tidy`; commit. +2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.53.2 (Cosmos SDK 0.50 compatible); `go mod tidy`; commit. 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same version as your wasmvm version. -4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.1. +4. Check the updated wasmd version: `go list -m github.com/CosmWasm/wasmd` and ensure you see 0.53.2. 5. Follow your regular practices to deploy chain upgrades. To double check if the correct library version is loaded at runtime, use this query: @@ -42,7 +42,7 @@ If you are instead using wasmvm 2.1.2, then upgrading to 2.1.4 includes the cons ### DIY Patch -If you are unable to upgrade to the latest version, you can backport the wasmd patch to your version. The patch is available at [Wasmd 0.53.1](https://github.com/CosmWasm/wasmd/compare/v0.53.0...v0.53.1). +If you are unable to upgrade to the latest version, you can backport the wasmd patch to your version. The patch is available at [Wasmd 0.53.2](https://github.com/CosmWasm/wasmd/compare/v0.53.0...v0.53.2). However, if you are on an older version of wasmd, you will also be using a different version of wasmvm. We provide the required patches for wasmvm in versions 2.1.4, 2.0.5, 1.5.6. To upgrade using this method:
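Review bot: in PATCH 1/2, hunk `@@ -4,7 +4,7 @@` of `CWAs/README.md`, the CWA-2024-009 row still omits the advisory title that every other row carries in its link text (compare `[CWA-2024-008: Panic in wasmvm can slow down block production][CWA-2024-008]` with the bare `[CWA-2024-009][CWA-2024-009]`). Since this hunk already rewrites that row to add the `[GHSA-vmg2-r3xv-r3xf]` alias, it is the natural place to add the title as well, so a reader scanning the table can tell what the advisory covers without opening it.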
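Review bot: in PATCH 2/2, hunk `@@ -10,7 +10,7 @@` of `CWAs/CWA-2024-009.md`, the new "Patched versions" bullet says wasmd 0.53.1 "is broken and must not be used" but does not say what is broken, so an operator who already deployed 0.53.1 on the strength of the earlier revision of this advisory cannot tell whether they are still exposed to CWA-2024-009, running a build that fails for an unrelated reason, or both. Suggest one sentence after the bullet naming the failure mode (or linking the wasmd issue or the 0.53.2 release notes) and stating explicitly that existing 0.53.1 deployments must move to 0.53.2.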
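Review bot: in PATCH 2/2, hunk `@@ -29,9 +29,9 @@`, steps 2 and 4 now target 0.53.2, but the unchanged step 1 (`go list -m github.com/CosmWasm/wasmd`) only tells the reader to check the current version without saying which result requires action; a reader who sees 0.53.1 from the earlier upgrade round may conclude they are done. Suggest extending step 1 with "if this prints 0.53.1 you still need to perform the bump in step 2" so the instructions are unambiguous for operators who followed the first version of this advisory.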
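Review bot: in PATCH 2/2, hunk `@@ -42,7 +42,7 @@`, the DIY patch link now points at the compare range `v0.53.0...v0.53.2`, which spans two releases and therefore mixes the CWA-2024-009 fix with whatever change repaired the broken 0.53.1. Someone backporting to an older wasmd needs to know which commits are the security fix, so suggest either naming the fix commit(s) in the text or keeping the `v0.53.0...v0.53.1` compare for the security change alongside a `v0.53.1...v0.53.2` link for the follow-up, and saying whether the 0.53.1 breakage affects a backported patch at all.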