
Bug 919887 (CVE-2023-6193)

Summary: <net-libs/quiche-0.20.0: excessive resource consumption
Product: Gentoo Security Reporter: Christopher Fore <csfore>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: candrews
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Christopher Fore 2023-12-14 15:18:36 UTC
CVE-2023-6193 (https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm):

quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption.

QUIC path validation (RFC 9000 Section 8.2) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at a slower rate than they are received, leading to storage of path validation data in an unbounded queue.
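The queuing behaviour the advisory describes, modelled as an added Rust example (this is not quiche's code or its actual fix): a path remembers every PATH_CHALLENGE payload it still owes a PATH_RESPONSE for, while congestion control lets only a few responses out per round. The unbounded variant grows by the receive/send rate difference forever; the bounded variant caps the queue at a hypothetical `MAX_PENDING_RESPONSES` and evicts the oldest entry, one mitigation strategy assumed here for illustration.

```rust
use std::collections::VecDeque;
/// 8-byte PATH_CHALLENGE payload that must be echoed back in PATH_RESPONSE (RFC 9000 8.2).
type Challenge = [u8; 8];

/// Cap on queued PATH_RESPONSE payloads per path (hypothetical value, not quiche's constant).
const MAX_PENDING_RESPONSES: usize = 4;

/// Pending path-validation responses for one network path.
pub struct PathState {
    pending: VecDeque<Challenge>,
    bounded: bool,
}

impl PathState {
    pub fn new(bounded: bool) -> Self {
        PathState { pending: VecDeque::new(), bounded }
    }

    /// Peer sent PATH_CHALLENGE: remember the payload so a PATH_RESPONSE can echo it.
    pub fn on_path_challenge(&mut self, data: Challenge) {
        if self.bounded && self.pending.len() >= MAX_PENDING_RESPONSES {
            // Evict the oldest entry: memory stays O(1) however fast the peer
            // floods challenges, and a legitimate peer needs only one echo.
            self.pending.pop_front();
        }
        self.pending.push_back(data);
    }

    /// Congestion control permits `budget` PATH_RESPONSE frames this round; emit them.
    pub fn send_path_responses(&mut self, budget: usize) -> Vec<Challenge> {
        (0..budget).filter_map(|_| self.pending.pop_front()).collect()
    }
}

/// Model the advisory's scenario: each round the peer sends `rx` challenges while the
/// squeezed congestion window lets us answer only `tx`. Returns the final queue depth.
pub fn simulate(bounded: bool, rounds: usize, rx: usize, tx: usize) -> usize {
    let mut path = PathState::new(bounded);
    for n in 0..rounds * rx {
        let mut c = [0u8; 8]; // constructed challenge payload, unique per frame
        c.copy_from_slice(&(n as u64).to_be_bytes());
        path.on_path_challenge(c);
        if (n + 1) % rx == 0 { path.send_path_responses(tx); }
    }
    path.pending.len()
}

fn main() {
    // 1000 rounds, 10 challenges in, 1 response out: 9000 queued vs 3 queued.
    println!("unbounded: {}  bounded: {}", simulate(false, 1000, 10, 1), simulate(true, 1000, 10, 1));
}
```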
Comment 1 John Helmert III 2024-01-07 01:20:11 UTC
Maintainer, please clean up
Comment 2 Larry the Git Cow 2024-01-07 01:30:40 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7d1d28c4208dc4bc5623639d3d34205c89b8c25

commit c7d1d28c4208dc4bc5623639d3d34205c89b8c25
Author:     Craig Andrews <candrews@gentoo.org>
AuthorDate: 2024-01-07 01:29:44 +0000
Commit:     Craig Andrews <candrews@gentoo.org>
CommitDate: 2024-01-07 01:30:37 +0000

    net-libs/quiche: drop versions
    
    Closes: https://bugs.gentoo.org/919887
    Signed-off-by: Craig Andrews <candrews@gentoo.org>

 net-libs/quiche/Manifest                | 220 ---------------------------
 net-libs/quiche/quiche-0.14.0.ebuild    | 236 ----------------------------
 net-libs/quiche/quiche-0.15.0.ebuild    | 236 ----------------------------
 net-libs/quiche/quiche-0.16.0.ebuild    | 236 ----------------------------
 net-libs/quiche/quiche-0.17.1.ebuild    | 240 -----------------------------
 net-libs/quiche/quiche-0.17.2-r1.ebuild | 240 -----------------------------
 net-libs/quiche/quiche-0.17.2.ebuild    | 240 -----------------------------
 net-libs/quiche/quiche-0.18.0.ebuild    | 248 ------------------------------
 net-libs/quiche/quiche-0.19.0.ebuild    | 262 --------------------------------
 9 files changed, 2158 deletions(-)