Debian Rust-Wasmtime vulnerabilities

CVE-2022-23636 [MEDIUM] CVE-2022-23636: rust-wasmtime - Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.3... Wasmtime is an open source runtime for WebAssembly & WASI. Prior to versions 0.34.1 and 0.33.1, there exists a bug in the pooling instance allocator in Wasmtime's runtime where a failure to instantiate an instance for a module that defines an `externref` global will result in an invalid drop of a `VMExternRef` via an uninitialized pointer. A number of condit

CVE-2022-39393 [HIGH] CVE-2022-39393: rust-wasmtime - Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.... Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users should

CVE-2022-39394 [LOW] CVE-2022-39394: rust-wasmtime - Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there ... Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the function implementation to perform a 4-byte write into a 1-byte buffer provided by the

CVE-2022-24791 [HIGH] CVE-2022-24791: rust-wasmtime - Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. The... Wasmtime is a standalone JIT-style runtime for WebAssembly, using Cranelift. There is a use after free vulnerability in Wasmtime when both running Wasm that uses externrefs and enabling epoch interruption in Wasmtime. If you are not explicitly enabling epoch interruption (it is disabled by default) then you are not affected. If you are explicitly disabling the

CVE-2021-39218 [MEDIUM] CVE-2021-39218: rust-wasmtime - Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from vers... Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.26.0 and before version 0.30.0 is affected by a memory unsoundness vulnerability. There was an invalid free and out-of-bounds read and write bug when running Wasm that uses `externref`s in Wasmtime. To trigger this bug, Wasmtime needs to be running Wasm that uses `externref

CVE-2021-39216 [MEDIUM] CVE-2021-39216: rust-wasmtime - Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from vers... Wasmtime is an open source runtime for WebAssembly & WASI. In Wasmtime from version 0.19.0 and before version 0.30.0 there was a use-after-free bug when passing `externref`s from the host to guest Wasm content. To trigger the bug, you have to explicitly pass multiple `externref`s from the host to a Wasm instance at the same time, either by passing multiple `

CVE-2021-39219 [MEDIUM] CVE-2021-39219: rust-wasmtime - Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before versi... Wasmtime is an open source runtime for WebAssembly & WASI. Wasmtime before version 0.30.0 is affected by a type confusion vulnerability. As a Rust library the `wasmtime` crate clearly marks which functions are safe and which are `unsafe`, guaranteeing that if consumers never use `unsafe` then it should not be possible to have memory unsafety issues in their