swift package update
Slightly longer version
After an initial report from @Pushkar_N_Kulkarni (thank you!) we recently identified a severe security vulnerability in SwiftNIO's ByteBuffer code. It is fixed in the following releases: 1.0.1, 1.1.1, 1.2.2, 1.3.2, 1.4.3, 1.5.2, 1.6.2, 1.7.3, 1.8.0. All other SwiftNIO versions are affected.
What should I do?
- please run `swift package update` in any project that uses SwiftNIO
- make sure that after running this command you're using one of the unaffected SwiftNIO versions (to see which version you're currently using, run `cat Package.resolved | grep -A7 '"swift-nio"' | grep version`; the version it prints must be one of the fixed releases listed above)
Optional further steps:
- to make sure your application can never be built against an affected SwiftNIO version, change the SwiftNIO dependency to `.package(url: "https://github.com/apple/swift-nio.git", from: "1.8.0")` (`from:` accepts 1.8.0 and any later 1.x release, all of which contain the fix)
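The version check above can be turned into a CI guard that fails the build when the pinned SwiftNIO release is not one of the fixed ones. The script below is an added example, not part of the advisory or of SwiftNIO itself; it assumes the SwiftPM v1 `Package.resolved` pin layout (`"package"`, `"repositoryURL"`, `"state": { "version": ... }`) that `swift package update` wrote at the time, and the sample `Package.resolved` it parses is constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the SwiftNIO project): fail a build
# when the resolved swift-nio version is not one of the fixed releases.

# Fixed releases copied from the advisory.
FIXED_NIO_VERSIONS="1.0.1 1.1.1 1.2.2 1.3.2 1.4.3 1.5.2 1.6.2 1.7.3 1.8.0"

# Print the pinned swift-nio version from a Package.resolved ($1), or nothing
# if swift-nio is not pinned to a tagged version (e.g. a branch pin has
# "version": null and is deliberately not matched by the quoted pattern).
nio_version_from_resolved() {
    grep -A7 '"swift-nio"' "$1" | grep '"version"' | head -n 1 \
        | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 if $1 is exactly one of the fixed versions, 1 otherwise.
# Exact match is intentional: "1.8" or "1.7.3-rc1" are not known-good tags.
nio_version_is_fixed() {
    for v in $FIXED_NIO_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# CI entry point: 0 = fixed release, 1 = affected, missing, or unparseable.
check_resolved() {
    ver=$(nio_version_from_resolved "$1")
    if [ -z "$ver" ]; then
        echo "no tagged swift-nio pin found in $1" >&2
        return 1
    fi
    if nio_version_is_fixed "$ver"; then
        echo "swift-nio $ver: fixed release"
        return 0
    fi
    echo "swift-nio $ver: AFFECTED, run 'swift package update'" >&2
    return 1
}

# Constructed sample Package.resolved (not from a real project) so this runs
# offline; 1.7.2 is an affected release, the revision is a placeholder.
SAMPLE_RESOLVED=$(mktemp)
cat > "$SAMPLE_RESOLVED" <<'EOF'
{
  "object": {
    "pins": [
      {
        "package": "swift-nio",
        "repositoryURL": "https://github.com/apple/swift-nio.git",
        "state": {
          "branch": null,
          "revision": "0000000000000000000000000000000000000000",
          "version": "1.7.2"
        }
      }
    ]
  },
  "version": 1
}
EOF

# Expected for the sample: "swift-nio 1.7.2: AFFECTED ..." and a non-zero status.
check_resolved "$SAMPLE_RESOLVED" || true
```

Drop the sample section and call `check_resolved Package.resolved` from the CI job; a non-zero exit blocks the merge until the pin has been updated.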
In all prior NIO releases (that means all except 1.0.1, 1.1.1, 1.2.2, 1.3.2, 1.4.3, 1.5.2, 1.6.2, 1.7.3, 1.8.0) ByteBuffer had a very bad (exploitable!) security vulnerability, triggered when all of the following conditions are true:
- the user writes to a `ByteBuffer` that is a slice (`slice.lowerBound != 0`)
- the slice is uniquely referenced (i.e. the buffer it was sliced from is gone)
- the write triggers a re-allocation
Then the slice ends up claiming more capacity than the backing storage actually has, so a subsequent write to that `ByteBuffer` can land out of bounds.