Security Bug - Memory leak when calling a canister method via `ic_cdk::call`

Dear all,

We recently discovered a memory leak in the ic_cdk::call* implementation in @dfinity/cdk-rs. Canisters built in Rust with ic_cdk and ic_cdk_timers are affected. If these canisters call a canister method, use timers or heartbeat, they will likely leak a small amount of memory on every such operation. In the worst case, this could lead to heap memory exhaustion triggered by an attacker.

This is a high severity security issue and the patch has been backported to all minor versions between >= 0.8.0, <= 0.15.0. The patched versions available are 0.8.2, 0.9.3, 0.10.1, 0.11.6, 0.12.2, 0.13.5, 0.14.1, 0.15.1 and their previous versions have been yanked. Please see the GitHub Security Advisory for more information.

We encourage the ICP community to report any new issues or bugs found responsibly. Please refer to the Bug Bounty program for more information.

Please reach out to us in this thread or privately if you have any questions.


Sharing for visibility: According to this post, the security advisory on crates might contain a typo regarding the safest latest version, listing v16.0.0 instead of v0.16.0.

My bad, too many versions. I have made a PR for the fix.

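As an added example (not code from DFINITY or from this thread), the following script audits a Cargo.lock against the version list in the announcement above, taking the follow-up correction into account so that 0.16.0 and later count as fixed. It assumes the crates.io package names `ic-cdk` and `ic-cdk-timers`; since the leak is in `ic_cdk::call*`, which `ic-cdk-timers` builds on, the `ic-cdk` entry is the one assessed, and the sample lock file is constructed for illustration.

```python
import re

# Patched releases named in the advisory, keyed by minor line. Any release
# on the same minor line that is older than the patched one is vulnerable.
PATCHED = {
    (0, 8): (0, 8, 2), (0, 9): (0, 9, 3), (0, 10): (0, 10, 1), (0, 11): (0, 11, 6),
    (0, 12): (0, 12, 2), (0, 13): (0, 13, 5), (0, 14): (0, 14, 1), (0, 15): (0, 15, 1),
}
FIRST_UNAFFECTED = (0, 16, 0)  # per the correction in the thread (v0.16.0, not v16.0.0)
ASSESSED_CRATE = "ic-cdk"      # ic-cdk-timers depends on ic-cdk, so this entry covers both


def parse_version(text: str) -> tuple:
    """Turn '0.12.1' into (0, 12, 1); pre-release suffixes are dropped."""
    return tuple(int(part.split("-")[0]) for part in text.split(".")[:3])


def assess(version: str) -> str:
    """Classify one ic-cdk version against the advisory's patched list."""
    ver = parse_version(version)
    minor = ver[:2]
    if minor in PATCHED:
        return "vulnerable" if ver < PATCHED[minor] else "patched"
    if ver >= FIRST_UNAFFECTED:
        return "patched"
    return "outside advisory range"  # older than 0.8.0: not covered by this advisory


def audit_cargo_lock(cargo_lock: str) -> list:
    """Return (name, version, status) for every ic-cdk entry in a Cargo.lock."""
    findings = []
    # Cargo.lock lists each dependency as a [[package]] table with name/version lines.
    for block in re.split(r"^\[\[package\]\]\s*$", cargo_lock, flags=re.M):
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version and name.group(1) == ASSESSED_CRATE:
            findings.append((name.group(1), version.group(1), assess(version.group(1))))
    return findings


# Constructed sample lock file; the version numbers are illustrative only.
SAMPLE_CARGO_LOCK = """version = 3

[[package]]
name = "example-canister"
version = "0.1.0"

[[package]]
name = "ic-cdk"
version = "0.12.1"

[[package]]
name = "ic-cdk-timers"
version = "0.6.0"
"""

if __name__ == "__main__":
    for name, version, status in audit_cargo_lock(SAMPLE_CARGO_LOCK):
        print(f"{name} {version}: {status}")
```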