Hi, The following vulnerabilities were published for wabt. CVE-2023-27115[0]: | WebAssembly v1.0.29 was discovered to contain a segmentation fault via | the component wabt::cat_compute_size. https://github.com/WebAssembly/wabt/issues/1938 https://github.com/WebAssembly/wabt/issues/1992 CVE-2023-27116[1]: | WebAssembly v1.0.29 discovered to contain an abort in | CWriter::MangleType. https://github.com/WebAssembly/wabt/issues/1984 https://github.com/WebAssembly/wabt/pull/2119 https://github.com/WebAssembly/wabt/commit/8a7b7497bdf78f9099f8d5a3a2c9bde87ddd52da CVE-2023-27117[2]: | WebAssembly v1.0.29 was discovered to contain a heap overflow via the | component component wabt::Node::operator. https://github.com/WebAssembly/wabt/issues/1989 CVE-2023-27119[3]: | WebAssembly v1.0.29 was discovered to contain a segmentation fault via | the component wabt::Decompiler::WrapChild. https://github.com/WebAssembly/wabt/issues/1990 If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-27115 https://www.cve.org/CVERecord?id=CVE-2023-27115 [1] https://security-tracker.debian.org/tracker/CVE-2023-27116 https://www.cve.org/CVERecord?id=CVE-2023-27116 [2] https://security-tracker.debian.org/tracker/CVE-2023-27117 https://www.cve.org/CVERecord?id=CVE-2023-27117 [3] https://security-tracker.debian.org/tracker/CVE-2023-27119 https://www.cve.org/CVERecord?id=CVE-2023-27119 Please adjust the affected versions in the BTS as needed.
With version 1.0.36+dfsg+~cs1.0.36-1 (just uploaded), I can't reproduce any of those. https://github.com/WebAssembly/wabt/issues/1938 so this one should be good. However the four other issues concern asan-debug builds, supposedly there is no crash with regular builds. Jérémy