Bug 1223240 - VUL-0: CVE-2024-32650: spotifyd: rust-rustls: Infinite loop in rustls::conn::ConnectionCommon:complete_io() with proper client input
Summary: VUL-0: CVE-2024-32650: spotifyd: rust-rustls: Infinite loop in rustls::conn::...
Status: REOPENED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assignee: Matthias Mailänder
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/402742/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-32650:7.5:(AV:...
Keywords:
Depends on:
Blocks: CVE-2024-32650
Reported: 2024-04-22 11:41 UTC by Carlos López
Modified: 2024-04-29 14:36 UTC (History)
CC List: 14 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2024-04-22 11:41:32 UTC
spotifyd embeds rust-rustls:

Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete_io` will get into an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-32650
https://bugzilla.redhat.com/show_bug.cgi?id=2276085
https://www.cve.org/CVERecord?id=CVE-2024-32650
https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d
https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e
https://github.com/rustls/rustls/commit/f45664fbded03d833dffd806503d3c8becd1b71e
https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
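The loop shape the advisory describes, as an added example that is not part of this report or of rustls itself: a toy blocking server driver in Rust modelled on the `complete_io` pattern (write whatever is pending, read while the connection wants input, process, repeat until the handshake completes). The `ToyServer` and `FakeSocket` types, the one-byte record codes and the constructed client input (`client_hello` followed immediately by `close_notify`) are assumptions for illustration. The guard that treats a `close_notify` received mid-handshake as EOF is one way to break the loop; it is not necessarily how the linked upstream commits fix it.

```rust
use std::io::{self, Cursor, Read, Write};

// Constructed one-byte "records"; enough to model the exchange in the report.
pub const CLIENT_HELLO: u8 = 0x01;
pub const CLIENT_FINISHED: u8 = 0x14;
pub const CLOSE_NOTIFY: u8 = 0x15;
pub const SERVER_HELLO: u8 = 0x02;

/// Hypothetical server state; not rustls' ConnectionCommon.
#[derive(Default)]
pub struct ToyServer {
    handshaking: bool,
    received_close_notify: bool,
    sendable_tls: Vec<u8>, // queued outgoing records (e.g. ServerHello)
    inbox: Vec<u8>,        // records read but not yet processed
}

impl ToyServer {
    pub fn new() -> Self {
        ToyServer { handshaking: true, ..Default::default() }
    }
    fn wants_write(&self) -> bool { !self.sendable_tls.is_empty() }
    // Once close_notify has arrived the peer will send nothing more, so no read is wanted.
    fn wants_read(&self) -> bool { self.handshaking && !self.received_close_notify }

    fn write_tls(&mut self, io: &mut impl Write) -> io::Result<usize> {
        let n = io.write(&self.sendable_tls)?;
        self.sendable_tls.drain(..n);
        Ok(n)
    }
    fn read_tls(&mut self, io: &mut impl Read) -> io::Result<usize> {
        let mut buf = [0u8; 1]; // one record per read keeps the trace easy to follow
        let n = io.read(&mut buf)?;
        self.inbox.extend_from_slice(&buf[..n]);
        Ok(n)
    }
    fn process_new_packets(&mut self) {
        for rec in self.inbox.drain(..) {
            match rec {
                CLIENT_HELLO => self.sendable_tls.push(SERVER_HELLO),
                CLIENT_FINISHED => self.handshaking = false,
                CLOSE_NOTIFY => self.received_close_notify = true,
                _ => {}
            }
        }
    }
}

/// Blocking driver in the vulnerable shape. `fuse` bounds the loop so the demo
/// terminates; without it, iteration three onward would spin forever on the
/// close_notify input because nothing is wanted, nothing is read, and the
/// handshake never finishes. With `guard_close_notify`, that state is reported.
pub fn complete_io<T: Read + Write>(
    srv: &mut ToyServer, io: &mut T, guard_close_notify: bool, fuse: usize,
) -> io::Result<(usize, usize)> {
    let (mut eof, mut rdlen, mut wrlen) = (false, 0usize, 0usize);
    for _ in 0..fuse {
        while srv.wants_write() { wrlen += srv.write_tls(io)?; }
        io.flush()?;
        while !eof && srv.wants_read() {
            match srv.read_tls(io)? {
                0 => eof = true,
                n => { rdlen += n; break; }
            }
        }
        srv.process_new_packets();
        if !srv.handshaking { return Ok((rdlen, wrlen)); }
        if eof { return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "tls handshake eof")); }
        if guard_close_notify && srv.received_close_notify {
            return Err(io::Error::new(io::ErrorKind::UnexpectedEof, "close_notify during handshake"));
        }
    }
    Err(io::Error::new(io::ErrorKind::Other, "no progress: loop fuse tripped"))
}

/// Half-duplex fake socket: client bytes are read from `input`, server bytes land in `output`.
pub struct FakeSocket { input: Cursor<Vec<u8>>, pub output: Vec<u8> }
impl FakeSocket {
    pub fn new(from_client: &[u8]) -> Self {
        FakeSocket { input: Cursor::new(from_client.to_vec()), output: Vec::new() }
    }
}
impl Read for FakeSocket {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> { self.input.read(buf) }
}
impl Write for FakeSocket {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> { self.output.extend_from_slice(buf); Ok(buf.len()) }
    fn flush(&mut self) -> io::Result<()> { Ok(()) }
}

/// Drives a fresh server over a constructed client byte stream.
pub fn run_with(from_client: &[u8], guard: bool) -> io::Result<(usize, usize)> {
    let mut srv = ToyServer::new();
    let mut sock = FakeSocket::new(from_client);
    complete_io(&mut srv, &mut sock, guard, 1_000)
}

fn main() {
    let hostile = [CLIENT_HELLO, CLOSE_NOTIFY]; // the input from the advisory, constructed
    println!("unguarded: {:?}", run_with(&hostile, false));
    println!("guarded:   {:?}", run_with(&hostile, true));
}
```

The unguarded run only returns because of the fuse; the guarded run fails fast with `UnexpectedEof`, the same outcome a plain socket close after `client_hello` already produced. A server using a blocking driver of this shape should treat both cases as the peer having gone away rather than as "keep waiting".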
Comment 1 Dave Plater 2024-04-22 13:04:31 UTC
The current version of spotifyd is the latest available version, 0.3.5. Although the reporter suggests that the vulnerability is fixed in lesser versions, I'm assuming the fix is still there. Spotifyd isn't present in distributions Leap:15.5 and less.
Comment 2 Carlos López 2024-04-22 13:09:50 UTC
(In reply to Dave Plater from comment #1)
> The current version of spotifyd is the latest available version 0.3.5.
> Although the reporter suggests that the vulnerability is fixed in lesser
> versions I'm assuming the fix is still there. Spotifyd isn't present in
> distributions Leap:15.5 and less.

0.20.x is affected according to the Github advisory:

> Verified at 0.22 and 0.23 rustls, but 0.21 and 0.20 release lines are also affected.

https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
Comment 3 Dave Plater 2024-04-22 13:38:02 UTC
I have no knowledge of Rust and, as far as Spotify goes, the only player that works for me is the snap package.
I've found this commit message:
 Bump rustls from 0.21.10 to 0.21.11

Bumps [rustls](https://github.com/rustls/rustls) from 0.21.10 to 0.21.11.
- [Release notes](https://github.com/rustls/rustls/releases)
- [Changelog](https://github.com/rustls/rustls/blob/main/CHANGELOG.md)
- [Commits](rustls/rustls@v/0.21.10...v/0.21.11)

So somebody needs to update spotifyd to the latest git.
Comment 10 Takashi Iwai 2024-04-29 14:36:32 UTC
FWIW, spotifyd was dropped from FACTORY due to the long-time build error in the end, independently of this report itself.