Product Research Enterprise Plans Docs

PyPi: Wasmtime

CVE-2021-39219

Transitive

Safety vulnerability ID: 41963

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 17, 2021 Updated at Apr 23, 2024

Scan your Python projects for vulnerabilities →

Advisory

Wasmtime version 0.30.0 (Python bindings) downloads a new precompiled version of Wastime core that includes security fixes.

Affected package

wasmtime

Latest version: 20.0.0

A WebAssembly runtime powered by Wasmtime

Affected versions

Fixed versions

Vulnerability changelog

Released 2021-09-17.

Security Fixes

* [CVE-2021-39216](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-v4cp-h94r-m7xf):
Fixed a use after free passing `externref`s to Wasm in Wasmtime.

* [CVE-2021-39218](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4873-36h9-wv49):
Fixed an out-of-bounds read/write and invalid free with `externref`s and GC
safepoints in Wasmtime.

* [CVE-2021-39219](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q879-9g95-56mx):
Fixed a bug where using two different `Engine`s with the same `Linker`-define
functions caused unsafety without `unsafe` blocks.

Added

* Added experimental support for the in-progress 64-bit memories Wasm proposal.

* Added support to build Wasmtime without the compiler. This lets you run
pre-compiled Wasm modules, without the ability (or potential attack surface)
of compiling new Wasm modules. The compilation functionality is gated by the
on-by-default `cranelift` cargo feature.

* Added support for NaN canonicalization with SIMD vectors.

* Added support for differential fuzzing against V8's Wasm engine.

* Added support for fuzzing against the Wasm spec interpreter.

* Enabled SIMD fuzzing on oss-fuzz.

Changed

* A variety of performance improvements to loading pre-compiled modules.

* A variety of performance improvements to function calls, both through Rust and
the C API.

* Leaf functions that do not use the stack no longer bump the frame pointer on
aarch64 and s390x.

* Many updates and expanded instruction support to the in-progress CLIF
interpreter.

* Expanded fuzzing of reference types and GC.

Fixed

* A number of fixes to both aarch64 and x86_64 support for the Wasm SIMD
proposal and the underlying CLIF vector instructions.

* Fixed a potential infinite loop in the SSA computation for
`cranelift-frontend`. This was not reachable from `cranelift-wasm` or
Wasmtime, but might have affected general Cranelift users.

Removed

* The `wasmtime wasm2obj` subcommand has been removed. Generating raw object
files for linking natively is no longer supported. Use the `wasmtime compile`
subcommand to pre-compile a Wasm module and `wasmtime run` to run pre-compiled
Wasm modules.

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39219

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

MEDIUM 6.3

CVSS v3 Details

MEDIUM 6.3

Attack Vector (AV): LOCAL
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): HIGH
Availability Availability (A): HIGH

CVSS v2 Details

LOW 3.3

Access Vector (AV): LOCAL
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL