Advisories for Cargo/Cosmwasm-Vm package

CWA-2024-008 Severity Medium (Moderate + Likely)[^1] Affected versions: wasmvm >= 2.1.0, < 2.1.3 wasmvm >= 2.0.0, < 2.0.4 wasmvm < 1.5.5 cosmwasm-vm >= 2.1.0, < 2.1.4 cosmwasm-vm >= 2.0.0, < 2.0.7 cosmwasm-vm < 1.5.8 Patched versions: wasmvm 1.5.5, 2.0.4, 2.1.3 cosmwasm-vm 1.5.8, 2.0.7, 2.1.4 Description of the bug (Blank for now. We'll add more detail once chains had a chance to upgrade.) Patch 1.5: https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd 2.0: https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4 2.1: https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb Applying …

CWA-2024-007 Severity Medium (Moderate + Likely)[^1] Affected versions: wasmvm >= 2.1.0, < 2.1.3 wasmvm >= 2.0.0, < 2.0.4 wasmvm < 1.5.5 cosmwasm-vm >= 2.1.0, < 2.1.4 cosmwasm-vm >= 2.0.0, < 2.0.7 cosmwasm-vm < 1.5.8 Patched versions: wasmvm 1.5.5, 2.0.4, 2.1.3 cosmwasm-vm 1.5.8, 2.0.7, 2.1.4 Description of the bug (Blank for now. We'll add more detail once chains had a chance to upgrade.) Patch 1.5: https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea 2.0: https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9 2.1: https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492 Applying …

A specifically crafted Wasm file can cause the VM to consume excessive amounts of memory when compiling a contract. This can lead to high memory usage, slowdowns, potentially a crash and can poison a lock in the VM, preventing any further interaction with contracts. For more information, see CWA-2023-004.

Component: wasmvm Criticality: Medium (ACMv1: I:Moderate; L:Likely) Patched versions: wasmvm 1.5.4, 2.0.3, 2.1.2