Bug 872434 (CVE-2022-1941) - <dev-libs/protobuf-{3.19.6,3.20.3} <dev-python/protobuf-python-3.19.6: denial of service via OOM
Status: RESOLVED FIXED
Alias: CVE-2022-1941
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/protocolbuffers/pr...
Whiteboard: A3 [glsa+]
Keywords: PullRequest
Depends on: 905797
Blocks:
Reported: 2022-09-23 02:50 UTC by John Helmert III
Modified: 2024-08-12 07:21 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-23 02:50:23 UTC
CVE-2022-1941 (https://cloud.google.com/support/bulletins#GCP-2022-019):

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Please bump to 3.20.2.
Comment 1 Larry the Git Cow gentoo-dev 2023-06-27 20:14:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ff3e7e2d1447f4377cdeb6824f1563aa79a560e

commit 7ff3e7e2d1447f4377cdeb6824f1563aa79a560e
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-06-27 19:40:24 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-06-27 20:14:35 +0000

    dev-libs/protobuf: drop 3.19.3, 3.19.6, 3.20.1-r1, 3.20.3, 21.8
    
    Bug: https://bugs.gentoo.org/905797
    Bug: https://bugs.gentoo.org/872434
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/protobuf/Manifest                         |   5 -
 ...protobuf-3.16.0-protoc_input_output_files.patch | 240 ---------------------
 dev-libs/protobuf/protobuf-21.8.ebuild             | 148 -------------
 dev-libs/protobuf/protobuf-3.19.3.ebuild           | 146 -------------
 dev-libs/protobuf/protobuf-3.19.6.ebuild           | 151 -------------
 dev-libs/protobuf/protobuf-3.20.1-r1.ebuild        | 143 ------------
 dev-libs/protobuf/protobuf-3.20.3.ebuild           | 148 -------------
 7 files changed, 981 deletions(-)
Comment 2 Andreas Sturmlechner gentoo-dev 2023-06-27 20:17:04 UTC
Cleanup done after maintainer timeout.
Comment 3 Larry the Git Cow gentoo-dev 2024-08-12 07:20:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2f6aff36eb5357a44986d0796e5e12a82f047517

commit 2f6aff36eb5357a44986d0796e5e12a82f047517
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-12 07:20:36 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-12 07:20:43 +0000

    [ GLSA 202408-31 ] protobuf, protobuf-python: Denial of Service
    
    Bug: https://bugs.gentoo.org/872434
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-31.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)