CVE-2022-3171: A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. Please bump to at least 3.20.3.
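As an added illustration (not part of the original report, nor code from the protobuf project), the following self-contained Python builds a binary payload of the shape the advisory describes: field 1 is assumed to be declared as a singular embedded message but is sent repeatedly, and each copy carries a repeated field (field 2) and a field the receiver's schema does not declare (field 99, which the receiver has to keep as an unknown field). A schema-less walk over the wire format then counts how often the singular field occurs, and a byte-level concatenation shows what the parser's merge of those copies amounts to. The field numbers, the schema assumed for field 1 and the payload sizes are constructed for illustration; the code does not use protobuf-java and does not measure GC behaviour.

```python
from __future__ import annotations

from typing import Iterator

# Wire types of the protobuf binary format (groups, types 3 and 4, are not produced here).
WIRE_VARINT, WIRE_FIXED64, WIRE_LEN, WIRE_FIXED32 = 0, 1, 2, 5


def encode_varint(value: int) -> bytes:
    """Base-128 varint: 7 bits per byte, least significant group first, MSB set on continuation."""
    if value < 0:
        raise ValueError("this example only encodes non-negative values")
    out = bytearray()
    while True:
        group, value = value & 0x7F, value >> 7
        if value:
            out.append(group | 0x80)
        else:
            out.append(group)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (value, position after the varint); rejects truncated or over-long input."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def tag(field_number: int, wire_type: int) -> bytes:
    """A field key is the varint of (field_number << 3 | wire_type)."""
    return encode_varint((field_number << 3) | wire_type)


def varint_field(field_number: int, value: int) -> bytes:
    return tag(field_number, WIRE_VARINT) + encode_varint(value)


def len_field(field_number: int, payload: bytes) -> bytes:
    """Length-delimited field, the encoding used for strings, bytes and embedded messages."""
    return tag(field_number, WIRE_LEN) + encode_varint(len(payload)) + payload


def build_submessage(repeats: int) -> bytes:
    """Constructed embedded message: field 2 holds `repeats` unpacked repeated varints,
    field 99 is assumed to be absent from the receiver's schema (kept as unknown)."""
    body = b"".join(varint_field(2, i) for i in range(repeats))
    return body + varint_field(99, 0xDEAD)


def build_payload(instances: int, repeats: int = 3) -> bytes:
    """Top-level message in which field 1 (assumed declared singular) is emitted `instances` times."""
    sub = build_submessage(repeats)
    return b"".join(len_field(1, sub) for _ in range(instances))


def iter_fields(buf: bytes) -> Iterator[tuple[int, int, bytes | int]]:
    """Schema-less walk over one serialized message, yielding (field, wire_type, value)."""
    pos = 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        field, wire_type = key >> 3, key & 0x7
        if field == 0:
            raise ValueError("field number 0 is not allowed")
        if wire_type == WIRE_VARINT:
            value, pos = decode_varint(buf, pos)
        elif wire_type in (WIRE_FIXED64, WIRE_FIXED32):
            width = 8 if wire_type == WIRE_FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError("fixed-width field overruns buffer")
            value, pos = buf[pos:pos + width], pos + width
        elif wire_type == WIRE_LEN:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field overruns buffer")
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"wire type {wire_type} (groups) not handled here")
        yield field, wire_type, value


def count_occurrences(buf: bytes, field_number: int) -> int:
    return sum(1 for field, _, _ in iter_fields(buf) if field == field_number)


def merged_submessage(buf: bytes, field_number: int) -> bytes:
    """Concatenating the serialized copies of an embedded-message field is the wire-level
    equivalent of the merge a parser performs when a singular message field repeats."""
    return b"".join(value for field, wt, value in iter_fields(buf)
                    if field == field_number and wt == WIRE_LEN)


def excess_singular_messages(buf: bytes, singular_message_fields: set[int],
                             limit: int = 1) -> dict[int, int]:
    """Pre-parse triage: caller-declared singular message fields seen more than `limit` times."""
    counts: dict[int, int] = {}
    for field, wt, _ in iter_fields(buf):
        if field in singular_message_fields and wt == WIRE_LEN:
            counts[field] = counts.get(field, 0) + 1
    return {f: n for f, n in counts.items() if n > limit}


if __name__ == "__main__":
    payload = build_payload(instances=4)
    print("field 1 occurrences:", count_occurrences(payload, 1))
    print("over limit:", excess_singular_messages(payload, {1}))
    print("repeated entries after merge:", count_occurrences(merged_submessage(payload, 1), 2))
```

Because the walk is schema-less, the caller has to tell excess_singular_messages which field numbers its own .proto declares as singular messages; the check is a cheap pre-parse triage for inbound data, not a substitute for moving to one of the fixed releases.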
Hello, here is an MR on GitHub to answer this bump request: https://github.com/gentoo/gentoo/pull/26888
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d5369b6275cb384c0e8bd6e1efcd3107d110c1f

commit 8d5369b6275cb384c0e8bd6e1efcd3107d110c1f
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-06-24 11:11:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-25 21:55:00 +0000

    dev-java/protobuf-java: add 3.19.6, 3.20.3, 3.21.8 (bug #876903)

    * Adding Java team to maintainers since the only known consumer of this
      package is dev-java/jdbc-mysql which is maintained by Java team.
      (cherry-picked from PR 26066)
    * Also respond to CVE-2022-3171 (bug 876903).

    Bug: https://bugs.gentoo.org/876903
    Signed-off-by: Thibaud CANALE <thican@thican.net>
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/26066
    Closes: https://github.com/gentoo/gentoo/pull/26888
    (cherry picked from commit a119081e17f64f19094278220680e449e01da386)
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/protobuf-java/Manifest                    |   3 +
 dev-java/protobuf-java/metadata.xml                |   3 +
 dev-java/protobuf-java/protobuf-java-3.19.6.ebuild | 102 ++++++++++++++++++++
 dev-java/protobuf-java/protobuf-java-3.20.3.ebuild | 102 ++++++++++++++++++++
 dev-java/protobuf-java/protobuf-java-3.21.8.ebuild | 102 ++++++++++++++++++++
 dev-java/protobuf-java/protobuf-java-9999.ebuild   | 103 +++++++++++++++------
 6 files changed, 389 insertions(+), 26 deletions(-)
Thanks! Please stabilize when ready.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f850916a7422cb578d6a6e79397aeedfedc61ba

commit 5f850916a7422cb578d6a6e79397aeedfedc61ba
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-26 06:42:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-26 10:54:20 +0000

    dev-java/protobuf-java: drop 3.20.1

    Bug: https://bugs.gentoo.org/876903
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/27957
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/protobuf-java/Manifest                    |  1 -
 dev-java/protobuf-java/protobuf-java-3.20.1.ebuild | 54 ----------------------
 2 files changed, 55 deletions(-)
Please don’t close this ticket while dev-java/protobuf-java-3.19.3 is still present in the Portage tree; it is still affected by this vulnerability. Source: protobuf-java’s Maven repo[0]

IMHO we should restore the LTS[1] version 3.19.6 which was deleted in commit fc8ebcedde52077364feb69dbed85a5ce41320fb[2] (and also 3.20.3); however we need to fix the ebuild with this patch (picked from commit 1f351af5b3d2d7bc69285d5d1c547de7bdb5db98[3]):

```
- cp "../src/google/protobuf/${core_protos[@]}.proto" \
- "${JAVA_RESOURCE_DIRS}/google/protobuf" || die
+ local core_proto
+ for core_proto in "${core_protos[@]}"; do
+ cp "../src/google/protobuf/${core_proto}.proto" \
+ "${JAVA_RESOURCE_DIRS}/google/protobuf" \
+ || die
+ done
```

0: https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java/3.19.3
1: https://github.com/protocolbuffers/protobuf/commit/0a722f1573e629f8c3adc8fd4d298522b667548c
2: https://github.com/gentoo/gentoo/commit/fc8ebcedde52077364feb69dbed85a5ce41320fb
3: https://github.com/gentoo/gentoo/commit/1f351af5b3d2d7bc69285d5d1c547de7bdb5db98
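Review bot: In the removed `cp` line, `"../src/google/protobuf/${core_protos[@]}.proto"` expands the array inside a single double-quoted word, so only the first element receives the directory prefix and only the last receives the `.proto` suffix; the per-file loop in the added lines is the right fix. Consider naming the file in the failure message, e.g. `|| die "failed to copy ${core_proto}.proto"`, so a build log shows which proto was missing instead of a bare `die`.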
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9de17e277796207a057c5d4a0bd6d9a735e848f

commit e9de17e277796207a057c5d4a0bd6d9a735e848f
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-11-03 18:52:30 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2022-11-03 19:00:13 +0000

    dev-java/protobuf-java: drop 3.19.3

    Bug: https://bugs.gentoo.org/876903
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/28126
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-java/protobuf-java/Manifest                    |  1 -
 dev-java/protobuf-java/protobuf-java-3.19.3.ebuild | 55 ----------------------
 2 files changed, 56 deletions(-)
Thanks!
GLSA request filed
CVE-2022-3509 (https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9): A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
CVE-2022-3510 (https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48): A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=da9b5483883fcc611753d44d34c0ede9188ce21c

commit da9b5483883fcc611753d44d34c0ede9188ce21c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:19:53 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:11 +0000

    [ GLSA 202301-09 ] protobuf-java: Denial of Service

    Bug: https://bugs.gentoo.org/876903
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-09.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
GLSA released, all done!