Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 876903 (CVE-2022-3171, CVE-2022-3509, CVE-2022-3510) - <dev-java/protobuf-java-{3.19.6,3.20.3}: DoS via long garbage collection pauses
Summary: <dev-java/protobuf-java-{3.19.6,3.20.3}: DoS via long garbage collection pauses
Status: RESOLVED FIXED
Alias: CVE-2022-3171, CVE-2022-3509, CVE-2022-3510
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/protocolbuffers/pr...
Whiteboard: B3 [glsa+]
Keywords: PullRequest
Depends on: 878319
Blocks:
  Show dependency tree
 
Reported: 2022-10-13 01:37 UTC by John Helmert III
Modified: 2023-01-11 05:24 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-13 01:37:16 UTC
CVE-2022-3171:

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Please bump to at least 3.20.3.
Comment 1 Thibaud CANALE 2022-10-14 18:52:20 UTC
Hello,

Here a MR on Github to answer to this bump request:
https://github.com/gentoo/gentoo/pull/26888
Comment 2 Larry the Git Cow gentoo-dev 2022-10-25 21:55:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d5369b6275cb384c0e8bd6e1efcd3107d110c1f

commit 8d5369b6275cb384c0e8bd6e1efcd3107d110c1f
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-06-24 11:11:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-25 21:55:00 +0000

    dev-java/protobuf-java: add 3.19.6, 3.20.3, 3.21.8 (bug #876903)
    
    * Adding Java team to maintainers since the only known consumer of this package
    is dev-java/jdbc-mysql which is maintained by Java team. (cherry-picked
    from PR 26066)
    
    * Also respond to CVE-2022-3171 (bug 876903).
    
    Bug: https://bugs.gentoo.org/876903
    Signed-off-by: Thibaud CANALE <thican@thican.net>
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/26066
    Closes: https://github.com/gentoo/gentoo/pull/26888
    (cherry picked from commit a119081e17f64f19094278220680e449e01da386)
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/protobuf-java/Manifest                    |   3 +
 dev-java/protobuf-java/metadata.xml                |   3 +
 dev-java/protobuf-java/protobuf-java-3.19.6.ebuild | 102 ++++++++++++++++++++
 dev-java/protobuf-java/protobuf-java-3.20.3.ebuild | 102 ++++++++++++++++++++
 dev-java/protobuf-java/protobuf-java-3.21.8.ebuild | 102 ++++++++++++++++++++
 dev-java/protobuf-java/protobuf-java-9999.ebuild   | 103 +++++++++++++++------
 6 files changed, 389 insertions(+), 26 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-25 22:11:58 UTC
Thanks! Please stabilize when ready.
Comment 4 Larry the Git Cow gentoo-dev 2022-10-26 10:54:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f850916a7422cb578d6a6e79397aeedfedc61ba

commit 5f850916a7422cb578d6a6e79397aeedfedc61ba
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-26 06:42:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-26 10:54:20 +0000

    dev-java/protobuf-java: drop 3.20.1
    
    Bug: https://bugs.gentoo.org/876903
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/27957
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/protobuf-java/Manifest                    |  1 -
 dev-java/protobuf-java/protobuf-java-3.20.1.ebuild | 54 ----------------------
 2 files changed, 55 deletions(-)
Comment 5 Thibaud CANALE 2022-10-30 11:13:52 UTC
Please don’t close this ticket while dev-java/protobuf-java-3.19.3 is still present in Portage tree, it is still affected by this vulnerability.
Source: protobuf-java’s Maven repo[0]

IMHO we should restore the LTS[0] version 3.19.6 which was deleted in commit fc8ebcedde52077364feb69dbed85a5ce41320fb[1] (and also 3.20.3); however we need to fix the ebuild with this patch (picked from commit 1f351af5b3d2d7bc69285d5d1c547de7bdb5db98[2]):
```
-       cp "../src/google/protobuf/${core_protos[@]}.proto" \
-               "${JAVA_RESOURCE_DIRS}/google/protobuf" || die
+       local core_proto
+       for core_proto in "${core_protos[@]}"; do
+               cp "../src/google/protobuf/${core_proto}.proto" \
+                  "${JAVA_RESOURCE_DIRS}/google/protobuf" \
+                       || die
+       done
```

0: https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java/3.19.3
1: https://github.com/protocolbuffers/protobuf/commit/0a722f1573e629f8c3adc8fd4d298522b667548c
2: https://github.com/gentoo/gentoo/commit/fc8ebcedde52077364feb69dbed85a5ce41320fb
3: https://github.com/gentoo/gentoo/commit/1f351af5b3d2d7bc69285d5d1c547de7bdb5db98
Comment 6 Larry the Git Cow gentoo-dev 2022-11-03 19:00:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e9de17e277796207a057c5d4a0bd6d9a735e848f

commit e9de17e277796207a057c5d4a0bd6d9a735e848f
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-11-03 18:52:30 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2022-11-03 19:00:13 +0000

    dev-java/protobuf-java: drop 3.19.3
    
    Bug: https://bugs.gentoo.org/876903
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/28126
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-java/protobuf-java/Manifest                    |  1 -
 dev-java/protobuf-java/protobuf-java-3.19.3.ebuild | 55 ----------------------
 2 files changed, 56 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-04 03:35:32 UTC
Thanks!
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 18:14:53 UTC
GLSA request filed
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-15 06:17:20 UTC
CVE-2022-3509 (https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9):

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-15 06:19:14 UTC
CVE-2022-3510 (https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48):

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Comment 11 Larry the Git Cow gentoo-dev 2023-01-11 05:22:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=da9b5483883fcc611753d44d34c0ede9188ce21c

commit da9b5483883fcc611753d44d34c0ede9188ce21c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:19:53 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:11 +0000

    [ GLSA 202301-09 ] protobuf-java: Denial of Service
    
    Bug: https://bugs.gentoo.org/876903
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-09.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-11 05:24:36 UTC
GLSA released, all done!