Bug 830935 (CVE-2021-22569)

Summary:	dev-java/protobuf-java: A potential DoS issue in protobuf-java in the parsing procedure for binary data (CVE-2021-22569)
Product:	Gentoo Security	Reporter:	filip ambroz <filip.ambroz>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	minor	CC:	arfrever.fta, java
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://nvd.nist.gov/vuln/detail/CVE-2021-22569
Whiteboard:	B3 [ebuild]
Package list:		Runtime testing required:	---

Description filip ambroz 2022-01-10 18:03:07 UTC

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses.

URLs:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
https://cloud.google.com/support/bulletins#gcp-2022-001

Fixed in versions: 3.16.1, 3.18.2, 3.19.2

Reproducible: Always

Comment 1 Arfrever Frehtes Taifersar Arahesis 2022-01-11 20:11:53 UTC

I am working on it.
3.16.1 will be skipped. 3.16.* will be deleted soon.
Some reverse dependencies depend on <3.19, so 3.18.2 will be added too.

Comment 2 John Helmert III archtester

2022-01-11 20:32:44 UTC

(In reply to Arfrever Frehtes Taifersar Arahesis from comment #1)
> I am working on it.
> 3.16.1 will be skipped. 3.16.* will be deleted soon.
> Some reverse dependencies depend on <3.19, so 3.18.2 will be added too.

Why?

Comment 3 John Helmert III archtester

2022-01-11 20:34:36 UTC

Test case was closed as invalid and the bug marked as reproducible, so I guess this is invalid.

Comment 4 Arfrever Frehtes Taifersar Arahesis 2022-01-12 20:32:41 UTC

https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67