Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 872434 (CVE-2022-1941)

Summary: <dev-libs/protobuf-{3.19.6,3.20.3} <dev-python/protobuf-python-3.19.6: denial of service via OOM
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: arfrever.fta, cjk
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
See Also: https://github.com/gentoo/gentoo/pull/31647
Whiteboard: A3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 905797    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-23 02:50:23 UTC 
CVE-2022-1941 (https://cloud.google.com/support/bulletins#GCP-2022-019):

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

Please bump to 3.20.2.
Comment 1 Larry the Git Cow gentoo-dev 2023-06-27 20:14:53 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ff3e7e2d1447f4377cdeb6824f1563aa79a560e

commit 7ff3e7e2d1447f4377cdeb6824f1563aa79a560e
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-06-27 19:40:24 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-06-27 20:14:35 +0000

    dev-libs/protobuf: drop 3.19.3, 3.19.6, 3.20.1-r1, 3.20.3, 21.8
    
    Bug: https://bugs.gentoo.org/905797
    Bug: https://bugs.gentoo.org/872434
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/protobuf/Manifest                         |   5 -
 ...protobuf-3.16.0-protoc_input_output_files.patch | 240 ---------------------
 dev-libs/protobuf/protobuf-21.8.ebuild             | 148 -------------
 dev-libs/protobuf/protobuf-3.19.3.ebuild           | 146 -------------
 dev-libs/protobuf/protobuf-3.19.6.ebuild           | 151 -------------
 dev-libs/protobuf/protobuf-3.20.1-r1.ebuild        | 143 ------------
 dev-libs/protobuf/protobuf-3.20.3.ebuild           | 148 -------------
 7 files changed, 981 deletions(-)
Comment 2 Andreas Sturmlechner gentoo-dev 2023-06-27 20:17:04 UTC 
Cleanup done after maintainer timeout.