CVE-2022-1941 (https://cloud.google.com/support/bulletins#GCP-2022-019): A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated. Please bump to 3.20.2.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ff3e7e2d1447f4377cdeb6824f1563aa79a560e commit 7ff3e7e2d1447f4377cdeb6824f1563aa79a560e Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2023-06-27 19:40:24 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2023-06-27 20:14:35 +0000 dev-libs/protobuf: drop 3.19.3, 3.19.6, 3.20.1-r1, 3.20.3, 21.8 Bug: https://bugs.gentoo.org/905797 Bug: https://bugs.gentoo.org/872434 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> dev-libs/protobuf/Manifest | 5 - ...protobuf-3.16.0-protoc_input_output_files.patch | 240 --------------------- dev-libs/protobuf/protobuf-21.8.ebuild | 148 ------------- dev-libs/protobuf/protobuf-3.19.3.ebuild | 146 ------------- dev-libs/protobuf/protobuf-3.19.6.ebuild | 151 ------------- dev-libs/protobuf/protobuf-3.20.1-r1.ebuild | 143 ------------ dev-libs/protobuf/protobuf-3.20.3.ebuild | 148 ------------- 7 files changed, 981 deletions(-)
Cleanup done after maintainer timeout.
