An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. URLs: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330 https://cloud.google.com/support/bulletins#gcp-2022-001 Fixed in versions: 3.16.1, 3.18.2, 3.19.2 Reproducible: Always
I am working on it. 3.16.1 will be skipped. 3.16.* will be deleted soon. Some reverse dependencies depend on <3.19, so 3.18.2 will be added too.
(In reply to Arfrever Frehtes Taifersar Arahesis from comment #1) > I am working on it. > 3.16.1 will be skipped. 3.16.* will be deleted soon. > Some reverse dependencies depend on <3.19, so 3.18.2 will be added too. Why?
Test case was closed as invalid and the bug marked as reproducible, so I guess this is invalid.
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67