904423 – (CVE-2022-48468) <dev-libs/protobuf-c-1.4.1: unsigned integer overflow

Bug 904423 (CVE-2022-48468) - <dev-libs/protobuf-c-1.4.1: unsigned integer overflow

Summary: <dev-libs/protobuf-c-1.4.1: unsigned integer overflow

Status:	CONFIRMED

Alias:	CVE-2022-48468

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/protobuf-c/protobu...
Whiteboard:	B3 [glsa?]
Keywords:

Depends on:	905098 866440 905101
Blocks:
	Show dependency tree

Reported:	2023-04-17 04:15 UTC by John Helmert III
Modified:	2023-10-02 16:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-04-17 04:15:30 UTC

CVE-2022-48468:

protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.

Fix, in 1.4.1: https://github.com/protobuf-c/protobuf-c/commit/ec3d900001a13ccdaa8aef996b34c61159c76217

Comment 1 Larry the Git Cow gentoo-dev

2023-10-02 16:53:31 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18f7c3dc5579906aceb8ba0426c9d913519709e9

commit 18f7c3dc5579906aceb8ba0426c9d913519709e9
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-10-02 16:52:43 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-02 16:53:27 +0000

    dev-libs/protobuf-c: drop 1.4.0-r1
    
    Bug: https://bugs.gentoo.org/904423
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-libs/protobuf-c/Manifest                   |  1 -
 dev-libs/protobuf-c/protobuf-c-1.4.0-r1.ebuild | 53 --------------------------
 2 files changed, 54 deletions(-)