Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Latest version of google.golang.org/protobuf (v1.33.0) is no longer compatible with the latest version of github.com/golang/protobuf (v1.5.3) #1596

Closed
vadimsht opened this issue Mar 5, 2024 · 9 comments

Comments

@vadimsht
Copy link

vadimsht commented Mar 5, 2024

What version of protobuf and what language are you using?
google.golang.org/protobuf (v1.33.0)
github.com/golang/protobuf (v1.5.3)

What did you do?
Trying to compile a package that imports github.com/golang/protobuf/protoc-gen-go/descriptor results in

# github.com/golang/protobuf/protoc-gen-go/descriptor
../../../../../../../golang/modcache/github.com/golang/protobuf@v1.5.3/protoc-gen-go/descriptor/descriptor.pb.go:106:61: undefined: descriptorpb.Default_FileOptions_PhpGenericServices

What did you expect to see?

No build errors :)

What did you see instead?

Build errors :)

This seems to be a combination of protocolbuffers/protobuf-go@99e193e#diff-ae68ca51f2811349cc1f596970cc40bb7fa15fd893bea35e199f3cbd7ca2b486L2247 that removed Default_FileOptions_PhpGenericServices and https://github.com/golang/protobuf/blob/master/protoc-gen-go/descriptor/descriptor.pb.go#L106 that still references it.

@vadimsht
Copy link
Author

vadimsht commented Mar 5, 2024

This blocks picking up a fix for https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/m/oLMrdq_GBQAJ in code bases that still uses deprecated Go package. While the "correct" solution is to stop using the deprecated package, it is not really possible to do fast. And running vulnerable code is not nice... Please consider releasing a new compatible github.com/golang/protobuf version.

@rootulp
Copy link

rootulp commented Mar 5, 2024

+1 I encountered this on celestiaorg/celestia-app#3155. See this error.

@neild
Copy link
Contributor

neild commented Mar 5, 2024

Gah, apologies, I didn't expect that.

I think we have to make an updated version of github.com/golang/protobuf that updates descriptor.pb.go, thanks to a backwards-incompatible change in descriptor.proto.

neild added a commit that referenced this issue Mar 5, 2024
A recent change to the upstream descriptor.proto, appearing in
google.golang.org/protobuf@v1.33.0, removed the long-deprecated
FileOptions.php_generic_services field. This backwards-incompatible
change results in an incompatibility between the
github.com/golang/protobuf and google.golang.org/protobuf
modules.

Bump the google.golang.org/protobuf version in go.mod, regenerate
descriptors.

For #1596
neild added a commit that referenced this issue Mar 5, 2024
A recent change to the upstream descriptor.proto, appearing in
google.golang.org/protobuf@v1.33.0, removed the long-deprecated
FileOptions.php_generic_services field. This backwards-incompatible
change results in an incompatibility between the
github.com/golang/protobuf and google.golang.org/protobuf
modules.

Bump the google.golang.org/protobuf version in go.mod, regenerate
descriptors.

Increase the minimum Go version requirement to go1.17 (the minimum
supported by v1.33.0).

For #1596
neild added a commit that referenced this issue Mar 5, 2024
A recent change to the upstream descriptor.proto, appearing in
google.golang.org/protobuf@v1.33.0, removed the long-deprecated
FileOptions.php_generic_services field. This backwards-incompatible
change results in an incompatibility between the
github.com/golang/protobuf and google.golang.org/protobuf
modules.

Bump the google.golang.org/protobuf version in go.mod, regenerate
descriptors.

Increase the minimum Go version requirement to go1.17 (the minimum
supported by v1.33.0).

Run gofmt to update formatting to go1.22 standards.

For #1596
@jerrybean
Copy link

Does google.golang.org/protobuf need a newer version than v1.33.0? I saw github.com/golang/protobuf (v1.5.4) already.

@rootulp
Copy link

rootulp commented Mar 6, 2024

Seems resolved via #1597 because https://github.com/golang/protobuf/releases/tag/v1.5.4 works for me.

@neild
Copy link
Contributor

neild commented Mar 6, 2024

Sorry for the inconvenience! github.com/golang/protobuf v1.5.4 should be compatible with google.golang.org/protobuf v1.33.0.

The problem, for reference, is that:

  • descriptor.proto (part of the upstream protobuf project) dropped the FileOptions.php_generic_services field.
  • google.golang.org/protobuf includes the generated package for descriptor.proto.
  • google.golang.org/protobuf v1.33.0 updates descriptor.proto, resulting in the const descriptorpb.Default_FileOptions_PhpGenericServices being removed.
  • github.com/golang/protobuf, for historical reasons, includes a stub version of descriptor.proto that forwards all its symbols to the canonical one in google.golang.org/protobuf.
  • github.com/golang/protobuf v1.5.3 is now incompatible with google.golang.org/protobuf v1.33.0, because it references a symbol that doesn't exist.

This is fixed in v1.5.4 by regenerating the forwarding package.

In retrospect, a better fix might have been in google.golang.org/protobuf: We could have added a declaration for Default_FileOptions_PhpGenericServices to that package for backwards compatibility. If we'd detected the problem in time, we could have done that in the v1.33.0 release and maintained compatibility with v1.5.3.

We should have a test that ensures this doesn't happen again in the future.

@neild neild closed this as completed Mar 6, 2024
ghstahl added a commit to fluffy-bunny/fluffycore-rage-identity that referenced this issue Mar 7, 2024
golang/protobuf#1596
fixed by
bump google.golang.org/protobuf from 1.32.0 to 1.33.0 and bump github.com/golang/protobuf from 1.5.3 to 1.5.4
2uasimojo added a commit to 2uasimojo/hive that referenced this issue Mar 13, 2024
...to address these snyk-found vulns:

```
✗ Medium severity vulnerability found in google.golang.org/protobuf/internal/encoding/json
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFINTERNALENCODINGJSON-6393704
  Introduced through: google.golang.org/api/option@0.149.0, github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, google.golang.org/api/cloudresourcemanager/v1@0.149.0, google.golang.org/api/compute/v1@0.149.0, google.golang.org/api/dns/v1@0.149.0, google.golang.org/api/serviceusage/v1@0.149.0, github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd
  From: google.golang.org/api/option@0.149.0 > google.golang.org/grpc@1.61.0 > google.golang.org/grpc/internal/transport@1.61.0 > google.golang.org/grpc/internal/pretty@1.61.0 > google.golang.org/protobuf/encoding/protojson@1.32.0 > google.golang.org/protobuf/internal/encoding/json@1.32.0
  From: github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd > google.golang.org/api/option@0.149.0 > google.golang.org/grpc@1.61.0 > google.golang.org/grpc/internal/transport@1.61.0 > google.golang.org/grpc/internal/pretty@1.61.0 > google.golang.org/protobuf/encoding/protojson@1.32.0 > google.golang.org/protobuf/internal/encoding/json@1.32.0
  From: google.golang.org/api/cloudresourcemanager/v1@0.149.0 > google.golang.org/api/transport/http@0.149.0 > google.golang.org/api/option@0.149.0 > google.golang.org/grpc@1.61.0 > google.golang.org/grpc/internal/transport@1.61.0 > google.golang.org/grpc/internal/pretty@1.61.0 > google.golang.org/protobuf/encoding/protojson@1.32.0 > google.golang.org/protobuf/internal/encoding/json@1.32.0
  and 5 more...
  Fixed in: 1.33.0
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6393703
  Introduced through: google.golang.org/api/cloudresourcemanager/v1@0.149.0, google.golang.org/api/compute/v1@0.149.0, google.golang.org/api/dns/v1@0.149.0, google.golang.org/api/serviceusage/v1@0.149.0, github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd, google.golang.org/api/option@0.149.0, github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f
  From: google.golang.org/api/cloudresourcemanager/v1@0.149.0 > google.golang.org/api/internal/gensupport@0.149.0 > github.com/googleapis/gax-go/v2/apierror@2.12.0 > google.golang.org/protobuf/encoding/protojson@1.32.0
  From: google.golang.org/api/compute/v1@0.149.0 > google.golang.org/api/internal/gensupport@0.149.0 > github.com/googleapis/gax-go/v2/apierror@2.12.0 > google.golang.org/protobuf/encoding/protojson@1.32.0
  From: google.golang.org/api/dns/v1@0.149.0 > google.golang.org/api/internal/gensupport@0.149.0 > github.com/googleapis/gax-go/v2/apierror@2.12.0 > google.golang.org/protobuf/encoding/protojson@1.32.0
  and 28 more...
  Fixed in: 1.33.0
```

Note that in this branch we also had to bump
google.golang.org/golang/protobuf to v1.5.4 due to
golang/protobuf#1596. Why this wasn't
necessary in the other branches... no idea.
:shakes-fist-at-golang-deps:

Manual cherry-pick of openshift#2239 / f7cf469
which was a
Manual cherry-pick of openshift#2231 / 2efba4b
@2uasimojo
Copy link

So this is weird. I upgraded google.golang.org/protobuf to 1.33.0 in my master branch (openshift/hive#2231) where github.com/golang/protobuf was still at 1.5.3. Worked fine.

Applied that same change to a recent release branch (openshift/hive#2239). Worked fine.

Applied that same change to an earlier release branch (openshift/hive#2240) and ran into this problem.

All three branches started with github.com/golang/protobuf at 1.5.3. But only that third one broke.

2uasimojo added a commit to 2uasimojo/hive that referenced this issue Mar 13, 2024
...to address these snyk-found vulns:

```
✗ Medium severity vulnerability found in google.golang.org/protobuf/internal/encoding/json
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFINTERNALENCODINGJSON-6393704
  Introduced through: google.golang.org/api/option@0.149.0, github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, google.golang.org/api/cloudresourcemanager/v1@0.149.0, google.golang.org/api/compute/v1@0.149.0, google.golang.org/api/dns/v1@0.149.0, google.golang.org/api/serviceusage/v1@0.149.0, github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd
  From: google.golang.org/api/option@0.149.0 > google.golang.org/grpc@1.61.0 > google.golang.org/grpc/internal/transport@1.61.0 > google.golang.org/grpc/internal/pretty@1.61.0 > google.golang.org/protobuf/encoding/protojson@1.32.0 > google.golang.org/protobuf/internal/encoding/json@1.32.0
  From: github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd > google.golang.org/api/option@0.149.0 > google.golang.org/grpc@1.61.0 > google.golang.org/grpc/internal/transport@1.61.0 > google.golang.org/grpc/internal/pretty@1.61.0 > google.golang.org/protobuf/encoding/protojson@1.32.0 > google.golang.org/protobuf/internal/encoding/json@1.32.0
  From: google.golang.org/api/cloudresourcemanager/v1@0.149.0 > google.golang.org/api/transport/http@0.149.0 > google.golang.org/api/option@0.149.0 > google.golang.org/grpc@1.61.0 > google.golang.org/grpc/internal/transport@1.61.0 > google.golang.org/grpc/internal/pretty@1.61.0 > google.golang.org/protobuf/encoding/protojson@1.32.0 > google.golang.org/protobuf/internal/encoding/json@1.32.0
  and 5 more...
  Fixed in: 1.33.0
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6393703
  Introduced through: google.golang.org/api/cloudresourcemanager/v1@0.149.0, google.golang.org/api/compute/v1@0.149.0, google.golang.org/api/dns/v1@0.149.0, google.golang.org/api/serviceusage/v1@0.149.0, github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd, google.golang.org/api/option@0.149.0, github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f
  From: google.golang.org/api/cloudresourcemanager/v1@0.149.0 > google.golang.org/api/internal/gensupport@0.149.0 > github.com/googleapis/gax-go/v2/apierror@2.12.0 > google.golang.org/protobuf/encoding/protojson@1.32.0
  From: google.golang.org/api/compute/v1@0.149.0 > google.golang.org/api/internal/gensupport@0.149.0 > github.com/googleapis/gax-go/v2/apierror@2.12.0 > google.golang.org/protobuf/encoding/protojson@1.32.0
  From: google.golang.org/api/dns/v1@0.149.0 > google.golang.org/api/internal/gensupport@0.149.0 > github.com/googleapis/gax-go/v2/apierror@2.12.0 > google.golang.org/protobuf/encoding/protojson@1.32.0
  and 28 more...
  Fixed in: 1.33.0
```

Note that in this branch we also had to bump
google.golang.org/golang/protobuf to v1.5.4 due to
golang/protobuf#1596. Why this wasn't
necessary in the other branches... no idea.
:shakes-fist-at-golang-deps:

Manual cherry-pick of openshift#2240 / 0e128fe
which was a
Manual cherry-pick of openshift#2239 / f7cf469
which was a
Manual cherry-pick of openshift#2231 / 2efba4b
2uasimojo added a commit to 2uasimojo/hive that referenced this issue Mar 13, 2024
...to address these snyk-found vulns:

```
✗ Medium severity vulnerability found in google.golang.org/protobuf/internal/encoding/json
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFINTERNALENCODINGJSON-6393704
  Introduced through: google.golang.org/api/option@0.149.0, github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, google.golang.org/api/cloudresourcemanager/v1@0.149.0, google.golang.org/api/compute/v1@0.149.0, google.golang.org/api/dns/v1@0.149.0, google.golang.org/api/serviceusage/v1@0.149.0, github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd
  From: google.golang.org/api/option@0.149.0 > google.golang.org/grpc@1.61.0 > google.golang.org/grpc/internal/transport@1.61.0 > google.golang.org/grpc/internal/pretty@1.61.0 > google.golang.org/protobuf/encoding/protojson@1.32.0 > google.golang.org/protobuf/internal/encoding/json@1.32.0
  From: github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd > google.golang.org/api/option@0.149.0 > google.golang.org/grpc@1.61.0 > google.golang.org/grpc/internal/transport@1.61.0 > google.golang.org/grpc/internal/pretty@1.61.0 > google.golang.org/protobuf/encoding/protojson@1.32.0 > google.golang.org/protobuf/internal/encoding/json@1.32.0
  From: google.golang.org/api/cloudresourcemanager/v1@0.149.0 > google.golang.org/api/transport/http@0.149.0 > google.golang.org/api/option@0.149.0 > google.golang.org/grpc@1.61.0 > google.golang.org/grpc/internal/transport@1.61.0 > google.golang.org/grpc/internal/pretty@1.61.0 > google.golang.org/protobuf/encoding/protojson@1.32.0 > google.golang.org/protobuf/internal/encoding/json@1.32.0
  and 5 more...
  Fixed in: 1.33.0
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6393703
  Introduced through: google.golang.org/api/cloudresourcemanager/v1@0.149.0, google.golang.org/api/compute/v1@0.149.0, google.golang.org/api/dns/v1@0.149.0, google.golang.org/api/serviceusage/v1@0.149.0, github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd, google.golang.org/api/option@0.149.0, github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f
  From: google.golang.org/api/cloudresourcemanager/v1@0.149.0 > google.golang.org/api/internal/gensupport@0.149.0 > github.com/googleapis/gax-go/v2/apierror@2.12.0 > google.golang.org/protobuf/encoding/protojson@1.32.0
  From: google.golang.org/api/compute/v1@0.149.0 > google.golang.org/api/internal/gensupport@0.149.0 > github.com/googleapis/gax-go/v2/apierror@2.12.0 > google.golang.org/protobuf/encoding/protojson@1.32.0
  From: google.golang.org/api/dns/v1@0.149.0 > google.golang.org/api/internal/gensupport@0.149.0 > github.com/googleapis/gax-go/v2/apierror@2.12.0 > google.golang.org/protobuf/encoding/protojson@1.32.0
  and 28 more...
  Fixed in: 1.33.0
```

Note that in this branch we also had to bump
google.golang.org/golang/protobuf to v1.5.4 due to
golang/protobuf#1596. Why this wasn't
necessary in the other branches... no idea.
:shakes-fist-at-golang-deps:

Manual cherry-pick of openshift#2241 / d8c9a5d
which was a
Manual cherry-pick of openshift#2240 / 0e128fe
which was a
Manual cherry-pick of openshift#2239 / f7cf469
which was a
Manual cherry-pick of openshift#2231 / 2efba4b
Strum355 added a commit to sourcegraph/sourcegraph-public-snapshot that referenced this issue Mar 13, 2024
Man I dont even know. Why does golang.google.org/protobuf even depend on github.com/golang/protobuf if the latter is deprecated and explicitly states to use the former...? golang/protobuf#1596

## Test plan

go build & CI
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Mar 14, 2024
…bilty, see golang/protobuf#1596 (comment)

upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.44.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Mar 14, 2024
…bilty, see golang/protobuf#1596 (comment)

upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.49.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Mar 14, 2024
…r compatibilty, see golang/protobuf#1596 (comment)

OCPBUGS-22630: upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.49.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
thaJeztah added a commit to thaJeztah/containerd that referenced this issue Mar 18, 2024
commit 10c7f03 updated google.golang.org/protobuf
to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the
Golang security list issued a warning that the v1.33.0 update introduced a
breaking change, causing compatibility with github.com/golang/protobuf to be
broken;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

Containerd itself does not appear to be using this code, but consumers may be,
so update the github.com/golang/protobuf to restore compatibility.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah added a commit to thaJeztah/containerd that referenced this issue Mar 20, 2024
commit 10c7f03 updated google.golang.org/protobuf
to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the
Golang security list issued a warning that the v1.33.0 update introduced a
breaking change, causing compatibility with github.com/golang/protobuf to be
broken;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

Containerd itself does not appear to be using this code, but consumers may be,
so update the github.com/golang/protobuf to restore compatibility.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 45e425c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah added a commit to thaJeztah/containerd that referenced this issue Mar 20, 2024
commit 10c7f03 updated google.golang.org/protobuf
to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the
Golang security list issued a warning that the v1.33.0 update introduced a
breaking change, causing compatibility with github.com/golang/protobuf to be
broken;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 45e425c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Apr 4, 2024
…bilty, see golang/protobuf#1596 (comment)

upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.49.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Apr 8, 2024
…r compatibilty, see golang/protobuf#1596 (comment)

OCPBUGS-22630: upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.45.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Apr 15, 2024
…bilty, see golang/protobuf#1596 (comment)

deps: upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.45.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
austinvazquez pushed a commit to austinvazquez/moby that referenced this issue Apr 25, 2024
…f v1.5.4

full diffs:

- protocolbuffers/protobuf-go@v1.31.0...v1.33.0
- golang/protobuf@v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/protobuf@v1.31.0
        Fixed in: google.golang.org/protobuf@v1.33.0
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you
    require.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1ca89d7)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
austinvazquez pushed a commit to austinvazquez/moby that referenced this issue Apr 25, 2024
…f v1.5.4

full diffs:

- protocolbuffers/protobuf-go@v1.31.0...v1.33.0
- golang/protobuf@v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/protobuf@v1.31.0
        Fixed in: google.golang.org/protobuf@v1.33.0
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you
    require.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1ca89d7)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
austinvazquez pushed a commit to austinvazquez/moby that referenced this issue Apr 25, 2024
…f v1.5.4

full diffs:

- protocolbuffers/protobuf-go@v1.31.0...v1.33.0
- golang/protobuf@v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/protobuf@v1.31.0
        Fixed in: google.golang.org/protobuf@v1.33.0
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you
    require.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1ca89d7)
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
r4f4 added a commit to r4f4/installer that referenced this issue May 9, 2024
Bump golang.org/protobuf to v1.33.0 for CVE-2024-24786 fix.

Notice that, in some cases, github.com/golang/protobuf had to be bumped
to v1.5.4 because of golang/protobuf#1596.
r4f4 added a commit to r4f4/installer that referenced this issue May 23, 2024
Bump golang.org/protobuf to v1.33.0 for CVE-2024-24786 fix.

Notice that, in some cases, github.com/golang/protobuf had to be bumped
to v1.5.4 because of golang/protobuf#1596.
r4f4 added a commit to r4f4/installer that referenced this issue May 27, 2024
Bump golang.org/protobuf to v1.33.0 for CVE-2024-24786 fix.

Notice that, in some cases, github.com/golang/protobuf had to be bumped
to v1.5.4 because of golang/protobuf#1596.
pawanpinjarkar pushed a commit to pawanpinjarkar/installer that referenced this issue May 28, 2024
Bump golang.org/protobuf to v1.33.0 for CVE-2024-24786 fix.

Notice that, in some cases, github.com/golang/protobuf had to be bumped
to v1.5.4 because of golang/protobuf#1596.
azr pushed a commit to azr/containerd that referenced this issue Aug 30, 2024
commit 10c7f03 updated google.golang.org/protobuf
to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the
Golang security list issued a warning that the v1.33.0 update introduced a
breaking change, causing compatibility with github.com/golang/protobuf to be
broken;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

Containerd itself does not appear to be using this code, but consumers may be,
so update the github.com/golang/protobuf to restore compatibility.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@deep-explorer
Copy link

I installed google.golang.org/protobuf v1.34.2 but it doesn't support descriptor.
And alternatively, I tried to install github.com/golang/protobuf module but can't install this one as well.

could not import google.golang.org/protobuf/protoc-gen-go/descriptor (no required module provides package "google.golang.org/protobuf/protoc-gen-go/descriptor")compilerBrokenImport

@puellanivis
Copy link
Collaborator

If you look in the github.com/golang/protobuf/protoc-gen-go/descriptor package, you can see what the correct module for the descriptor package is (as the package primarily just type aliases, and const/var copies everything over): google.golang.org/protobuf/types/descriptorpb (The package has been moved to a more consistent path to join the other general protobufs.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants