Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency protobuf to v3.18.3 [SECURITY] #125

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Mar 7, 2022

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
protobuf ==3.14.0 -> ==3.18.3 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2021-22570

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

CVE-2022-1941

Summary

A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.

Reporter: ClusterFuzz

Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.

Severity & Impact

As scored by google
Medium 5.7 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Asscored byt NIST
High 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

A small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM.

Proof of Concept

For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.

Mitigation / Patching

Please update to the latest available versions of the following packages:

  • protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)
  • protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency protobuf to v3.15.0 [SECURITY] Update dependency protobuf to v3.18.3 [SECURITY] Sep 25, 2022
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from fadb35f to 2b0ca4b Compare September 25, 2022 22:36
@renovate renovate bot changed the title Update dependency protobuf to v3.18.3 [SECURITY] Update dependency protobuf to v3.18.3 [SECURITY] - autoclosed Dec 3, 2024
@renovate renovate bot closed this Dec 3, 2024
@renovate renovate bot deleted the renovate/pypi-protobuf-vulnerability branch December 3, 2024 17:27
@renovate renovate bot changed the title Update dependency protobuf to v3.18.3 [SECURITY] - autoclosed Update dependency protobuf to v3.18.3 [SECURITY] Dec 10, 2024
@renovate renovate bot reopened this Dec 10, 2024
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from e1de1ca to 2b0ca4b Compare December 10, 2024 15:32
@renovate renovate bot changed the title Update dependency protobuf to v3.18.3 [SECURITY] Update dependency protobuf to v3.18.3 [SECURITY] - autoclosed Dec 11, 2024
@renovate renovate bot closed this Dec 11, 2024
@renovate renovate bot changed the title Update dependency protobuf to v3.18.3 [SECURITY] - autoclosed Update dependency protobuf to v3.18.3 [SECURITY] Dec 16, 2024
@renovate renovate bot reopened this Dec 16, 2024
@renovate renovate bot force-pushed the renovate/pypi-protobuf-vulnerability branch from d4d4f63 to 2b0ca4b Compare December 16, 2024 12:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants