Subject: [gentoo-announce] [ GLSA 202408-31 ] protobuf, protobuf-python: Denial of Service
From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Date: Mon, 12 Aug 2024 07:20:40 -0000
Message-ID: <172344724119.7.8326818864355534168@3f85d36892cf>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                  Gentoo Linux Security Advisory                GLSA 202408-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: protobuf, protobuf-python: Denial of Service
      Date: August 12, 2024
      Bugs: #872434
        ID: 202408-31

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in protobuf and protobuf-python,
which can lead to a denial of service.

Background
==========

Google's Protocol Buffers are an extensible mechanism for serializing
structured data.

Affected packages
=================

Package                     Vulnerable    Unaffected
--------------------------  ------------  ------------
dev-libs/protobuf           < 3.20.3      >= 3.20.3
dev-python/protobuf-python  < 3.19.6      >= 3.19.6

Description
===========

A vulnerability has been discovered in protobuf and protobuf-python.
Please review the CVE identifiers referenced below for details.

Impact
======

A parsing vulnerability for the MessageSet type can lead to out of
memory failures. A specially crafted message with multiple key-value
pairs per element creates parsing issues, and can lead to a Denial of
Service against services receiving unsanitized input.

Workaround
==========

There is no known workaround at this time.
Resolution
==========

All protobuf and protobuf-python users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/protobuf-3.20.3"
  # emerge --ask --oneshot --verbose ">=dev-python/protobuf-python-3.19.6"

References
==========

[ 1 ] CVE-2022-1941
      https://nvd.nist.gov/vuln/detail/CVE-2022-1941

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-31

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAma5t8gACgkQFMQkOaVy
+9mTmQ//WPDW59c3oPFhfEWVbQUe9bME0JUeJPCOaZMm/vpaO8cTD/e2MwtWP3dS
lXXbcfjTh+6ScV05rVMiKsTkKp+nLPmwgsWifOlU7wFG4GFUeRysJ0mqW1CE8pIG
x1hDNchzEYZEMPoTkC5cyR2RJ0N4Z1XDVgYhpzydkm2ZPJ/Xa0rT56qvcNDkcFbl
3NsQpZ63SHA2wkeZs6OW+BitMQYpfvvC6YuKwYFmwZsYVw3LxIoc1IUzZDQDVoHw
h7fZJ54fC6G8fE2Mrix8ChPhty/JeoCeMTYrYwpqUCOzePId6kcCVXpQI4Q60rxW
gR3mEZIDtTPUAfHv+BHbVECVwxcSYFhfrgEbRJCFKXwTCajM7/5f/ddfN/x4ipa1
IlcGG9mszrbSIqUPAur89RDf/c1+zLkCezdcKTQawDIsMR5jgLRgctrnzqnd5CIi
2EWZwKmtfbI2iahfSUxaVySKR1aewekqoiltWpb0UWbNcC7XVtBh8OJOZkyxn8t3
ZMLVrPwndlajtZyugUKEz3xG1ycwfW89EBwW2S1ocz/OcyI/ZTrBD6ePQEsFjFOu
HB6C2iO2c3pI8BWAtAkYtfbz4VTHltEoSPBs6Aiokue8G1zTh7sQ4K0G49/q1TeN
IS3G7OBDKcqPY05v1n5+POcbp2ZUz2ExDpCcKCgR1oUqyB4T10Q=
=Uf1Q
-----END PGP SIGNATURE-----
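The "Affected packages" table and the Resolution section above give a fixed version threshold per package, and deciding whether a host needs the upgrade is a version comparison against those thresholds. The script below is an added example, not part of the advisory and not Gentoo's own tooling: it takes installed-package lines in the "category/package-version" shape that `qlist -Iv` prints (the sample input here is constructed, not captured from a real host), splits each into package and version, orders versions with a simplified approximation of Portage's version rules (numeric components, optional trailing letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision), and reports which installed packages fall below the advisory's unaffected versions together with the matching emerge invocation from the Resolution section.

```python
"""Check installed package versions against the GLSA 202408-31 thresholds.

Added example; not part of the advisory or of Gentoo's tooling.  The
version ordering is a simplified model of Portage's rules (assumption),
good enough for release, suffix and revision comparisons like the ones
in this advisory.
"""
import re

# Fixed versions from the advisory's "Affected packages" table:
# anything below these is vulnerable.
UNAFFECTED = {
    "dev-libs/protobuf": "3.20.3",
    "dev-python/protobuf-python": "3.19.6",
}

# Split "category/package-version" on the first hyphen that starts a
# version (a digit follows it).  Package names may contain hyphens, so
# the name part is matched lazily and the version must reach end-of-line.
_VERSION_PART = r"\d+(?:\.\d+)*[a-z]?(?:_(?:alpha|beta|pre|rc|p)\d*)*(?:-r\d+)?"
_ATOM_RE = re.compile(
    r"^(?P<cp>[A-Za-z0-9_][A-Za-z0-9_+.-]*/[A-Za-z0-9_+-]+?)-(?P<pv>" + _VERSION_PART + r")$"
)
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$"
)

# Pre-release suffixes sort below a plain release, _p (patch level) above it.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}


def version_key(pv):
    """Sort key approximating Portage's version ordering (simplified)."""
    m = _VERSION_RE.match(pv)
    if not m:
        raise ValueError(f"unparseable version: {pv!r}")
    nums, letter, suffixes, rev = m.groups()
    parts = tuple(int(x) for x in nums.split("."))
    suf = tuple(
        (_SUFFIX_RANK[name], int(digits or 0))
        for name, digits in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", suffixes)
    )
    # A release without suffixes gets rank 0 so that _rc < release < _p.
    return (parts, letter or "", suf or ((0, 0),), int(rev or 0))


def split_atom(line):
    """Return (category/package, version) for one installed-package line."""
    m = _ATOM_RE.match(line.strip())
    if not m:
        return None
    return m.group("cp"), m.group("pv")


def vulnerable_packages(installed_lines):
    """Return (category/package, installed_version, fixed_version) for every
    installed package listed in UNAFFECTED whose version is below the fix."""
    findings = []
    for line in installed_lines:
        atom = split_atom(line)
        if atom is None:
            continue  # blank or unparseable line: skip rather than guess
        cp, pv = atom
        fixed = UNAFFECTED.get(cp)
        if fixed is not None and version_key(pv) < version_key(fixed):
            findings.append((cp, pv, fixed))
    return findings


def remediation_commands(findings):
    """Emerge invocations in the form the advisory's Resolution section uses."""
    return [f'emerge --ask --oneshot --verbose ">={cp}-{fixed}"' for cp, _pv, fixed in findings]


# Constructed sample in the shape of `qlist -Iv` output (not a real host).
SAMPLE_QLIST_OUTPUT = """\
dev-libs/protobuf-3.19.4
dev-python/protobuf-python-3.19.6-r1
dev-libs/openssl-3.0.14
"""

if __name__ == "__main__":
    hits = vulnerable_packages(SAMPLE_QLIST_OUTPUT.splitlines())
    for cp, pv, fixed in hits:
        print(f"{cp}-{pv} is vulnerable (fixed in {fixed})")
    for cmd in remediation_commands(hits):
        print("  # " + cmd)
```

On a real Gentoo host, `qlist -Iv` (app-portage/portage-utils) produces the input shape assumed here, and `glsa-check -t all` (app-portage/gentoolkit) performs this check against the full GLSA feed with Portage's exact version rules; the script only reproduces that logic for the two packages in this advisory. Note that the revision `3.19.6-r1` in the sample is correctly treated as at or above the `3.19.6` threshold, while `3.19.4` is reported.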