Debian Long Term Support / LTS Security Information / 2023 / Security Information -- DLA-3393-1 protobuf

Debian Security Advisory

DLA-3393-1 protobuf -- LTS security update

Date Reported:

18 Apr 2023

Affected Packages:

protobuf

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2021-22569, CVE-2021-22570, CVE-2022-1941.

More information:

This update fixes a NULL pointer derference and two denial of service conditions in in protobuf.

• CVE-2021-22569

  An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses.

• CVE-2021-22570

  Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr.

• CVE-2022-1941

  A parsing vulnerability for the MessageSet type in the ProtocolBuffers can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input.

For Debian 10 buster, these problems have been fixed in version 3.6.1.3-2+deb10u1.

We recommend that you upgrade your protobuf packages.

For the detailed security status of protobuf please refer to its security tracker page at: https://security-tracker.debian.org/tracker/protobuf

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS