Your message dated Wed, 27 Mar 2024 00:21:37 +0000
with message-id <[email protected]>
and subject line Bug#1065684: fixed in golang-google-protobuf 1.33.0-1
has caused the Debian Bug report #1065684,
regarding golang-google-protobuf: CVE-2024-24786
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1065684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065684
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-google-protobuf
Version: 1.32.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for golang-google-protobuf.
CVE-2024-24786[0]:
| The protojson.Unmarshal function can enter an infinite loop when
| unmarshaling certain forms of invalid JSON. This condition can occur
| when unmarshaling into a message which contains a
| google.protobuf.Any value, or when the
| UnmarshalOptions.DiscardUnknown option is set.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-24786
https://www.cve.org/CVERecord?id=CVE-2024-24786
[1] https://go-review.googlesource.com/c/protobuf/+/569356
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: golang-google-protobuf
Source-Version: 1.33.0-1
Done: Anthony Fok <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-google-protobuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anthony Fok <[email protected]> (supplier of updated golang-google-protobuf
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 26 Mar 2024 17:49:06 -0600
Source: golang-google-protobuf
Architecture: source
Version: 1.33.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Anthony Fok <[email protected]>
Closes: 1065684
Changes:
golang-google-protobuf (1.33.0-1) unstable; urgency=medium
.
* New upstream version 1.33.0
.
encoding/protojson, internal/encoding/json: handle missing object values
.
In internal/encoding/json, report an error when encountering a }
when we are expecting an object field value. For example, the input
`{"":}` now correctly results in an error at the closing } token.
.
In encoding/protojson, check for an unexpected EOF token in
skipJSONValue. This is redundant with the check in internal/encoding/json,
but adds a bit more defense against any other similar bugs that
might exist.
.
Fixes CVE-2024-24786 (Closes: #1065684)
.
* DH_GOLANG_INSTALL_EXTRA: Update path to editions_defaults.binpb
which was moved from reflect/protodesc/ to internal/editiondefaults/
Checksums-Sha1:
b4aaad31d00d1ab4eccdbf8624d3b7831a3ab61a 2381
golang-google-protobuf_1.33.0-1.dsc
9673951a743296d76d1a474871c2443f7a449ffc 812348
golang-google-protobuf_1.33.0.orig.tar.xz
5a249134d9e0c499bd70f8978155a5ccd2573eaf 4060
golang-google-protobuf_1.33.0-1.debian.tar.xz
d65004dfe310321fe0bfacd5a7a9ff8f2bcf15bd 6838
golang-google-protobuf_1.33.0-1_amd64.buildinfo
Checksums-Sha256:
1274db27a31a56d97a94efd04ed288922bbe8dcc46cf2e805ced2cd423bb8a01 2381
golang-google-protobuf_1.33.0-1.dsc
40d83211cdfc25e1c13c6de527b33516c21d6ef48188070ff22f29330abe4f84 812348
golang-google-protobuf_1.33.0.orig.tar.xz
9469684733b7810b2a382ea2c0e801c4b0b4bd90bc41399e3a76d8760996ac03 4060
golang-google-protobuf_1.33.0-1.debian.tar.xz
ce0906317aab1c72969211523151d466ac98416e798139c8a7eec0eacefb6aa7 6838
golang-google-protobuf_1.33.0-1_amd64.buildinfo
Files:
9f76d0ea63ae9eb01ff3917847cd8ebc 2381 golang optional
golang-google-protobuf_1.33.0-1.dsc
e102870db4b3dfb32af3ee85f427acad 812348 golang optional
golang-google-protobuf_1.33.0.orig.tar.xz
b7485bec7ce51cb4b820b7c0df1c3a6e 4060 golang optional
golang-google-protobuf_1.33.0-1.debian.tar.xz
1e8b2ecc9959e7a38402e295616a05ef 6838 golang optional
golang-google-protobuf_1.33.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
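The following is an added example, not code from this bug log, from Debian, or from google.golang.org/protobuf: a toy Go tokenizer and value skipper built in the shape the changelog above describes, with both layers of the fix switchable so the pre-fix behaviour can be observed. The Decoder type, the strict and hardened flags, the Skip function and the token budget are all assumptions of this example; the real library's decoder is considerably more elaborate and its exact loop is not reconstructed here. With strict=false and hardened=false the skipper spins on the changelog's input `{"":}` (the budget turns the hang into ErrLoopBudget so a test can see it); strict=true makes the tokenizer reject the `}` at offset 4, as the changelog says the fixed internal/encoding/json does, and hardened=true makes the skipper refuse EOF or a stray closer as a value, the redundant second check the changelog describes in skipJSONValue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrLoopBudget stands in for the hang a real decoder would produce.
var ErrLoopBudget = errors.New("token budget exhausted: the skipper did not terminate")

// Decoder is a toy tokenizer plus value skipper (an assumption of this example, not
// the library's type). Tokens are plain strings: "" is EOF, "{" "}" "[" "]" are brackets,
// a token ending in ':' is an object member name ("key":), anything else is a scalar.
type Decoder struct {
	in        string
	pos       int
	afterName bool // previous token was a member name, so a value must follow
	strict    bool // tokenizer fix: '}' right after "key": is a syntax error
	hardened  bool // skipper fix: EOF or a stray closer is never accepted as a value
	budget    int  // tokens Read may hand out before giving up with ErrLoopBudget
}

// Read consumes the next token, skipping whitespace and separator commas. Past
// the end of input it keeps returning EOF ("") tokens rather than an error.
func (d *Decoder) Read() (string, error) {
	if d.budget--; d.budget < 0 {
		return "", ErrLoopBudget
	}
	for d.pos < len(d.in) && strings.IndexByte(" \t\r\n,", d.in[d.pos]) >= 0 {
		d.pos++
	}
	if d.pos >= len(d.in) {
		return "", nil
	}
	wasAfterName, c, start := d.afterName, d.in[d.pos], d.pos
	d.afterName = false
	switch {
	case c == '}' && d.strict && wasAfterName:
		return "", fmt.Errorf("syntax error at offset %d: unexpected } when expecting an object field value", d.pos)
	case strings.IndexByte("{}[]", c) >= 0:
		d.pos++
	case c == '"': // string; escapes are not handled in this toy
		end := strings.IndexByte(d.in[start+1:], '"')
		if end < 0 {
			return "", errors.New("unterminated string")
		}
		d.pos = start + end + 2
		if d.pos < len(d.in) && d.in[d.pos] == ':' { // a string directly followed by ':' is a member name
			d.pos, d.afterName = d.pos+1, true
		}
	default: // number or literal: at least one byte, then up to the next delimiter
		for d.pos++; d.pos < len(d.in) && strings.IndexByte(",:{}[] \t\r\n", d.in[d.pos]) < 0; d.pos++ {
		}
	}
	return d.in[start:d.pos], nil
}

// skipFrom discards the JSON value whose first token has just been read, as a
// decoder does for an unknown field under DiscardUnknown.
func (d *Decoder) skipFrom(tok string, err error) error {
	if err != nil {
		return err
	}
	switch tok {
	case "", "}", "]": // EOF or a closer where a value was expected
		if d.hardened {
			if tok == "" {
				tok = "EOF"
			}
			return fmt.Errorf("unexpected %s where a value was expected", tok)
		}
		return nil // bug: nothing was consumed, yet the caller is told a value was skipped
	case "{", "[":
		closer := map[string]string{"{": "}", "[": "]"}[tok]
		for { // bug: once input is exhausted, Read yields EOF forever and this loop never ends
			nt, err := d.Read()
			if err == nil && nt == closer {
				return nil
			}
			if err == nil && strings.HasSuffix(nt, ":") { // object member: its value follows the key
				nt, err = d.Read()
			}
			if err = d.skipFrom(nt, err); err != nil {
				return err
			}
		}
	}
	return nil // scalar: already consumed
}

// Skip discards one JSON value from input with a 1000-token budget; nil means
// the value was skipped cleanly.
func Skip(input string, strict, hardened bool) error {
	d := &Decoder{in: input, strict: strict, hardened: hardened, budget: 1000}
	return d.skipFrom(d.Read())
}
```

Skip(`{"":}`, false, false) and Skip(`[{"":}]`, false, false) come back with ErrLoopBudget, Skip(`{"":}`, true, true) returns the syntax error at offset 4, Skip(`{"":}`, false, true) shows that the skipper-side check alone is enough to terminate with an error, and well-formed values such as `{"a":[1,2,{"b":null}],"c":"x"}` skip cleanly in every mode. To see which google.golang.org/protobuf a built Go program actually links, `go version -m ./binary` lists its embedded module dependencies; per the changelog above the fix ships in v1.33.0.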