Bug#1082381: protobuf: CVE-2024-7254
Control: reopen -1

On Mon, Jul 7, 2025 at 2:58 PM Marc Deslauriers wrote:
> The merge commit above actually contains 5 separate patches in it. We
> separated them out to be properly handled by quilt.
Thanks, just going to upload your work.

Cheers,
Laszlo/GCS
Bug#1082381: protobuf: CVE-2024-7254
On 2025-07-07 08:55, László Böszörményi (GCS) wrote:
> Hi,
>
> On Mon, Jul 7, 2025 at 1:51 PM Hlib Korzhynskyy wrote:
> > The final merge commit from github [1] is what we used to fix this issue in
> > Ubuntu. It should contain all of the relevant commits for the CVE.
> > [1] https://github.com/protocolbuffers/protobuf/commit/4a197e78ad2430e22e992c5a7727b61ae220f727
> OK, this seems to be the full changes needed. Meanwhile I have checked
> your security update for this issue at:
> https://launchpad.net/ubuntu/+source/protobuf/3.21.12-9ubuntu1.1
> That contains five separate patches, but never mind. Thanks for your update.

The merge commit above actually contains 5 separate patches in it. We
separated them out to be properly handled by quilt.

Marc.
Bug#1082381: protobuf: CVE-2024-7254
Hi,

On Mon, Jul 7, 2025 at 1:51 PM Hlib Korzhynskyy wrote:
> The final merge commit from github [1] is what we used to fix this issue in
> Ubuntu. It should contain all of the relevant commits for the CVE.
> [1] https://github.com/protocolbuffers/protobuf/commit/4a197e78ad2430e22e992c5a7727b61ae220f727
OK, this seems to be the full changes needed. Meanwhile I have checked
your security update for this issue at:
https://launchpad.net/ubuntu/+source/protobuf/3.21.12-9ubuntu1.1
That contains five separate patches, but never mind. Thanks for your update.

Regards,
Laszlo/GCS
Bug#1082381: protobuf: CVE-2024-7254
Hello,

The final merge commit from github [1] is what we used to fix this issue in
Ubuntu. It should contain all of the relevant commits for the CVE.

Thanks,
Hlib.

[1] https://github.com/protocolbuffers/protobuf/commit/4a197e78ad2430e22e992c5a7727b61ae220f727

On Sat, 5 Jul 2025 at 12:45, Marc Deslauriers <[email protected]> wrote:
> Hi,
>
> I've added my colleague Hlib to CC, as he's the person who actually did
> the updates for Ubuntu and could perhaps help figure this out.
>
> Marc.
>
> On 2025-07-05 06:31, László Böszörményi (GCS) wrote:
> > On Thu, Jul 3, 2025 at 11:07 PM Salvatore Bonaccorso wrote:
> >> Can you please double-check this, I think the issue is not yet fixed
> >> (completely) in Debian. Marc Deslauriers pointed out that there are
> >> commits missing (I updated the tracker now).
> > Are his notes public? I'm checking the commits mentioned in the
> > security tracker. It seems the commit mentioned earlier [1] is now
> > tracked as another [2] (contents seem to be the same). But then parts
> > of it are removed in another mentioned commit [3] with code parts not
> > present in 3.21.12 (Sid version).
> > It is a bit confusing. I can move the packaging to match these
> > changes. Then is there any upstream recommendation which fixes to use
> > for a specific release branch? Is there any reproducer for this issue?
> >
> > Regards,
> > Laszlo/GCS
> > [1] https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
> > [2] https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
> > [3] https://github.com/protocolbuffers/protobuf/commit/b5a7cf7cf4b7e39f6b02205e45afe2104a7faf81
Bug#1082381: protobuf: CVE-2024-7254
Hi,

I've added my colleague Hlib to CC, as he's the person who actually did the
updates for Ubuntu and could perhaps help figure this out.

Marc.

On 2025-07-05 06:31, László Böszörményi (GCS) wrote:
> On Thu, Jul 3, 2025 at 11:07 PM Salvatore Bonaccorso wrote:
> > Can you please double-check this, I think the issue is not yet fixed
> > (completely) in Debian. Marc Deslauriers pointed out that there are
> > commits missing (I updated the tracker now).
> Are his notes public? I'm checking the commits mentioned in the
> security tracker. It seems the commit mentioned earlier [1] is now
> tracked as another [2] (contents seem to be the same). But then parts
> of it are removed in another mentioned commit [3] with code parts not
> present in 3.21.12 (Sid version).
> It is a bit confusing. I can move the packaging to match these
> changes. Then is there any upstream recommendation which fixes to use
> for a specific release branch? Is there any reproducer for this issue?
>
> Regards,
> Laszlo/GCS
> [1] https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
> [2] https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
> [3] https://github.com/protocolbuffers/protobuf/commit/b5a7cf7cf4b7e39f6b02205e45afe2104a7faf81
Bug#1082381: protobuf: CVE-2024-7254
On Thu, Jul 3, 2025 at 11:07 PM Salvatore Bonaccorso wrote:
> Can you please double-check this, I think the issue is not yet fixed
> (completely) in Debian. Marc Deslauriers pointed out that there are
> commits missing (I updated the tracker now).
Are his notes public? I'm checking the commits mentioned in the
security tracker. It seems the commit mentioned earlier [1] is now
tracked as another [2] (contents seem to be the same). But then parts
of it are removed in another mentioned commit [3] with code parts not
present in 3.21.12 (Sid version).
It is a bit confusing. I can move the packaging to match these
changes. Then is there any upstream recommendation which fixes to use
for a specific release branch? Is there any reproducer for this issue?

Regards,
Laszlo/GCS
[1] https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
[2] https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
[3] https://github.com/protocolbuffers/protobuf/commit/b5a7cf7cf4b7e39f6b02205e45afe2104a7faf81
Bug#1082381: protobuf: CVE-2024-7254
Hi Laszlo,

On Fri, Sep 20, 2024 at 04:05:28PM +0200, Moritz Mühlenhoff wrote:
> Source: protobuf
> X-Debbugs-CC: [email protected]
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for protobuf.
>
> CVE-2024-7254[0]:
> | Any project that parses untrusted Protocol Buffers data containing
> | an arbitrary number of nested groups / series of SGROUP tags can
> | corrupted by exceeding the stack limit i.e. StackOverflow. Parsing
> | nested groups as unknown fields with DiscardUnknownFieldsParser or
> | Java Protobuf Lite parser, or against Protobuf map fields, creates
> | unbounded recursions that can be abused by an attacker.
>
> https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-7254
>     https://www.cve.org/CVERecord?id=CVE-2024-7254
>
> Please adjust the affected versions in the BTS as needed.

Can you please double-check this, I think the issue is not yet fixed
(completely) in Debian. Marc Deslauriers pointed out that there are
commits missing (I updated the tracker now).

Regards,
Salvatore
Bug#1082381: protobuf: CVE-2024-7254
Source: protobuf
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for protobuf.

CVE-2024-7254[0]:
| Any project that parses untrusted Protocol Buffers data containing
| an arbitrary number of nested groups / series of SGROUP tags can
| corrupted by exceeding the stack limit i.e. StackOverflow. Parsing
| nested groups as unknown fields with DiscardUnknownFieldsParser or
| Java Protobuf Lite parser, or against Protobuf map fields, creates
| unbounded recursions that can be abused by an attacker.

https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7254
    https://www.cve.org/CVERecord?id=CVE-2024-7254

Please adjust the affected versions in the BTS as needed.
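The CVE text above describes the root cause: a parser that skips unknown fields descends into every SGROUP tag it meets, so a message built from nested groups drives recursion as deep as the input allows. What a fixed parser has to do is count open groups and refuse to descend past a limit. The following is an added example, not code from the protobuf project or from anyone in this thread: a minimal Python skipper for the protobuf wire format with that bound in place, plus a constructed encoder for building test inputs. All function and constant names are my own, and the default limit of 100 is an assumption chosen to match the recursion limit protobuf parsers commonly default to; it is not taken from the upstream commits linked above.

```python
# Added example, not protobuf project code. Names and the limit value below
# are assumptions made for illustration.

# Wire types from the protobuf encoding; a tag is (field_number << 3) | wire_type.
WIRETYPE_VARINT, WIRETYPE_FIXED64, WIRETYPE_LENGTH_DELIMITED = 0, 1, 2
WIRETYPE_START_GROUP, WIRETYPE_END_GROUP, WIRETYPE_FIXED32 = 3, 4, 5  # SGROUP / EGROUP

DEFAULT_RECURSION_LIMIT = 100  # assumed default; pick what your deployment needs


class MalformedMessage(ValueError):
    """Input is not a well-formed protobuf message."""


class RecursionLimitExceeded(MalformedMessage):
    """Groups nested deeper than the limit: rejected instead of recursing further."""


def read_varint(buf: bytes, pos: int):
    """Decode a base-128 varint at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise MalformedMessage("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift >= 70:  # a varint is at most 10 bytes
            raise MalformedMessage("varint too long")


def _skip_bytes(buf: bytes, pos: int, n: int) -> int:
    if pos + n > len(buf):
        raise MalformedMessage("truncated field")
    return pos + n


def skip_field(buf: bytes, pos: int, tag: int, depth: int, limit: int) -> int:
    """Skip one field whose tag was already read. `depth` = groups currently open.
    Only START_GROUP recurses, and it is refused once depth reaches the limit;
    that check is the bound the vulnerable parsers lacked."""
    wire_type = tag & 7
    if wire_type == WIRETYPE_VARINT:
        return read_varint(buf, pos)[1]
    if wire_type == WIRETYPE_FIXED64:
        return _skip_bytes(buf, pos, 8)
    if wire_type == WIRETYPE_LENGTH_DELIMITED:
        length, pos = read_varint(buf, pos)
        # Skipped by length: groups inside a bytes/message payload are never
        # descended into here, so they do not count toward the depth.
        return _skip_bytes(buf, pos, length)
    if wire_type == WIRETYPE_START_GROUP:
        if depth >= limit:
            raise RecursionLimitExceeded(f"group nesting exceeds {limit}")
        return skip_group(buf, pos, tag >> 3, depth + 1, limit)
    if wire_type == WIRETYPE_END_GROUP:
        raise MalformedMessage("END_GROUP without matching START_GROUP")
    if wire_type == WIRETYPE_FIXED32:
        return _skip_bytes(buf, pos, 4)
    raise MalformedMessage(f"unknown wire type {wire_type}")


def skip_group(buf: bytes, pos: int, field_number: int, depth: int, limit: int) -> int:
    """Skip fields until the END_GROUP tag that matches `field_number`."""
    while True:
        if pos >= len(buf):
            raise MalformedMessage("unterminated group")
        tag, pos = read_varint(buf, pos)
        if tag & 7 == WIRETYPE_END_GROUP:
            if tag >> 3 != field_number:
                raise MalformedMessage("mismatched END_GROUP field number")
            return pos
        pos = skip_field(buf, pos, tag, depth, limit)


def discard_unknown_fields(buf: bytes, recursion_limit: int = DEFAULT_RECURSION_LIMIT) -> int:
    """Walk a message treating every field as unknown; return bytes consumed."""
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        if tag >> 3 == 0:
            raise MalformedMessage("field number 0 is invalid")
        pos = skip_field(buf, pos, tag, 0, recursion_limit)
    return pos


def check_message(buf: bytes, recursion_limit: int = DEFAULT_RECURSION_LIMIT) -> str:
    """Classify an input as 'ok', 'recursion-limit' or 'malformed'."""
    try:
        discard_unknown_fields(buf, recursion_limit)
    except RecursionLimitExceeded:
        return "recursion-limit"
    except MalformedMessage:
        return "malformed"
    return "ok"


# Constructed test-input helpers (not real captures).
def encode_varint(value: int) -> bytes:
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def make_tag(field_number: int, wire_type: int) -> bytes:
    return encode_varint((field_number << 3) | wire_type)


def nested_groups(field_number: int, depth: int) -> bytes:
    """`depth` START_GROUP tags followed by the matching END_GROUP tags."""
    return (make_tag(field_number, WIRETYPE_START_GROUP) * depth
            + make_tag(field_number, WIRETYPE_END_GROUP) * depth)
```

Two points worth noting when reviewing a backport of this class of fix: the depth counter must be threaded through every path that can re-enter the group skipper (here `skip_field` and `skip_group` call each other, so one shared `depth` argument suffices), and length-delimited fields do not add to the depth because they are skipped by byte count rather than parsed. A message that hides 500 nested groups inside a `bytes` field therefore passes the check, which is correct for an unknown-field skipper; a parser that recursively decodes that payload as a sub-message must apply the same limit on its own recursion into it.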

