Your message dated Tue, 29 Apr 2025 21:36:53 +0000
with message-id <[email protected]>
and subject line Bug#1082381: fixed in protobuf 3.21.12-11
has caused the Debian Bug report #1082381,
regarding protobuf: CVE-2024-7254
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1082381: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082381
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: protobuf
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for protobuf.
CVE-2024-7254[0]:
| Any project that parses untrusted Protocol Buffers data containing
| an arbitrary number of nested groups / series of SGROUP tags can
| be corrupted by exceeding the stack limit i.e. StackOverflow. Parsing
| nested groups as unknown fields with DiscardUnknownFieldsParser or
| Java Protobuf Lite parser, or against Protobuf map fields, creates
| unbounded recursions that can be abused by an attacker.
https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-7254
https://www.cve.org/CVERecord?id=CVE-2024-7254
Please adjust the affected versions in the BTS as needed.
--- End Message ---
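The recursion the CVE text describes, as an added example that is not part of the bug report or of protobuf's own code: a minimal Python skipper for unknown protobuf wire-format fields in which every SGROUP tag recurses into the group, so a run of nested SGROUP tags consumes one stack frame per level; a depth budget (MAX_DEPTH, an assumed value chosen for this example) turns that stack exhaustion into an ordinary parse error. The nested_groups input is a constructed sample standing in for the crafted message.

```python
VARINT, FIXED64, LENGTH_DELIMITED, SGROUP, EGROUP, FIXED32 = range(6)  # wire types
MAX_DEPTH = 100  # assumed budget for this example, not protobuf's own constant

def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    result = shift = 0
    while pos < len(buf):
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated varint")

def skip_field(buf, pos, wire_type, field_number, depth, max_depth):
    """Skip one unknown field; groups recurse, one stack frame per level."""
    if wire_type == VARINT:
        return read_varint(buf, pos)[1]
    if wire_type in (FIXED64, FIXED32):
        end = pos + (8 if wire_type == FIXED64 else 4)
    elif wire_type == LENGTH_DELIMITED:
        length, pos = read_varint(buf, pos)
        end = pos + length
    elif wire_type == SGROUP:
        if max_depth is not None and depth >= max_depth:
            raise ValueError("group nesting deeper than %d" % max_depth)
        while True:  # consume inner fields until the matching EGROUP
            tag, pos = read_varint(buf, pos)
            inner_num, inner_type = tag >> 3, tag & 7
            if inner_type == EGROUP and inner_num == field_number:
                return pos
            pos = skip_field(buf, pos, inner_type, inner_num, depth + 1, max_depth)
    else:  # includes a stray or mismatched EGROUP
        raise ValueError("unexpected wire type %d" % wire_type)
    if end > len(buf):
        raise ValueError("field runs past end of buffer")
    return end

def scan_unknown_fields(buf, max_depth=MAX_DEPTH):
    """Discard every field; return the top-level field count. max_depth=None
    keeps the recursion unbounded (RecursionError here, StackOverflow in Java)."""
    pos = count = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        pos = skip_field(buf, pos, tag & 7, tag >> 3, 0, max_depth)
        count += 1
    return count

def nested_groups(depth):
    return b"\x0b" * depth + b"\x0c" * depth  # constructed: field-1 SGROUP/EGROUP tags
```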
--- Begin Message ---
Source: protobuf
Source-Version: 3.21.12-11
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated protobuf
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 29 Apr 2025 21:27:02 +0200
Source: protobuf
Architecture: source
Version: 3.21.12-11
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1082381
Changes:
protobuf (3.21.12-11) unstable; urgency=high
.
* Fix CVE-2024-7254: when parsing unknown fields in the Protobuf Java Lite
and Full library, a maliciously crafted message can cause a StackOverflow
error and lead to a program crash (closes: #1082381).
--- End Message ---