Your message dated Tue, 16 Sep 2025 18:34:29 +0000
with message-id <[email protected]>
and subject line Bug#1082381: fixed in protobuf 3.21.12-12
has caused the Debian Bug report #1082381,
regarding protobuf: CVE-2024-7254
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1082381: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082381
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: protobuf
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for protobuf.

CVE-2024-7254[0]:
| Any project that parses untrusted Protocol Buffers data containing
| an arbitrary number of nested groups / series of SGROUP tags can
| be corrupted by exceeding the stack limit i.e. StackOverflow. Parsing
| nested groups as unknown fields with DiscardUnknownFieldsParser or
| Java Protobuf Lite parser, or against Protobuf map fields, creates
| unbounded recursions that can be abused by an attacker.

https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7254
    https://www.cve.org/CVERecord?id=CVE-2024-7254

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: protobuf
Source-Version: 3.21.12-12
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated protobuf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Tue, 16 Sep 2025 18:19:06 +0200
Source: protobuf
Architecture: source
Version: 3.21.12-12
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1082381 1104293 1108057
Changes:
 protobuf (3.21.12-12) unstable; urgency=high
 .
   [ Hlib Korzhynskyy <[email protected]> ]
   * Complete fix of CVE-2024-7254 (closes: #1082381):
     - add recursion checks and recursion limit,
     - add tests.
 .
   [ Laszlo Boszormenyi (GCS) ]
   * Fix CVE-2025-4565: data containing an arbitrary number of recursive
     groups, recursive messages or a series of SGROUP tags can be corrupted
     by exceeding the Python recursion limit (closes: #1108057).
   * Update Standards-Version to 4.7.2.
 .
   [ zhangdandan <[email protected]> ]
   * Add loongarch64 support (closes: #1104293).


--- End Message ---
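Added example, not code from the bug report or from the protobuf project: a minimal Python reader for the Protocol Buffers wire format that skips unknown fields and bounds SGROUP/EGROUP nesting with an explicit limit, the kind of "recursion checks and recursion limit" the changelog above names, so the nested-group input described in the CVE text is rejected with a controlled error rather than by exhausting the stack or the Python recursion limit. MAX_DEPTH, the function names and the constructed sample input are assumptions for this illustration; the reader also handles the remaining wire types so it can walk a realistic message.

```python
MAX_DEPTH = 100  # assumed nesting limit for this illustration (protobuf's own default is 100)
VARINT, FIXED64, LEN, SGROUP, EGROUP, FIXED32 = 0, 1, 2, 3, 4, 5  # protobuf wire types

class RecursionLimitExceeded(ValueError):
    """Raised when group nesting passes MAX_DEPTH."""

def read_varint(buf, pos):
    """Decode a base-128 varint at pos; returns (value, new_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or overlong varint")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def skip_fields(buf, pos=0, depth=0, group_field=None):
    """Skip unknown fields to the end of buf, or to the EGROUP that closes
    group_field; returns the position after the last field consumed."""
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire = tag >> 3, tag & 7
        if wire == VARINT:
            _, pos = read_varint(buf, pos)
        elif wire in (FIXED64, FIXED32):
            pos += 8 if wire == FIXED64 else 4
        elif wire == LEN:
            length, pos = read_varint(buf, pos)
            pos += length
        elif wire == SGROUP:
            if depth + 1 > MAX_DEPTH:  # bound the recursion before the stack does
                raise RecursionLimitExceeded(f"group nesting exceeds {MAX_DEPTH}")
            pos = skip_fields(buf, pos, depth + 1, field)
        elif wire == EGROUP:
            if field != group_field:
                raise ValueError("EGROUP without matching SGROUP")
            return pos
        else:
            raise ValueError(f"unknown wire type {wire}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    if group_field is not None:
        raise ValueError("unterminated group")
    return pos

def nested_groups(n, field=1):
    """Constructed sample input: n nested empty groups on one field number."""
    return bytes([field << 3 | SGROUP]) * n + bytes([field << 3 | EGROUP]) * n
```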