Your message dated Wed, 04 Dec 2024 19:20:47 +0000
with message-id <e1tiuvx-00bqwd...@fasolo.debian.org>
and subject line Bug#1088994: fixed in nanopb 0.4.9.1-1
has caused the Debian Bug report #1088994,
regarding nanopb: CVE-2024-53984
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1088994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088994
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nanopb
Version: 0.4.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.4.7-2

Hi,

The following vulnerability was published for nanopb.

CVE-2024-53984[0]:
| Nanopb is a small code-size Protocol Buffers implementation.  When
| the compile time option PB_ENABLE_MALLOC is enabled, the message
| contains at least one field with FT_POINTER field type, custom
| stream callback is used with unknown stream length, and the
| pb_decode_ex() function is used with flag PB_DECODE_DELIMITED, then
| the pb_decode_ex() function does not automatically call
| pb_release(), like is done for other failure cases. This could lead
| to memory leak and potential denial-of-service. This vulnerability
| is fixed in 0.4.9.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-53984
    https://www.cve.org/CVERecord?id=CVE-2024-53984
[1] https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r
[2] https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378

Regards,
Salvatore

--- End Message ---
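The failure mode described in the report above, modelled as an added example in plain C. This is not nanopb's code: istream_t, msg_t, the toy wire format and the two decode_delimited_* functions are constructed stand-ins for a pb_istream_t driven by a custom callback of unknown length, a message with an FT_POINTER field, and pb_decode_ex() with PB_DECODE_DELIMITED, and the input byte strings are constructed too. It shows the unreleased partial message on the unpatched path beside a caller that releases on every failure:

```c
/* Added example: a self-contained model of the ownership bug behind
 * CVE-2024-53984. None of this is nanopb code; istream_t, msg_t and the
 * decode functions are stand-ins for pb_istream_t, a message with an
 * FT_POINTER field, and pb_decode_ex(..., PB_DECODE_DELIMITED). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap bookkeeping so a caller can observe whether a decode leaked. */
static int live_allocs = 0;
static void *track_malloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void track_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Callback-backed input stream; bytes_left == SIZE_MAX means the total
 * length is unknown, the situation the advisory singles out. */
typedef struct istream {
    int (*callback)(struct istream *s, uint8_t *buf, size_t count);
    void *state;
    size_t bytes_left;
} istream_t;

typedef struct { const uint8_t *data; size_t len, pos; } mem_state_t;

static int mem_callback(istream_t *s, uint8_t *buf, size_t count) {
    mem_state_t *m = s->state;
    if (m->pos + count > m->len) return 0;      /* input ran out: decode fails here */
    memcpy(buf, m->data + m->pos, count);
    m->pos += count;
    return 1;
}

static int stream_read(istream_t *s, uint8_t *buf, size_t count) {
    if (s->bytes_left != SIZE_MAX) {
        if (count > s->bytes_left) return 0;
        s->bytes_left -= count;
    }
    return s->callback(s, buf, count);
}

/* Message with one heap-allocated (pointer) field and one scalar. */
typedef struct { char *name; uint32_t id; } msg_t;

/* Free pointer fields and null them, so a second release is harmless. */
static void msg_release(msg_t *m) { track_free(m->name); m->name = NULL; }

/* Toy wire format: [msg_len][name_len][name bytes][id]. */
static int decode_fields(istream_t *s, msg_t *m) {
    uint8_t n, id;
    if (!stream_read(s, &n, 1)) return 0;
    m->name = track_malloc((size_t)n + 1);
    if (!m->name || !stream_read(s, (uint8_t *)m->name, n)) return 0;
    m->name[n] = '\0';
    if (!stream_read(s, &id, 1)) return 0;      /* name is allocated by now: leak point */
    m->id = id;
    return 1;
}

/* The delimited path as the advisory describes it before 0.4.9.1: a length
 * prefix is read, a bounded substream decodes the body, and on failure the
 * partially filled message is handed back to the caller unreleased. */
static int decode_delimited_vulnerable(istream_t *s, msg_t *m) {
    uint8_t len;
    istream_t sub;
    memset(m, 0, sizeof *m);
    if (!stream_read(s, &len, 1)) return 0;
    sub = *s;                 /* shares callback and state, bounded to len bytes */
    sub.bytes_left = len;
    return decode_fields(&sub, m);
}

/* Caller-side hardening: release on every failure, whatever the library did. */
static int decode_delimited_hardened(istream_t *s, msg_t *m) {
    if (!decode_delimited_vulnerable(s, m)) { msg_release(m); return 0; }
    return 1;
}

/* Constructed inputs: COMPLETE decodes to name "hi", id 42; TRUNCATED claims
 * a 5-byte body but the id byte is missing, so decoding fails after name
 * has already been allocated. */
static const uint8_t COMPLETE[]  = { 0x04, 0x02, 'h', 'i', 0x2A };
static const uint8_t TRUNCATED[] = { 0x05, 0x02, 'h', 'i' };

/* Decode buf through one of the two paths and report how many heap blocks the
 * decoder left behind for the caller on failure (0 is the only acceptable answer). */
static int leaked_blocks(int hardened, const uint8_t *buf, size_t len, uint32_t *id_out) {
    mem_state_t st = { buf, len, 0 };
    istream_t s = { mem_callback, &st, SIZE_MAX };
    msg_t m;
    int ok = hardened ? decode_delimited_hardened(&s, &m)
                      : decode_delimited_vulnerable(&s, &m);
    int leaked = ok ? 0 : live_allocs;          /* on success the caller owns m */
    if (ok && id_out) *id_out = m.id;
    msg_release(&m);                            /* clean up so the count restarts at 0 */
    return leaked;
}

int main(void) {
    uint32_t id = 0;
    printf("vulnerable path, truncated input: %d block(s) leaked\n",
           leaked_blocks(0, TRUNCATED, sizeof TRUNCATED, NULL));
    printf("hardened path, truncated input:   %d block(s) leaked\n",
           leaked_blocks(1, TRUNCATED, sizeof TRUNCATED, NULL));
    printf("hardened path, complete input:    %d leaked, id=%u\n",
           leaked_blocks(1, COMPLETE, sizeof COMPLETE, &id), (unsigned)id);
    return 0;
}
```

With real nanopb older than 0.4.9.1 (the bug lists 0.4.7-2 and 0.4.9-1 as affected in Debian) the equivalent caller-side mitigation is to call pb_release(Msg_fields, &msg) whenever pb_decode_ex() returns false. pb_release() nulls each pointer field as it frees it, so the extra call is harmless on the failure paths where the library already released the message. Upgrading to 0.4.9.1-1 removes the need for the workaround; the pattern costs nothing to keep.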
--- Begin Message ---
Source: nanopb
Source-Version: 0.4.9.1-1
Done: Laszlo Boszormenyi (GCS) <g...@debian.org>

We believe that the bug you reported is fixed in the latest version of
nanopb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1088...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated nanopb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 04 Dec 2024 19:43:32 +0100
Source: nanopb
Architecture: source
Version: 0.4.9.1-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Closes: 1088994
Changes:
 nanopb (0.4.9.1-1) unstable; urgency=high
 .
   * New upstream release:
     - fix CVE-2024-53984: memory not released on error return from
       pb_decode_ex() (closes: #1088994).
Checksums-Sha1:
 0881ca0a1e24a07ca0f86ea3cc94c1aff3fe031e 1851 nanopb_0.4.9.1-1.dsc
 bc99db8d6cdf472632267acf1a6be442c6cc7c80 1186352 nanopb_0.4.9.1.orig.tar.gz
 a7c36232309981ef075656facaedbf561e25ba97 5068 nanopb_0.4.9.1-1.debian.tar.xz
Checksums-Sha256:
 452a6fcce06738786b9aab9f681e31c5e149b8d62761a40222955ae1cd3936d6 1851 nanopb_0.4.9.1-1.dsc
 4575944a468718ef25f05eb01d994364650b581563089a9841986bb1e460eac3 1186352 nanopb_0.4.9.1.orig.tar.gz
 9824e75d817aeac1d132781ba865724e51583b78575dc476827c5454669751f2 5068 nanopb_0.4.9.1-1.debian.tar.xz
Files:
 cb598edae6f3ce1e606378ffe98eaa6a 1851 devel optional nanopb_0.4.9.1-1.dsc
 a974c454f4cb245b3552f3fea233a3fa 1186352 devel optional nanopb_0.4.9.1.orig.tar.gz
 459494968055c42116bef4d057ceda5c 5068 devel optional nanopb_0.4.9.1-1.debian.tar.xz


--- End Message ---
