Source: nanopb Version: 0.4.3-1 Severity: important Tags: security upstream Forwarded: https://github.com/nanopb/nanopb/issues/615 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for nanopb. CVE-2020-26243[0]: | Nanopb is a small code-size Protocol Buffers implementation. In Nanopb | before versions 0.4.4 and 0.3.9.7, decoding specifically formed | message can leak memory if dynamic allocation is enabled and an oneof | field contains a static submessage that contains a dynamic field, and | the message being decoded contains the submessage multiple times. This | is rare in normal messages, but it is a concern when untrusted data is | parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following | workarounds are available: 1) Set the option `no_unions` for the oneof | field. This will generate fields as separate instead of C union, and | avoids triggering the problematic code. 2) Set the type of the | submessage field inside oneof to `FT_POINTER`. This way the whole | submessage will be dynamically allocated and the problematic code is | not executed. 3) Use an arena allocator for nanopb, to make sure all | memory can be released afterwards. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-26243 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26243 [1] https://github.com/nanopb/nanopb/issues/615 [2] https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh Regards, Salvatore
