Source: nanopb Version: 0.4.4-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for nanopb. CVE-2021-21401[0]: | Nanopb is a small code-size Protocol Buffers implementation in ansi C. | In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically | formed message can cause invalid `free()` or `realloc()` calls if the | message type contains an `oneof` field, and the `oneof` directly | contains both a pointer field and a non-pointer field. If the message | data first contains the non-pointer field and then the pointer field, | the data of the non-pointer field is incorrectly treated as if it was | a pointer value. Such message data rarely occurs in normal messages, | but it is a concern when untrusted data is parsed. This has been fixed | in versions 0.3.9.8 and 0.4.5. See referenced GitHub Security Advisory | for more information including workarounds. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-21401 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21401 [1] https://github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88 Regards, Salvatore
