Hi Laszlo,

On Fri, Sep 20, 2024 at 04:05:28PM +0200, Moritz Mühlenhoff wrote:
> Source: protobuf
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for protobuf.
>
> CVE-2024-7254[0]:
> | Any project that parses untrusted Protocol Buffers data containing
> | an arbitrary number of nested groups / series of SGROUP tags can be
> | corrupted by exceeding the stack limit i.e. StackOverflow. Parsing
> | nested groups as unknown fields with DiscardUnknownFieldsParser or
> | Java Protobuf Lite parser, or against Protobuf map fields, creates
> | unbounded recursions that can be abused by an attacker.
>
> https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-7254
> https://www.cve.org/CVERecord?id=CVE-2024-7254
>
> Please adjust the affected versions in the BTS as needed.
Can you please double-check this? I think the issue is not yet fixed (completely) in Debian. Marc Deslauriers pointed out that there are commits missing (I updated the tracker now).

Regards,
Salvatore
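As an added illustration (not part of this bug report or of protobuf's own code): a minimal Python skipper for protobuf wire-format unknown fields. It recurses on SGROUP tags the way the quoted CVE text says the vulnerable parsers do, but bounds the depth, which is the mitigation. The wire-type constants follow the protobuf encoding; the limit value and the constructed nested-group input are this example's own assumptions.

```python
"""Depth-limited skipping of protobuf unknown fields, including nested groups."""

# Protobuf wire types: tag = (field_number << 3) | wire_type
WT_VARINT, WT_FIXED64, WT_LEN, WT_SGROUP, WT_EGROUP, WT_FIXED32 = 0, 1, 2, 3, 4, 5
RECURSION_LIMIT = 100  # assumed bound; an unbounded skipper is the CVE's failure mode


class TooDeep(Exception):
    """Raised instead of letting hostile nesting exhaust the native stack."""


def read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def skip_unknown_message(buf, pos=0, depth=0, limit=RECURSION_LIMIT):
    """Skip every field in buf[pos:] as unknown. Returns (deepest_group, end_pos).

    Each SGROUP opens one level of recursion; depth is capped at `limit`.
    """
    deepest = depth
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        wt = tag & 7
        if wt == WT_VARINT:
            _, pos = read_varint(buf, pos)
        elif wt == WT_FIXED64:
            pos += 8
        elif wt == WT_LEN:
            length, pos = read_varint(buf, pos)
            pos += length
        elif wt == WT_FIXED32:
            pos += 4
        elif wt == WT_SGROUP:
            if depth + 1 > limit:
                raise TooDeep(f"group nesting exceeds limit {limit}")
            inner, pos = skip_unknown_message(buf, pos, depth + 1, limit)
            deepest = max(deepest, inner)  # resumes right after the matching EGROUP
        elif wt == WT_EGROUP:
            if depth == 0:
                raise ValueError("EGROUP without SGROUP")
            return deepest, pos
        else:
            raise ValueError(f"bad wire type {wt}")
    if depth != 0:
        raise ValueError("unterminated group")
    return deepest, pos


def nested_groups(n, field=1):
    """Constructed test input: n nested empty groups on one field number."""
    return bytes([(field << 3) | WT_SGROUP]) * n + bytes([(field << 3) | WT_EGROUP]) * n
```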