Hello,

The final merge commit from GitHub [1] is what we used to fix this issue in
Ubuntu. It should contain all of the relevant commits for the CVE.

Thanks,
Hlib.
[1]
https://github.com/protocolbuffers/protobuf/commit/4a197e78ad2430e22e992c5a7727b61ae220f727

On Sat, 5 Jul 2025 at 12:45, Marc Deslauriers <
marc.deslauri...@canonical.com> wrote:

> Hi,
>
> I've added my colleague Hlib to CC, as he's the person who actually did
> the updates for Ubuntu and could perhaps help figure this out.
>
> Marc.
>
> On 2025-07-05 06:31, László Böszörményi (GCS) wrote:
> > On Thu, Jul 3, 2025 at 11:07 PM Salvatore Bonaccorso <car...@debian.org> wrote:
> >> Can you please double-check this, I think the issue is not yet fixed
> >> (completely) in Debian. Marc Deslauriers pointed out that there are
> >> commits missing (I updated the tracker now).
> >   Are his notes public? I'm checking the commits mentioned in the
> > security tracker. It seems the commit mentioned earlier [1] is now
> > tracked as another [2] (contents seem to be the same). But then parts
> > of it are removed in another mentioned commit [3] with code parts not
> > present in 3.21.12 (Sid version).
> > It is a bit confusing. I can move the packaging to match these
> > changes. Then is there any upstream recommendation which fixes to use
> > for a specific release branch? Is there any reproducer for this issue?
> >
> > Regards,
> > Laszlo/GCS
> > [1] https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
> > [2] https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
> > [3] https://github.com/protocolbuffers/protobuf/commit/b5a7cf7cf4b7e39f6b02205e45afe2104a7faf81
>
>
