Package: src:protobuf
Source: src:protobuf
Submitter: Moritz Mühlenhoff
Date: 2025-07-07 12:59:02 UTC
Severity: normal
Tags:
Hi,

The following vulnerability was published for protobuf.

CVE-2024-7254[0]:
| Any project that parses untrusted Protocol Buffers data containing
| an arbitrary number of nested groups / series of SGROUP tags can be
| corrupted by exceeding the stack limit i.e. StackOverflow. Parsing
| nested groups as unknown fields with DiscardUnknownFieldsParser or
| Java Protobuf Lite parser, or against Protobuf map fields, creates
| unbounded recursions that can be abused by an attacker.

https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7254
    https://www.cve.org/CVERecord?id=CVE-2024-7254

Please adjust the affected versions in the BTS as needed.
We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1082381@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated protobuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 29 Apr 2025 21:27:02 +0200
Source: protobuf
Architecture: source
Version: 3.21.12-11
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1082381
Changes:
protobuf (3.21.12-11) unstable; urgency=high
.
* Fix CVE-2024-7254: when parsing unknown fields in the Protobuf Java Lite
and Full library, a maliciously crafted message can cause a StackOverflow
error and lead to a program crash (closes: #1082381).
Checksums-Sha1:
29a73fcff72f2a7f57f016360dc671b608a65009 3043 protobuf_3.21.12-11.dsc
ffa01b91e66875c2cb5e12e63f8e264318d47e9b 37556 protobuf_3.21.12-11.debian.tar.xz
Checksums-Sha256:
3edfb7884fd89d805e88b0a61b85a7339e50709d3575b28659ef21c5b8c5b686 3043 protobuf_3.21.12-11.dsc
ee6e17387b4b53c1679d156cea20c6812c4dac50f07da533a63a15e24d58fc57 37556 protobuf_3.21.12-11.debian.tar.xz
Files:
9f558845157ae9ce5cf9bdbf6af95086 3043 devel optional protobuf_3.21.12-11.dsc
ff8c2ce41f561d0ad1ddae805f9280cd 37556 devel optional protobuf_3.21.12-11.debian.tar.xz
Hi Laszlo, Can you please double-check this, I think the issue is not yet fixed (completely) in Debian. Marc Deslauriers pointed out that there are commits missing (I updated the tracker now). Regards, Salvatore
Are his notes public? I'm checking the commits mentioned in the security tracker. It seems the commit mentioned earlier [1] is now tracked as another [2] (contents seem to be the same). But then parts of it are removed in another mentioned commit [3], with code parts not present in 3.21.12 (Sid version). It is a bit confusing. I can move the packaging to match these changes. Then is there any upstream recommendation which fixes to use for a specific release branch? Is there any reproducer for this issue?

Regards,
Laszlo/GCS

[1] https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
[2] https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
[3] https://github.com/protocolbuffers/protobuf/commit/b5a7cf7cf4b7e39f6b02205e45afe2104a7faf81
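The payload the CVE text quoted at the top of this report describes (a run of nested SGROUP tags that a parser treats as unknown fields), together with the reproducer question above, as an added example that is not from this thread or from the protobuf project. It is written in Python so it runs stand-alone and models only the wire-format rules from the protobuf encoding specification (varint tags, wire types 0 to 5, SGROUP/EGROUP delimiting) plus a recursive unknown-field skipper; it does not exercise protobuf-java itself. The unbounded recursion is the pre-fix behaviour described in the CVE text; the depth limit is the general mitigation pattern and is assumed here, so check the linked commits for what the Java change actually does. The value 100 is the default recursion limit of protobuf's CodedInputStream.

```python
"""Model of the CVE-2024-7254 payload and a depth-bounded unknown-field skipper.

Added example, not code from the bug thread or from the protobuf project.
Only the wire-format rules from the protobuf encoding specification are used:
  tag = (field_number << 3) | wire_type, encoded as a varint
  wire types: 0 VARINT, 1 I64, 2 LEN, 3 SGROUP, 4 EGROUP, 5 I32
A real decoder is not involved; the point is to see why nested SGROUP tags cost
one stack frame per level and why a hard depth limit stops that.
"""

VARINT, I64, LEN, SGROUP, EGROUP, I32 = 0, 1, 2, 3, 4, 5


class RecursionLimitExceeded(Exception):
    """Raised when group nesting exceeds the configured limit."""


def encode_varint(value: int) -> bytes:
    """Base-128 varint, least significant 7-bit group first."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> tuple:
    """Return (value, new_pos); reject truncated or over-long varints."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def nested_groups(depth: int, field_number: int = 1) -> bytes:
    """Constructed payload: `depth` SGROUP tags followed by `depth` EGROUP tags.

    Well-formed for any schema that leaves `field_number` undefined, so a parser
    sees one unknown group field nested `depth` levels deep."""
    start = encode_varint((field_number << 3) | SGROUP)
    end = encode_varint((field_number << 3) | EGROUP)
    return start * depth + end * depth


def skip_field(buf: bytes, pos: int, tag: int, depth: int, limit) -> int:
    """Skip the value of one unknown field whose tag was just read.

    Groups are skipped by reading tags until the matching EGROUP and recursing
    for nested groups: one stack frame per nesting level. limit=None leaves the
    recursion unbounded (the behaviour the CVE describes); with a limit, deeper
    nesting is rejected before it costs another frame (assumed mitigation)."""
    wire_type = tag & 7
    if wire_type == VARINT:
        return decode_varint(buf, pos)[1]
    if wire_type == I64:
        return pos + 8
    if wire_type == I32:
        return pos + 4
    if wire_type == LEN:
        length, pos = decode_varint(buf, pos)
        return pos + length
    if wire_type == SGROUP:
        depth += 1
        if limit is not None and depth > limit:
            raise RecursionLimitExceeded(f"group nesting deeper than {limit}")
        field_number = tag >> 3
        while True:
            inner_tag, pos = decode_varint(buf, pos)
            if inner_tag & 7 == EGROUP:
                if inner_tag >> 3 != field_number:
                    raise ValueError("EGROUP does not match the open SGROUP")
                return pos
            pos = skip_field(buf, pos, inner_tag, depth, limit)
    # EGROUP with no open group, or reserved wire types 6/7
    raise ValueError(f"bad wire type {wire_type} at offset {pos}")


def parse_unknown_fields(buf: bytes, limit=100) -> int:
    """Treat every field as unknown and skip it; return the top-level field count."""
    pos, count = 0, 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        pos = skip_field(buf, pos, tag, 0, limit)
        count += 1
    if pos != len(buf):
        raise ValueError("field value runs past the end of the buffer")
    return count


def outcome(depth: int, limit) -> str:
    """Parse nested_groups(depth) and classify what happened."""
    try:
        parse_unknown_fields(nested_groups(depth), limit)
        return "ok"
    except RecursionLimitExceeded:
        return "limit"
    except RecursionError:
        # Python's own interpreter guard fires here. A native or JVM parser has
        # no such guard and overflows its stack (StackOverflowError) instead.
        return "stack"


if __name__ == "__main__":
    for depth, limit in ((50, 100), (5000, 100), (5000, None)):
        print(f"depth={depth:>5} limit={limit}: {outcome(depth, limit)}")
```

`nested_groups(n)` written to a file is the kind of input the CVE text describes; whether a given protobuf-java build is affected has to be checked against that library, not against this model. The design point is that the limit is checked on entry to the group, before any further byte is read, so a hostile payload is rejected after at most `limit` tags rather than after the stack is exhausted.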
Hi, I've added my colleague Hlib to CC, as he's the person who actually did the updates for Ubuntu and could perhaps help figure this out. Marc.
Hello,

The final merge commit from github [1] is what we used to fix this issue in Ubuntu. It should contain all of the relevant commits for the CVE.

Thanks,
Hlib.

[1] https://github.com/protocolbuffers/protobuf/commit/4a197e78ad2430e22e992c5a7727b61ae220f727
Hi,

OK, this seems to be the full set of changes needed. Meanwhile I have checked your security update for this issue at: https://launchpad.net/ubuntu/+source/protobuf/3.21.12-9ubuntu1.1 That contains five separate patches, but never mind. Thanks for your update.

Regards,
Laszlo/GCS
The merge commit above actually contains 5 separate patches in it. We separated them out to be properly handled by quilt. Marc.