  • Bug#1082381: protobuf: CVE-2024-7254

    From Salvatore Bonaccorso@1:229/2 to All on Thu Jul 3 23:10:01 2025
    From: [email protected]

    Hi Laszlo,

    On Fri, Sep 20, 2024 at 04:05:28PM +0200, Moritz Mühlenhoff wrote:
    Source: protobuf
    X-Debbugs-CC: [email protected]
    Severity: important
    Tags: security

    Hi,

    The following vulnerability was published for protobuf.

    CVE-2024-7254[0]:
    | Any project that parses untrusted Protocol Buffers data containing
    | an arbitrary number of nested groups / series of SGROUP tags can
    | corrupted by exceeding the stack limit i.e. StackOverflow. Parsing
    | nested groups as unknown fields with DiscardUnknownFieldsParser or
    | Java Protobuf Lite parser, or against Protobuf map fields, creates
    | unbounded recursions that can be abused by an attacker.

    https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-7254
    https://www.cve.org/CVERecord?id=CVE-2024-7254

    Please adjust the affected versions in the BTS as needed.

    Can you please double-check this, I think the issue is not yet fixed (completely) in Debian. Marc Deslauriers pointed out that there are
    commits missing (I updated the tracker now).

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)
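    The description above concerns unbounded recursion when nested groups (SGROUP tags) are parsed as unknown fields. As an added example, not code from this thread or from the protobuf project, here is a non-recursive scanner over the protobuf wire format that measures group nesting depth so a message can be rejected before it reaches a recursive parser; the depth limit and the sample byte strings are constructed assumptions.

```python
"""Pre-parse depth check for protobuf wire-format data (added example)."""
from typing import Tuple

# Wire types as defined by the protobuf encoding.
WT_VARINT, WT_FIXED64, WT_LEN, WT_SGROUP, WT_EGROUP, WT_FIXED32 = 0, 1, 2, 3, 4, 5

def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode one base-128 varint at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")

def max_group_depth(buf: bytes, limit: int = 100) -> int:
    """Walk top-level fields iteratively (no recursion, so the checker itself
    cannot overflow the stack) and return the deepest SGROUP nesting seen.
    Raises ValueError for depth beyond `limit` or malformed framing.
    Length-delimited fields are skipped as opaque bytes."""
    depth = max_depth = pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wt = tag >> 3, tag & 7
        if field == 0:
            raise ValueError("invalid field number 0")
        if wt == WT_VARINT:
            _, pos = read_varint(buf, pos)
        elif wt == WT_FIXED64:
            pos += 8
        elif wt == WT_LEN:
            length, pos = read_varint(buf, pos)
            pos += length
        elif wt == WT_SGROUP:
            depth += 1
            if depth > limit:
                raise ValueError(f"group nesting exceeds limit {limit}")
            max_depth = max(max_depth, depth)
        elif wt == WT_EGROUP:
            if depth == 0:
                raise ValueError("end-group without matching start-group")
            depth -= 1
        elif wt == WT_FIXED32:
            pos += 4
        else:
            raise ValueError(f"unknown wire type {wt}")
        if pos > len(buf):
            raise ValueError("field runs past end of buffer")
    if depth != 0:
        raise ValueError("unterminated group")
    return max_depth

def is_safe_to_parse(buf: bytes, limit: int = 100) -> bool:
    """True if the message is well-framed and within the nesting limit."""
    try:
        max_group_depth(buf, limit)
        return True
    except ValueError:
        return False

# Constructed samples: field 1 as a group (tag 0x0b / 0x0c) nested three deep
# around a varint field 1 = 42; and a flat message with no groups at all.
NESTED_SAMPLE = b"\x0b" * 3 + b"\x08\x2a" + b"\x0c" * 3
FLAT_SAMPLE = b"\x08\x2a\x12\x02\x08\x01"
```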
  • From László Böszörm@21:1/5 to [email protected] on Sat Jul 5 12:40:01 2025
    On Thu, Jul 3, 2025 at 11:07 PM Salvatore Bonaccorso <[email protected]> wrote:
    Can you please double-check this, I think the issue is not yet fixed (completely) in Debian. Marc Deslauriers pointed out that there are
    commits missing (I updated the tracker now).
    Are his notes public? I'm checking the commits mentioned in the
    security tracker. It seems the commit mentioned earlier [1] is now
    tracked as another [2] (contents seem to be the same). But then parts
    of it are removed in another mentioned commit [3] with code parts not
    present in 3.21.12 (Sid version).
    It is a bit confusing. I can move the packaging to match these
    changes. Then is there any upstream recommendation which fixes to use
    for a specific release branch? Is there any reproducer for this issue?

    Regards,
    Laszlo/GCS
    [1] https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
    [2] https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b
    [3] https://github.com/protocolbuffers/protobuf/commit/b5a7cf7cf4b7e39f6b02205e45afe2104a7faf81

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From László Böszörm@21:1/5 to [email protected] on Mon Jul 7 15:00:02 2025
    Hi,

    On Mon, Jul 7, 2025 at 1:51 PM Hlib Korzhynskyy <[email protected]> wrote:
    The final merge commit from github [1] is what we used to fix this issue in Ubuntu. It should contain all of the relevant commits for the CVE.
    [1] https://github.com/protocolbuffers/protobuf/commit/4a197e78ad2430e22e992c5a7727b61ae220f727
    OK, this seems to be the full changes needed. Meanwhile I have
    checked your security update for this issue at: https://launchpad.net/ubuntu/+source/protobuf/3.21.12-9ubuntu1.1
    That contains five separate patches, but nevermind. Thanks for your update.

    Regards,
    Laszlo/GCS

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)