Bug 29876

Summary: protobuf new security issues CVE-2021-22569 and CVE-2021-22570
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: geiger.david68210, nicolas.salguero, pterjan, yvesbrungard
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: protobuf-3.19.1-1.mga9.src.rpm CVE:
Status comment:
Bug Depends on: 30906    
Bug Blocks:    

Description David Walser 2022-01-12 15:35:46 CET 
A security issue fixed upstream in protobuf has been announced today (January 12):
https://www.openwall.com/lists/oss-security/2022/01/12/4

The issue is fixed upstream in 3.19.2.

Mageia 8 is also affected.
David Walser 2022-01-12 15:35:57 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.19.2

Comment 1 Lewis Smith 2022-01-12 19:20:35 CET 
No one packager evident for this, so have to assign it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-02-16 22:42:22 CET 
Fedora has issued an advisory today (February 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ/

The issue is fixed upstream in 3.15.0.

Summary: protobuf, ruby-google-protobuf new security issue CVE-2021-22569 => protobuf, ruby-google-protobuf new security issues CVE-2021-22569 and CVE-2021-22570

Comment 3 Nicolas Salguero 2022-02-18 10:47:47 CET 
Hi,

For Cauldron, protobuf and ruby-google-protobuf were updated to version 3.19.4.

For Mageia 8, I only added the patch from Fedora for CVE-2021-22570 in protobuf-3.14.0-1.1.mga8.

Best regards,

Nico.

CC: (none) => nicolas.salguero

David Walser 2022-02-18 17:56:03 CET

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 4 David Walser 2022-03-15 20:08:24 CET 
openSUSE has issued an advisory for CVE-2021-22570 on March 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WYCKEL27LS2QTHCEAYFVLKKSZP4MBBJQ/
Comment 5 papoteur 2022-03-21 13:16:33 CET 
Shouldn't this report be assigned to QA?

CC: (none) => yves.brungard_mageia

Comment 6 David Walser 2022-03-21 14:26:28 CET 
No, the ruby one hasn't been fixed yet.
David Walser 2022-09-28 19:44:40 CEST

Depends on: (none) => 30906

Comment 7 Pascal Terjan 2022-11-09 18:10:08 CET 
From the upstream advisory:

- Affected versions: All versions of Java Protobufs (including Kotlin and
JRuby) prior to the versions listed below. Protobuf "javalite" users
(typically Android) are not affected.

- google-protobuf [JRuby gem] (3.19.2)

We don't ship jruby or gems built for jruby so are not impacted

CC: (none) => pterjan
Source RPM: protobuf-3.19.1-1.mga9.src.rpm, ruby-google-protobuf-3.11.4-1.mga8.src.rpm => protobuf-3.19.1-1.mga9.src.rpm

David Walser 2022-11-15 23:22:30 CET

Summary: protobuf, ruby-google-protobuf new security issues CVE-2021-22569 and CVE-2021-22570 => protobuf new security issues CVE-2021-22569 and CVE-2021-22570

Comment 8 David Walser 2023-03-13 19:12:47 CET 
Ubuntu has issued an advisory for this today (March 13):
https://ubuntu.com/security/notices/USN-5945-1
Comment 9 David GEIGER 2023-03-15 20:38:08 CET 
Patch added now for CVE-2021-22569!

CC: (none) => geiger.david68210

Comment 10 David Walser 2023-03-16 00:33:50 CET 
Assigned to QA in Bug 30906.

Status comment: Fixed upstream in 3.19.2 => (none)

Comment 11 David Walser 2023-03-19 02:41:47 CET 
Fixed in:
https://advisories.mageia.org/MGASA-2023-0092.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED