Bug 30676

Summary: protobuf-c new security issues CVE-2022-33070 and CVE-2022-48468
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Olivier Blin <mageia>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, marja11, nicolas.salguero, pkg-bugs
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: protobuf-c-1.3.3-5.mga8.src.rpm CVE:
Status comment: Fixed upstream in 1.4.1

Description David Walser 2022-07-27 18:23:35 CEST 
Ubuntu has issued an advisory on July 26:
https://ubuntu.com/security/notices/USN-5531-1

Apparently, it may be bundled within other packages such as:
argyllcms
pidgin
sudo

So that needs to be checked too.
David Walser 2022-07-27 18:23:46 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Ubuntu

Comment 1 Marja Van Waes 2022-07-27 22:43:04 CEST 
(In reply to David Walser from comment #0)
> Ubuntu has issued an advisory on July 26:
> https://ubuntu.com/security/notices/USN-5531-1

Assigning to our registered protobuf-c maintainer

> 
> Apparently, it may be bundled within other packages such as:
> argyllcms
> pidgin
> sudo
> 
> So that needs to be checked too.

None of those have a registered maintainer, so CC'ing all packagers collectively for them.

Assignee: bugsquad => mageia
CC: (none) => marja11, pkg-bugs

Comment 2 David Walser 2022-09-06 21:29:24 CEST 
Fedora has issued an advisory for this today (September 6):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FFN2GHUEGTSHRD7J5PKQ5DRSJSEQ2IKN/

Severity: major => normal

Comment 3 David Walser 2023-05-06 23:23:18 CEST 
SUSE has issued an advisory on April 25:
https://lists.suse.com/pipermail/sle-security-updates/2023-April/014571.html

It fixes a new issue that, along with the original issue in this bug, is fixed upstream in 1.4.1.

Status comment: Patch available from Ubuntu => Fixed upstream in 1.4.1
Summary: protobuf-c new security issue CVE-2022-33070 => protobuf-c new security issues CVE-2022-33070 and CVE-2022-48468

Comment 4 David Walser 2023-05-07 01:45:57 CEST 
In Fedora, protobuf-c is bundled in libsignal-protocol-c, and Fedora has issued an advisory for CVE-2022-48468 in that bundled copy on on April 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EI4JZSHJXW7WOOTAQSV5SUCC5GE2GC2B/

In Mageia, libsignal-protocol-c is build with system protobuf-c.
Comment 5 David GEIGER 2023-06-29 22:15:02 CEST 
Fixed for cauldron with protobuf-c-1.4.1-2.mga9!

Version: Cauldron => 8
CC: (none) => geiger.david68210
Whiteboard: MGA8TOO => (none)

Comment 6 Nicolas Salguero 2024-01-12 10:21:07 CET 
Mageia 8 EOL

CC: (none) => nicolas.salguero
Status: NEW => RESOLVED
Resolution: (none) => OLD