Bug 30906

Summary: protobuf new security issues CVE-2022-1941 and CVE-2022-3171
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, nicolas.salguero, pterjan, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=31431
https://bugs.mageia.org/show_bug.cgi?id=31432
Whiteboard: MGA8-64-OK
Source RPM: protobuf-3.19.4-2.mga9.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 29876, 31430    

Description David Walser 2022-09-28 19:44:15 CEST 
Upstream has issued an advisory on September 22:
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf

The issue is fixed upstream in 3.19.5.

It would appear to be the Python subpackage (python3-protobuf) that's affected.

Mageia 8 is also affected.
David Walser 2022-09-28 19:44:40 CEST

Blocks: (none) => 29876
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.19.5

Comment 1 Nicolas Salguero 2022-10-19 13:18:30 CEST 
Hi,

For Cauldron, protobuf was updated to version 3.19.5.

Best regards,

Nico.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero

Comment 2 David Walser 2022-11-09 17:51:06 CET 
SUSE has issued an advisory today (November 9):
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012857.html

It fixes two issues we already had bugs for (Bug 29876 and this bug) and an additional issue CVE-2022-3171, which is fixed upstream in 3.19.6:
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2


The new issue also affects ruby-google-protobuf (where it is fixed upstream in 3.21.7), and also affects Mageia 8.

Whiteboard: (none) => MGA8TOO
Status comment: Fixed upstream in 3.19.5 => Fixed upstream in protobuf 3.19.6 and ruby-google-protobuf 3.21.7
Source RPM: protobuf-3.19.4-2.mga9.src.rpm => protobuf-3.19.4-2.mga9.src.rpm, ruby-google-protobuf-3.21.6-1.mga9.src.rpm
Version: 8 => Cauldron
Summary: protobuf new security issue CVE-2022-1941 => protobuf new security issues CVE-2022-1941 and CVE-2022-3171
CC: (none) => pterjan

Comment 4 Pascal Terjan 2022-11-09 18:05:28 CET 
ruby-google-protobuf is not impacted by CVE-2022-3171 which is a Java only problem. We don't ship jruby or any gem built for jruby, only native versions.

Source RPM: protobuf-3.19.4-2.mga9.src.rpm, ruby-google-protobuf-3.21.6-1.mga9.src.rpm => protobuf-3.19.4-2.mga9.src.rpm
Status comment: Fixed upstream in protobuf 3.19.6 and ruby-google-protobuf 3.21.7 => Fixed upstream in protobuf 3.19.6

Comment 5 David Walser 2022-12-09 17:39:43 CET 
Ubuntu has issued an advisory for CVE-2022-1941 on December 8:
https://ubuntu.com/security/notices/USN-5769-1

Status comment: Fixed upstream in protobuf 3.19.6 => Fixed upstream in 3.19.6

Comment 6 David Walser 2022-12-19 19:20:10 CET 
Fedora has issued an advisory for this on December 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
Lewis Smith 2023-01-18 21:22:45 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31431

Comment 7 Lewis Smith 2023-01-18 21:25:17 CET 
Cauldron has version: 3.19.6.
Not sure what the problem is, but can this bug be progressed?
Note its new companion bug 31431.
Lewis Smith 2023-01-18 21:34:34 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31432

David Walser 2023-01-23 21:34:35 CET

Blocks: (none) => 31430

Comment 8 David Walser 2023-03-13 19:12:44 CET 
Ubuntu has issued an advisory for CVE-2022-1941 (and the issues in Bug 29876) today (March 13):
https://ubuntu.com/security/notices/USN-5945-1
Comment 9 David GEIGER 2023-03-15 20:38:41 CET 
Patch added now for CVE-2022-1941 and CVE-2022-3171!

CC: (none) => geiger.david68210

Comment 10 David Walser 2023-03-16 00:32:29 CET 
Cauldron has been updated to 21.12 by Jani and David.

This update addresses CVE-2021-22569 and CVE-2021-22570 (Bug 29876) as well as CVE-2022-1941 and CVE-2022-3171 (Bug 30906).

Assignee: java => qa-bugs
Status comment: Fixed upstream in 3.19.6 => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 11 David Walser 2023-03-16 00:33:13 CET 
protobuf-javadoc-3.14.0-1.2.mga8
libprotobuf25-3.14.0-1.2.mga8
libprotoc25-3.14.0-1.2.mga8
libprotobuf-devel-3.14.0-1.2.mga8
protobuf-java-3.14.0-1.2.mga8
libprotobuf-lite25-3.14.0-1.2.mga8
python3-protobuf-3.14.0-1.2.mga8
protobuf-javalite-3.14.0-1.2.mga8
protobuf-compiler-3.14.0-1.2.mga8
protobuf-parent-3.14.0-1.2.mga8
protobuf-bom-3.14.0-1.2.mga8
protobuf-java-util-3.14.0-1.2.mga8
protobuf-vim-3.14.0-1.2.mga8
libprotobuf-static-devel-3.14.0-1.2.mga8

from protobuf-3.14.0-1.2.mga8.src.rpm
Comment 12 Herman Viaene 2023-03-16 16:25:27 CET 
This seems all developer's area,so OK on clean install. Tried a few urpmq operations, nothing usefull shown.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 13 Thomas Andrews 2023-03-16 19:42:49 CET 
A search for previous updates shows "protobuf" as needed by vlc, and urpmq --whatrequires shows that vlc-plugin-common requires lib64protobuf-lite25 as a runtime library, but I have no idea which of the seemingly hundreds of plugins in that package uses it.

But I tried, anyway. After the update, I tried running strace with vlc and played a mp4 file from Handbrake and the original avi file from a digital camera, but a search of the resulting file contained no reference to "protobuf" at all. 

I tried again, this time attempting streaming from the Internet, which failed miserably because I didn't know what I was doing. No reference to "protobuf" this time either, so I don't believe it was this update that caused the failure.

I'm going to give this a tentative validation on our  clean installs. If this needs further testing, I will need some guidance on how to do it.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-17 23:12:52 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 14 Mageia Robot 2023-03-18 23:18:05 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0092.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED