Bug 29876 - protobuf new security issues CVE-2021-22569 and CVE-2021-22570
Summary: protobuf new security issues CVE-2021-22569 and CVE-2021-22570
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 30906
Blocks:
Reported: 2022-01-12 15:35 CET by David Walser
Modified: 2023-03-19 02:41 CET (History)

See Also:
Source RPM: protobuf-3.19.1-1.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-01-12 15:35:46 CET
A security issue fixed upstream in protobuf has been announced today (January 12):
https://www.openwall.com/lists/oss-security/2022/01/12/4

The issue is fixed upstream in 3.19.2.

Mageia 8 is also affected.

David Walser 2022-01-12 15:35:57 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.19.2

Comment 1 Lewis Smith 2022-01-12 19:20:35 CET
No packager evident for this, so have to assign it globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2022-02-16 22:42:22 CET
Fedora has issued an advisory today (February 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ/

The issue is fixed upstream in 3.15.0.

Summary: protobuf, ruby-google-protobuf new security issue CVE-2021-22569 => protobuf, ruby-google-protobuf new security issues CVE-2021-22569 and CVE-2021-22570

Comment 3 Nicolas Salguero 2022-02-18 10:47:47 CET
Hi,

For Cauldron, protobuf and ruby-google-protobuf were updated to version 3.19.4.

For Mageia 8, I only added the patch from Fedora for CVE-2021-22570 in protobuf-3.14.0-1.1.mga8.

Best regards,

Nico.

CC: (none) => nicolas.salguero

David Walser 2022-02-18 17:56:03 CET

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 4 David Walser 2022-03-15 20:08:24 CET
openSUSE has issued an advisory for CVE-2021-22570 on March 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WYCKEL27LS2QTHCEAYFVLKKSZP4MBBJQ/

Comment 5 papoteur 2022-03-21 13:16:33 CET
Shouldn't this report be assigned to QA?

CC: (none) => yves.brungard_mageia

Comment 6 David Walser 2022-03-21 14:26:28 CET
No, the ruby one hasn't been fixed yet.

David Walser 2022-09-28 19:44:40 CEST

Depends on: (none) => 30906

Comment 7 Pascal Terjan 2022-11-09 18:10:08 CET
From the upstream advisory:

- Affected versions: All versions of Java Protobufs (including Kotlin and
JRuby) prior to the versions listed below. Protobuf "javalite" users
(typically Android) are not affected.

- google-protobuf [JRuby gem] (3.19.2)

We don't ship jruby or gems built for jruby, so we are not impacted.

CC: (none) => pterjan
Source RPM: protobuf-3.19.1-1.mga9.src.rpm, ruby-google-protobuf-3.11.4-1.mga8.src.rpm => protobuf-3.19.1-1.mga9.src.rpm

David Walser 2022-11-15 23:22:30 CET

Summary: protobuf, ruby-google-protobuf new security issues CVE-2021-22569 and CVE-2021-22570 => protobuf new security issues CVE-2021-22569 and CVE-2021-22570

Comment 8 David Walser 2023-03-13 19:12:47 CET
Ubuntu has issued an advisory for this today (March 13):
https://ubuntu.com/security/notices/USN-5945-1

Comment 9 David GEIGER 2023-03-15 20:38:08 CET
Patch added now for CVE-2021-22569!

CC: (none) => geiger.david68210

Comment 10 David Walser 2023-03-16 00:33:50 CET
Assigned to QA in Bug 30906.

Status comment: Fixed upstream in 3.19.2 => (none)

Comment 11 David Walser 2023-03-19 02:41:47 CET
Fixed in:
https://advisories.mageia.org/MGASA-2023-0092.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
