Bug 30906 - protobuf new security issues CVE-2022-1941 and CVE-2022-3171
Summary: protobuf new security issues CVE-2022-1941 and CVE-2022-3171
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 29876 31430
Reported: 2022-09-28 19:44 CEST by David Walser
Modified: 2023-03-18 23:18 CET
CC: 7 users

See Also:
Source RPM: protobuf-3.19.4-2.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-09-28 19:44:15 CEST
Upstream has issued an advisory on September 22:
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf

The issue is fixed upstream in 3.19.5.

It would appear to be the Python subpackage (python3-protobuf) that's affected.

Mageia 8 is also affected.
David Walser 2022-09-28 19:44:40 CEST

Blocks: (none) => 29876
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.19.5

Comment 1 Nicolas Salguero 2022-10-19 13:18:30 CEST
Hi,

For Cauldron, protobuf was updated to version 3.19.5.

Best regards,

Nico.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero

Comment 2 David Walser 2022-11-09 17:51:06 CET
SUSE has issued an advisory today (November 9):
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012857.html

It fixes two issues we already had bugs for (Bug 29876 and this bug) and an additional issue CVE-2022-3171, which is fixed upstream in 3.19.6:
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
The new issue also affects ruby-google-protobuf (where it is fixed upstream in 3.21.7), and also affects Mageia 8.

Whiteboard: (none) => MGA8TOO
Status comment: Fixed upstream in 3.19.5 => Fixed upstream in protobuf 3.19.6 and ruby-google-protobuf 3.21.7
Source RPM: protobuf-3.19.4-2.mga9.src.rpm => protobuf-3.19.4-2.mga9.src.rpm, ruby-google-protobuf-3.21.6-1.mga9.src.rpm
Version: 8 => Cauldron
Summary: protobuf new security issue CVE-2022-1941 => protobuf new security issues CVE-2022-1941 and CVE-2022-3171
CC: (none) => pterjan

Comment 4 Pascal Terjan 2022-11-09 18:05:28 CET
ruby-google-protobuf is not impacted by CVE-2022-3171 which is a Java only problem. We don't ship jruby or any gem built for jruby, only native versions.

Source RPM: protobuf-3.19.4-2.mga9.src.rpm, ruby-google-protobuf-3.21.6-1.mga9.src.rpm => protobuf-3.19.4-2.mga9.src.rpm
Status comment: Fixed upstream in protobuf 3.19.6 and ruby-google-protobuf 3.21.7 => Fixed upstream in protobuf 3.19.6

Comment 5 David Walser 2022-12-09 17:39:43 CET
Ubuntu has issued an advisory for CVE-2022-1941 on December 8:
https://ubuntu.com/security/notices/USN-5769-1

Status comment: Fixed upstream in protobuf 3.19.6 => Fixed upstream in 3.19.6

Comment 6 David Walser 2022-12-19 19:20:10 CET
Fedora has issued an advisory for this on December 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/

Lewis Smith 2023-01-18 21:22:45 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31431

Comment 7 Lewis Smith 2023-01-18 21:25:17 CET
Cauldron has version: 3.19.6.
Not sure what the problem is, but can this bug be progressed?
Note its new companion bug 31431.

Lewis Smith 2023-01-18 21:34:34 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31432

David Walser 2023-01-23 21:34:35 CET

Blocks: (none) => 31430

Comment 8 David Walser 2023-03-13 19:12:44 CET
Ubuntu has issued an advisory for CVE-2022-1941 (and the issues in Bug 29876) today (March 13):
https://ubuntu.com/security/notices/USN-5945-1

Comment 9 David GEIGER 2023-03-15 20:38:41 CET
Patch added now for CVE-2022-1941 and CVE-2022-3171!

CC: (none) => geiger.david68210

Comment 10 David Walser 2023-03-16 00:32:29 CET
Cauldron has been updated to 21.12 by Jani and David.

This update addresses CVE-2021-22569 and CVE-2021-22570 (Bug 29876) as well as CVE-2022-1941 and CVE-2022-3171 (Bug 30906).

Assignee: java => qa-bugs
Status comment: Fixed upstream in 3.19.6 => (none)
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 11 David Walser 2023-03-16 00:33:13 CET
protobuf-javadoc-3.14.0-1.2.mga8
libprotobuf25-3.14.0-1.2.mga8
libprotoc25-3.14.0-1.2.mga8
libprotobuf-devel-3.14.0-1.2.mga8
protobuf-java-3.14.0-1.2.mga8
libprotobuf-lite25-3.14.0-1.2.mga8
python3-protobuf-3.14.0-1.2.mga8
protobuf-javalite-3.14.0-1.2.mga8
protobuf-compiler-3.14.0-1.2.mga8
protobuf-parent-3.14.0-1.2.mga8
protobuf-bom-3.14.0-1.2.mga8
protobuf-java-util-3.14.0-1.2.mga8
protobuf-vim-3.14.0-1.2.mga8
libprotobuf-static-devel-3.14.0-1.2.mga8

from protobuf-3.14.0-1.2.mga8.src.rpm

Comment 12 Herman Viaene 2023-03-16 16:25:27 CET
This seems all developer's area, so OK on clean install. Tried a few urpmq operations, nothing useful shown.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 13 Thomas Andrews 2023-03-16 19:42:49 CET
A search for previous updates shows "protobuf" as needed by vlc, and urpmq --whatrequires shows that vlc-plugin-common requires lib64protobuf-lite25 as a runtime library, but I have no idea which of the seemingly hundreds of plugins in that package uses it.

But I tried, anyway. After the update, I tried running strace with vlc and played an mp4 file from Handbrake and the original avi file from a digital camera, but a search of the resulting file contained no reference to "protobuf" at all.

I tried again, this time attempting streaming from the Internet, which failed miserably because I didn't know what I was doing. No reference to "protobuf" this time either, so I don't believe it was this update that caused the failure.

I'm going to give this a tentative validation on our clean installs. If this needs further testing, I will need some guidance on how to do it.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
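The question raised in the comment above (does vlc actually load the protobuf library, and has the process picked up the updated copy?) can be answered without strace by reading /proc/<pid>/maps, which lists every shared object a process has mapped and marks with "(deleted)" any file that was replaced on disk after it was mapped, as happens when an RPM update installs a new library under a process that is still running. The script below is an added example for this page, not code from the Mageia bug, the QA team or the protobuf project. The library name pattern "libprotobuf" and the sample maps content are constructed; the plugin path in the sample is an assumption used only to show where such a mapping would appear.

```python
"""Report which processes map a given shared library and whether any of them
still hold a copy that an update has since replaced on disk.

Added example (not from the Mageia bug or the protobuf project). /proc/<pid>/maps
exposes the same information strace would show as open()/mmap() calls on the
library. The "libprotobuf" pattern and the sample below are constructed.
"""
import os
import re

# /proc/<pid>/maps line layout:
#   start-end perms offset dev inode [pathname [(deleted)]]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+"
    r"(?P<inode>\d+)\s*(?P<path>.*)$"
)


def classify_maps(maps_text: str, library: str) -> dict:
    """Return {'current': {paths}, 'stale': {paths}} for mappings whose path
    contains `library`.

    A '(deleted)' suffix means the file was replaced on disk (for example by an
    RPM update) after the process mapped it: the process keeps executing the
    old, unpatched code until it is restarted.
    """
    result = {"current": set(), "stale": set()}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if not path or library not in path:
            continue
        if path.endswith("(deleted)"):
            result["stale"].add(path[: -len("(deleted)")].strip())
        else:
            result["current"].add(path)
    return result


def scan_processes(library: str) -> dict:
    """Walk /proc and return pid -> classification for every process that maps
    `library`. Processes whose maps cannot be read (other users' processes,
    kernel threads, processes that exited mid-scan) are skipped."""
    report = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                text = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        found = classify_maps(text, library)
        if found["current"] or found["stale"]:
            report[int(entry)] = found
    return report


# Constructed sample: what the maps of a vlc process might look like after the
# libprotobuf-lite update was installed but before vlc was restarted. The
# plugin path is an assumption, not taken from a real system.
SAMPLE_MAPS = """\
5581a2c00000-5581a2c3f000 r--p 00000000 08:02 1310720 /usr/bin/vlc
7f3c1e000000-7f3c1e2ab000 r-xp 00000000 08:02 2621440 /usr/lib64/libprotobuf-lite.so.25.0.0 (deleted)
7f3c1e400000-7f3c1e5d0000 r-xp 00000000 08:02 2621441 /usr/lib64/libc.so.6
7f3c1e800000-7f3c1e8a0000 r-xp 00000000 08:02 2621442 /usr/lib64/vlc/plugins/stream_out/libstream_out_chromecast_plugin.so
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    # Constructed sample: the library is mapped, but only the deleted pre-update copy.
    print(classify_maps(SAMPLE_MAPS, "libprotobuf"))
    # Live system: list every process that maps libprotobuf and whether it needs a restart.
    for pid, found in sorted(scan_processes("libprotobuf").items()):
        state = "needs restart" if found["stale"] else "up to date"
        print(pid, state, sorted(found["current"] | found["stale"]))
```

Run it as root right after installing the update: a process listed as "needs restart" is still running the pre-update library, and a process that does not appear at all never mapped it, which is the cleaner answer to "does this plugin use protobuf" than grepping an strace log. The same check works for any shared library, not only protobuf.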

Dave Hodgins 2023-03-17 23:12:52 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 14 Mageia Robot 2023-03-18 23:18:05 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0092.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
