Bug 1212220

Summary:	VUL-0: CVE-2023-24535: syft: google.golang.org/protobuf: panic leading to denial of service
Product:	[openSUSE] openSUSE Tumbleweed	Reporter:	Thomas Leroy <thomas.leroy>
Component:	Security	Assignee:	Johannes Kastl <opensuse_buildservice>
Status:	NEW ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium
Version:	Current
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/368858/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:	1212218
Bug Blocks:

Description Thomas Leroy 2023-06-12 08:07:38 UTC

+++ This bug was initially created as a clone of Bug #1212218 +++

CVE-2023-24535

Parsing invalid messages can panic. Parsing a text-format message which contains
a potential number consisting of a minus sign, one or more characters of
whitespace, and no further input will cause a panic.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24535
https://www.cve.org/CVERecord?id=CVE-2023-24535
https://github.com/golang/protobuf/issues/1530
https://go.dev/cl/475995
https://pkg.go.dev/vuln/GO-2023-1631

Comment 1 Thomas Leroy 2023-06-12 08:08:17 UTC

openSUSE:Factory/syft embeds a vulnerable
version of the google.golang.org/protobuf module.

Comment 2 Johannes Kastl 2023-06-12 19:46:34 UTC

syft version 0.83.0 is on its way to Factory, see SR#1092663

AFAICT is contains v1.30.0 of google.golang.org/protobuf, not sure if that version is fixed?
https://github.com/anchore/syft/blob/main/go.mod#L153

Kind Regards,
Johannes

Comment 3 Thomas Leroy 2023-06-13 06:39:36 UTC

(In reply to Johannes Kastl from comment #2)
> syft version 0.83.0 is on its way to Factory, see SR#1092663
> 
> AFAICT is contains v1.30.0 of google.golang.org/protobuf, not sure if that
> version is fixed?
> https://github.com/anchore/syft/blob/main/go.mod#L153
> 
> Kind Regards,
> Johannes

v1.30.0 is a fixed version as well. Thanks Johannes