Bugzilla – Bug 1212220
VUL-0: CVE-2023-24535: syft: google.golang.org/protobuf: panic leading to denial of service
Last modified: 2023-06-13 06:39:36 UTC
+++ This bug was initially created as a clone of Bug #1212218 +++

CVE-2023-24535: Parsing invalid messages can panic.

Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24535
https://www.cve.org/CVERecord?id=CVE-2023-24535
https://github.com/golang/protobuf/issues/1530
https://go.dev/cl/475995
https://pkg.go.dev/vuln/GO-2023-1631
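To make the failure mode concrete, the following Go program is an added example written for this page; it is not the protobuf-go tokenizer and not the code from the linked fix. It models the bug class with a deliberately simplified number scanner: the unsafe variant consumes a minus sign and whitespace and then reads the next byte without checking that any input remains, so "-" followed only by whitespace indexes past the end and panics; the hardened variant bounds-checks first and returns an error; and a recover() wrapper shows how a service can turn a parser panic into an ordinary error while the dependency is being updated. All function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// isSpace matches the whitespace a text-format tokenizer skips.
func isSpace(c byte) bool {
	return c == ' ' || c == '\t' || c == '\n' || c == '\r'
}

// scanNegativeNumberUnsafe is a simplified model of the bug class described in
// CVE-2023-24535 (hypothetical code, not the protobuf-go tokenizer): after
// consuming '-' and any whitespace it reads in[i] without checking that input
// remains, so "-" followed only by whitespace indexes past the end and panics.
func scanNegativeNumberUnsafe(in string) (string, error) {
	if len(in) == 0 || in[0] != '-' {
		return "", errors.New("expected '-'")
	}
	i := 1
	for i < len(in) && isSpace(in[i]) {
		i++
	}
	if in[i] < '0' || in[i] > '9' { // index out of range when i == len(in)
		return "", errors.New("expected digit after '-'")
	}
	start := i
	for i < len(in) && in[i] >= '0' && in[i] <= '9' {
		i++
	}
	return "-" + in[start:i], nil
}

// scanNegativeNumberSafe is the hardened form: every read is preceded by a
// length check, so truncated input yields an error instead of a panic.
func scanNegativeNumberSafe(in string) (string, error) {
	if len(in) == 0 || in[0] != '-' {
		return "", errors.New("expected '-'")
	}
	i := 1
	for i < len(in) && isSpace(in[i]) {
		i++
	}
	if i == len(in) {
		return "", errors.New("unexpected end of input after '-'")
	}
	if in[i] < '0' || in[i] > '9' {
		return "", errors.New("expected digit after '-'")
	}
	start := i
	for i < len(in) && in[i] >= '0' && in[i] <= '9' {
		i++
	}
	return "-" + in[start:i], nil
}

// parseRecovering wraps any parser so that a panic on untrusted input becomes
// an ordinary error for the caller: defence in depth for a service that must
// stay up even while the parser it depends on has an unfixed bug.
func parseRecovering(parse func(string) (string, error), in string) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			out = ""
			err = fmt.Errorf("parser panicked on input %q: %v", in, r)
		}
	}()
	return parse(in)
}

func main() {
	// Constructed inputs: two valid negative numbers and two truncated ones.
	inputs := []string{"-42", "-  7", "- ", "-\t\n"}
	for _, in := range inputs {
		v, err := parseRecovering(scanNegativeNumberUnsafe, in)
		fmt.Printf("unsafe %q -> %q, %v\n", in, v, err)
		v, err = scanNegativeNumberSafe(in)
		fmt.Printf("safe   %q -> %q, %v\n", in, v, err)
	}
}
```

The recover() wrapper is a containment measure, not a fix: it keeps one malformed message from taking down the process, but the correct remediation remains updating google.golang.org/protobuf to a fixed release.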
openSUSE:Factory/syft embeds a vulnerable version of the google.golang.org/protobuf module.
syft version 0.83.0 is on its way to Factory, see SR#1092663

AFAICT it contains v1.30.0 of google.golang.org/protobuf, not sure if that version is fixed?
https://github.com/anchore/syft/blob/main/go.mod#L153

Kind Regards,
Johannes
(In reply to Johannes Kastl from comment #2)
> syft version 0.83.0 is on its way to Factory, see SR#1092663
>
> AFAICT it contains v1.30.0 of google.golang.org/protobuf, not sure if that
> version is fixed?
> https://github.com/anchore/syft/blob/main/go.mod#L153
>
> Kind Regards,
> Johannes

v1.30.0 is a fixed version as well. Thanks Johannes
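The question raised in the thread, whether the protobuf version pinned in syft's go.mod is at or above a fixed release, is one a packager can answer mechanically. The following Go program is an added example, not part of the bug report and not code from syft: it reads go.mod text, extracts the google.golang.org/protobuf requirement (a replace directive that points at another version takes precedence, as it does for the Go toolchain), and compares it against v1.30.0, the release this thread confirms as fixed. The go.mod content is constructed for the example; the threshold constant should be lowered if the GO-2023-1631 advisory lists an earlier fixed release.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// fixedProtobufVersion is the release this thread confirms as fixed for
// CVE-2023-24535. Lower it if the Go vulnerability database entry
// (GO-2023-1631) lists an earlier fixed release.
const fixedProtobufVersion = "v1.30.0"

const protobufModule = "google.golang.org/protobuf"

// constructedGoMod is a made-up go.mod fragment for this example, not syft's
// real go.mod. It pins a pre-fix protobuf version as an indirect dependency.
const constructedGoMod = `module example.com/constructed/app

go 1.20

require (
	example.com/other/lib v0.1.0
	google.golang.org/protobuf v1.28.1 // indirect
)
`

// parseSemver splits "vMAJOR.MINOR.PATCH" into three integers. Pre-release and
// build suffixes are dropped, which is adequate for triage; use
// golang.org/x/mod/semver where strict ordering matters.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("malformed version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("malformed version component %q", p)
		}
		out[i] = n
	}
	return out, nil
}

// compareSemver returns -1, 0 or 1 as a is lower than, equal to or higher than b.
func compareSemver(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// protobufVersionFromGoMod returns the effective google.golang.org/protobuf
// version in go.mod text: a replace directive to a versioned module wins over
// the require line. Comments ("// indirect") are stripped before matching.
func protobufVersionFromGoMod(gomod string) (string, error) {
	version, replaced := "", ""
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if strings.Contains(line, "=>") {
			lhs, rhs, _ := strings.Cut(line, "=>")
			lf := strings.Fields(strings.TrimPrefix(strings.TrimSpace(lhs), "replace "))
			rf := strings.Fields(rhs)
			// Only a replacement to a versioned module is comparable; a local
			// path replacement leaves the version unknown.
			if len(lf) >= 1 && lf[0] == protobufModule && len(rf) == 2 && strings.HasPrefix(rf[1], "v") {
				replaced = rf[1]
			}
			continue
		}
		f := strings.Fields(line)
		switch {
		case len(f) >= 2 && f[0] == protobufModule: // inside a require ( ... ) block
			version = f[1]
		case len(f) >= 3 && f[0] == "require" && f[1] == protobufModule: // single-line require
			version = f[2]
		}
	}
	if replaced != "" {
		return replaced, nil
	}
	if version == "" {
		return "", errors.New(protobufModule + " is not required in this go.mod")
	}
	return version, nil
}

// isVulnerableGoMod reports whether the effective protobuf version is below the
// fixed release, along with the version string that was found.
func isVulnerableGoMod(gomod string) (bool, string, error) {
	v, err := protobufVersionFromGoMod(gomod)
	if err != nil {
		return false, "", err
	}
	have, err := parseSemver(v)
	if err != nil {
		return false, v, err
	}
	fixed, _ := parseSemver(fixedProtobufVersion)
	return compareSemver(have, fixed) < 0, v, nil
}

func main() {
	vuln, v, err := isVulnerableGoMod(constructedGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s: below fixed release %s = %v\n", protobufModule, v, fixedProtobufVersion, vuln)
}
```

For a real package, feed the program the go.mod of the exact source tarball being submitted (the link in the thread points at the main branch, which can move), and remember that `go version -m` on the built binary is the authoritative record of which module version was actually compiled in.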