Bug 1203681 - (CVE-2022-1941) VUL-0: CVE-2022-1941: protobuf: A potential Denial of Service issue in protobuf-cpp and protobuf-python
Status: NEW
Duplicates: 1204630, 1205141
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/343244/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1941:6.5:(AV:N...
Reported: 2022-09-23 08:49 UTC by Thomas Leroy
Modified: 2022-11-18 09:33 UTC
Found By: Security Response Team

Description Thomas Leroy 2022-09-23 08:49:36 UTC
CVE-2022-1941

A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions
prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for
protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2,
3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory
failures. A specially crafted message with multiple key-value per elements
creates parsing issues, and can lead to a Denial of Service against services
receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5,
3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for
protobuf-python. Versions for 3.16 and 3.17 are no longer updated.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1941
https://www.cve.org/CVERecord?id=CVE-2022-1941
https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
https://cloud.google.com/support/bulletins#GCP-2022-019
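As an added illustration of the structure the advisory talks about (not code from the protobuf project, nor from this bug report): a dependency-free decoder for the MessageSet wire format, where each item is a group (field 1) carrying a type_id (field 2, varint) and a message (field 3, length-delimited), plus a check that flags items carrying anything other than exactly one type_id and one message. Reading "multiple key-value per elements" as repeated type_id/message fields inside a single item is an assumption made for this example, as are the sample bytes, which are constructed here rather than captured from any service.

```python
"""Minimal decoder for the protobuf MessageSet wire format.

Illustration only; not code from the protobuf project or this bug.
Encoding of one MessageSet item:

    Item (group, field 1)         start tag 0x0B ... end tag 0x0C
        type_id (int32, field 2)  tag 0x10, varint
        message (bytes, field 3)  tag 0x1A, length-delimited

A well-formed item carries exactly one type_id and one message.  The
check below flags items that deviate from that, which is the shape this
example ASSUMES the advisory means by "multiple key-value per elements".
"""

ITEM_START = (1 << 3) | 3   # 0x0B: field 1, wire type 3 (start group)
ITEM_END = (1 << 3) | 4     # 0x0C: field 1, wire type 4 (end group)
TYPE_ID = (2 << 3) | 0      # 0x10: field 2, wire type 0 (varint)
MESSAGE = (3 << 3) | 2      # 0x1A: field 3, wire type 2 (length-delimited)


def encode_varint(value: int) -> bytes:
    """Base-128 varint encoding, least significant group first."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a varint at buf[pos]; return (value, new_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos
        if shift > 63:
            raise ValueError("varint too long")


def encode_item(type_ids: list[int], messages: list[bytes]) -> bytes:
    """Encode one item; single-element lists give a well-formed item."""
    body = bytearray()
    for tid in type_ids:
        body += bytes([TYPE_ID]) + encode_varint(tid)
    for msg in messages:
        body += bytes([MESSAGE]) + encode_varint(len(msg)) + msg
    return bytes([ITEM_START]) + bytes(body) + bytes([ITEM_END])


def parse_message_set(buf: bytes) -> list[dict]:
    """Return one dict per item: {'type_ids': [...], 'messages': [...]}.

    Raises ValueError on unknown tags, truncation or unterminated groups.
    """
    items = []
    pos = 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        if tag != ITEM_START:
            raise ValueError(f"unexpected tag 0x{tag:02x} at offset {pos}")
        item = {"type_ids": [], "messages": []}
        while True:
            if pos >= len(buf):
                raise ValueError("unterminated MessageSet item")
            tag, pos = decode_varint(buf, pos)
            if tag == ITEM_END:
                break
            if tag == TYPE_ID:
                tid, pos = decode_varint(buf, pos)
                item["type_ids"].append(tid)
            elif tag == MESSAGE:
                length, pos = decode_varint(buf, pos)
                if pos + length > len(buf):
                    raise ValueError("message payload truncated")
                item["messages"].append(buf[pos:pos + length])
                pos += length
            else:
                raise ValueError(f"unsupported tag 0x{tag:02x} inside item")
        items.append(item)
    return items


def suspicious_items(buf: bytes) -> list[int]:
    """Indexes of items that do not carry exactly one type_id and one message."""
    return [
        i for i, item in enumerate(parse_message_set(buf))
        if len(item["type_ids"]) != 1 or len(item["messages"]) != 1
    ]


def is_malformed(buf: bytes) -> bool:
    """True if the buffer does not decode as a MessageSet at all."""
    try:
        parse_message_set(buf)
    except ValueError:
        return True
    return False


# Constructed sample input (hypothetical type_id 100 wrapping a tiny payload).
GOOD = encode_item([100], [b"\x08\x01"])                  # one pair per item
ODD = encode_item([100, 100, 100], [b"\x08\x01"] * 3)     # repeated pairs in ONE item
SAMPLE = GOOD + ODD

if __name__ == "__main__":
    print(parse_message_set(SAMPLE))
    print("suspicious item indexes:", suspicious_items(SAMPLE))
```

A front end that has to accept MessageSet payloads from untrusted peers can run suspicious_items() on the raw bytes before handing them to a not-yet-updated parser and reject anything it flags; that is a stopgap, and the fix remains the upstream version bump named in the advisory.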
Comment 1 Thomas Leroy 2022-09-23 08:53:15 UTC
I think the following PR fixes the issue:
https://github.com/protocolbuffers/protobuf/pull/10546

According to the advisory, all versions should be affected, therefore all maintained codestreams:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update
Comment 2 Max Lin 2022-09-29 10:49:41 UTC
(In reply to Thomas Leroy from comment #1)
> I think the following PR fixes the issue:
> https://github.com/protocolbuffers/protobuf/pull/10546
> 

We need an ECO to update it to version 3.19.5 (3.20 and above have stopped supporting Python < 3.7). wire_format.cc has a lot of differences compared to SLE's dated protobuf, including many newly defined structures, variable types, and so on, so patch backporting is nearly not doable since the code base is so different. Updating to a recent version should be the preferred option here.

> According to the advisory, all versions should be affected, therefore all
> maintained codestreams:
> - SUSE:SLE-15:Update

I have an experimental project with protobuf 3.19.5 [1]; the relevant packages are protobuf-c and AppStream. I did a reverse-dependency rebuild of them: protobuf-c needs an update to at least 1.3.2 (we have that in SLE15 SP2) to support protobuf 3.9.0 and above; AppStream is fine.

> - SUSE:SLE-15-SP2:Update

Relevant packages: AppStream, collected, grpc, google-http-java-client, netty3, protobuf-c. Those packages from SLE-15-SP2:Update all build successfully with protobuf 3.19.5 [1]; we don't need additional updates for them, we just need to rebuild them with protobuf 3.19.5.

[1] https://build.suse.de/project/show/home:mlin7442:branches:OBS_Maintained:protobuf


Can you help to open an ECO for the protobuf version update?
Comment 3 Thomas Leroy 2022-09-29 12:26:18 UTC
(In reply to Max Lin from comment #2)
> Can you help to open an ECO for the protobuf version update?

Thanks for your feedback Max, let me open it :)
Comment 4 Thomas Leroy 2022-09-29 13:17:37 UTC
ECO created: https://jira.suse.com/browse/PED-2076
Comment 5 Marcus Meissner 2022-09-29 13:43:52 UTC
libprotobuf*20 -> libprotobuf*30 is a major library version change.

we cannot remove the old package, we could only add it in parallel new.
Comment 6 Max Lin 2022-09-29 14:50:32 UTC
(In reply to Marcus Meissner from comment #5)
> libprotobuf*20 -> libprotobuf*30 is a major library version change.
> 

Yes, soname has changed.

> we cannot remove the old package, we could only add it in parallel new.

What does that mean exactly? Do I need to submit something like protobuf_319 instead of protobuf? Would rebuilding the packages that depend on libprotobuf.so.20 in the same incident with the newer protobuf not solve that soname issue?
Comment 7 Marcus Meissner 2022-09-29 14:57:04 UTC
yes something like this.

And we would still need to support both packages for now.

You always need to think about third-party packages. We can recompile our own packages, but third-party apps might link against and use libprotobuf.so.20 and never get updated, but still expect security fixes.


So, unrelated to the evaluation, I would suggest getting it into SLES 15 SP5 so we do have a newer version there.
Comment 10 Max Lin 2022-10-20 05:48:37 UTC
Submitted MR#282811
Comment 14 Swamp Workflow Management 2022-11-09 11:23:40 UTC
SUSE-SU-2022:3922-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1194530,1203681,1204256
CVE References: CVE-2021-22569,CVE-2022-1941,CVE-2022-3171
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    protobuf-3.9.2-150200.4.19.2
openSUSE Leap 15.4 (src):    protobuf-3.9.2-150200.4.19.2
openSUSE Leap 15.3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Manager Server 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Manager Retail Branch Server 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Manager Proxy 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Server 15-SP2-BCL (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Micro 5.3 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Micro 5.2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Micro 5.1 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise Installer 15-SP2 (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    protobuf-3.9.2-150200.4.19.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    protobuf-3.9.2-150200.4.19.2
SUSE Enterprise Storage 7 (src):    protobuf-3.9.2-150200.4.19.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Chao Xiong 2022-11-10 02:54:43 UTC
*** Bug 1205141 has been marked as a duplicate of this bug. ***
Comment 16 Max Lin 2022-11-18 09:26:32 UTC
*** Bug 1204630 has been marked as a duplicate of this bug. ***
Comment 17 Max Lin 2022-11-18 09:33:52 UTC
The resubmitted SR#283063 got accepted, and the incident has been released. This vulnerability is fixed in protobuf 3.9 for SP2 and later versions of SLE. Reassigning back to the security team for verification.

For the record: protobuf 3.5.0 in SUSE:SLE-15:Update doesn't have the relevant code for patching; some files don't even exist in 3.5.0 per the fix commit. The vulnerability should exist after upstream refactored protobuf, above protobuf 3.5.