Bugzilla – Bug 1200908
VUL-0: CVE-2022-33070: protobuf-c: invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c
Last modified: 2022-08-09 07:38:49 UTC
Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the
function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability
allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
The following codestreams are affected:
openSUSE Factory is not affected anymore since it contains the fixed version 1.4.1.
For SLE15 I prepared updates at https://build.suse.de/project/show/home:mvetter:branches:OBS_Maintained:protobuf-c which still need testing.
Most of the code that is affected was introduced in newer versions than we have in SLE.
There is a small section of code related to pack_int32() that exists in SLE.
In this case, the use of right shift, it doesn't matter whether it is sign extending or not, as the loading function will restore all the bits correctly. There is no assumption in this code about whether the number is sign extended.
For possible interop issues, this section can be patched, but it's not a CVE but a regular bug (like 822 in patch).
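To make the pack_int32() / sign-extension point concrete, the following is an added C example (not code from this bug report and not protobuf-c's own implementation). It encodes an int32 as a protobuf varint two ways: the canonical form, which sign-extends negative values to 64 bits (10 bytes on the wire), and a hypothetical non-sign-extending variant that only zero-extends the 32-bit pattern (5 bytes). A decoder that keeps the low 32 bits recovers the same value from either form, while the wire bytes differ, which is the interop rather than memory-safety distinction drawn above. The function names are assumptions for this example; the decoder also bounds its shift so that malformed input can never produce an invalid shift.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emit an unsigned 64-bit value as a base-128 varint (at most 10 bytes).
 * Shared helper for the two int32 encoders below. */
static size_t varint_encode_u64(uint64_t v, uint8_t out[10]) {
    size_t n = 0;
    while (v >= 0x80) {
        out[n++] = (uint8_t)(v | 0x80);
        v >>= 7;
    }
    out[n++] = (uint8_t)v;
    return n;
}

/* Canonical protobuf int32 encoding: the value is sign-extended to 64 bits,
 * so a negative int32 always becomes a 10-byte varint. (Hypothetical name.) */
size_t int32_pack_canonical(int32_t value, uint8_t out[10]) {
    return varint_encode_u64((uint64_t)(int64_t)value, out);
}

/* Hypothetical encoder that does NOT sign-extend: the 32-bit pattern is
 * zero-extended, so a negative int32 becomes a 5-byte varint. This models
 * what a non-sign-extending right shift would put on the wire. */
size_t int32_pack_zero_extended(int32_t value, uint8_t out[10]) {
    return varint_encode_u64((uint64_t)(uint32_t)value, out);
}

/* Decode a varint into a 64-bit value. The shift amount is bounded by the
 * loop limit (7 * 9 = 63), so malformed or over-long input can never cause
 * an invalid shift; bits of the tenth byte above bit 63 are discarded.
 * Returns bytes consumed, or 0 if the input is truncated or longer than 10 bytes. */
size_t varint_decode_u64(const uint8_t *in, size_t len, uint64_t *out) {
    uint64_t v = 0;
    for (size_t i = 0; i < len && i < 10; i++) {
        v |= (uint64_t)(in[i] & 0x7f) << (7 * i);
        if ((in[i] & 0x80) == 0) {
            *out = v;
            return i + 1;
        }
    }
    return 0;
}

/* The "loading function": keep the low 32 bits regardless of what the
 * encoder put above them, then reinterpret the bit pattern as int32. */
bool int32_unpack(const uint8_t *in, size_t len, int32_t *out, size_t *consumed) {
    uint64_t v;
    size_t n = varint_decode_u64(in, len, &v);
    if (n == 0) return false;
    uint32_t low = (uint32_t)(v & 0xffffffffu);
    memcpy(out, &low, sizeof *out);
    *consumed = n;
    return true;
}

/* True if both encodings of `value` decode back to `value`. */
bool roundtrips_both_ways(int32_t value) {
    uint8_t a[10], b[10];
    size_t la = int32_pack_canonical(value, a);
    size_t lb = int32_pack_zero_extended(value, b);
    int32_t da, db;
    size_t ca, cb;
    return int32_unpack(a, la, &da, &ca) && int32_unpack(b, lb, &db, &cb)
        && ca == la && cb == lb && da == value && db == value;
}

/* True if both encoders produce byte-identical output (the interop question). */
bool wire_bytes_equal(int32_t value) {
    uint8_t a[10], b[10];
    size_t la = int32_pack_canonical(value, a);
    size_t lb = int32_pack_zero_extended(value, b);
    return la == lb && memcmp(a, b, la) == 0;
}

int main(void) {
    /* Constructed sample values: a small positive, -1, and the most negative int32. */
    int32_t samples[] = { 300, -1, INT32_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t a[10], b[10];
        size_t la = int32_pack_canonical(samples[i], a);
        size_t lb = int32_pack_zero_extended(samples[i], b);
        printf("%11d: canonical %zu bytes, zero-extended %zu bytes, decodes ok=%d, same bytes=%d\n",
               samples[i], la, lb, roundtrips_both_ways(samples[i]), wire_bytes_equal(samples[i]));
    }
    return 0;
}
```

For non-negative values both encoders agree byte for byte; for negative values the decoded int32 is identical but the canonical form is 10 bytes and the zero-extended form is 5, so a peer that compares serialized bytes or insists on the canonical length would notice the difference even though no value is corrupted.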