Bug 1200908 - (CVE-2022-33070) VUL-0: CVE-2022-33070: protobuf-c: invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other Other
Priority: P3 - Medium
Severity: Major
Assigned To: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/335417/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-33070:7.3:(AV:...
Reported: 2022-06-24 09:07 UTC by Thomas Leroy
Modified: 2022-08-09 07:38 UTC
Found By: Security Response Team

Description Thomas Leroy 2022-06-24 09:07:43 UTC
CVE-2022-33070

Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the
function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability
allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33070
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33070
https://github.com/protobuf-c/protobuf-c/pull/508
https://github.com/protobuf-c/protobuf-c/issues/506
Comment 1 Thomas Leroy 2022-06-24 09:09:00 UTC
The following codestreams are affected:
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update
- openSUSE:Factory
Comment 3 Michael Vetter 2022-08-08 12:37:08 UTC
openSUSE Factory is not affected anymore since it contains the fixed version 1.4.1.

For SLE15 I prepared updates at https://build.suse.de/project/show/home:mvetter:branches:OBS_Maintained:protobuf-c which still need testing.
Comment 4 Adam Majer 2022-08-08 20:31:30 UTC
Most of the code that is affected was introduced in newer versions than we have in SLE.

There is a small section of code related to pack_int32() that exists in SLE,

https://github.com/protobuf-c/protobuf-c/pull/508/files#diff-ec49d7823ada420c8af76baa77438e5304515c031911fe8faefce469e136c033L816-L826

In this case, the use of a right shift, it doesn't matter whether it is sign-extending or not, as the loading function will restore all the bits correctly. There is no assumption in this code about whether the number is sign-extended.

For possible interop issues, this section can be patched, but it's not a CVE but a regular bug (like 822 in the patch).
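To make the point in the comment above concrete, here is an added illustration written for this page; it is neither protobuf-c's code nor part of the bug report, and all function names are its own. The byte layout follows the protobuf wire format, in which a negative int32 is sign-extended to 64 bits and written as a 10-byte varint. Variant A shifts the signed value (implementation-defined in C; gcc and clang produce an arithmetic shift, which is what the example assumes), variant B shifts the unsigned reinterpretation (a logical shift), and variant C builds the canonical encoding without shifting a negative value at all. A reader that keeps the low 32 bits recovers the original int32 from every variant, which is why the shift type is not a memory-safety or correctness problem for int32 fields; the encoded bytes nonetheless differ for variant B, and a reader that treats the field as int64 gets a different number, which is the interop concern. The sample values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration (not protobuf-c's code). Layout follows the protobuf
 * wire format: a negative int32 is sign-extended to 64 bits and written as
 * a 10-byte varint. Function names are this example's own. */

/* Generic base-128 varint encoder: returns the number of bytes written. */
static size_t varint64_pack(uint64_t v, uint8_t *out)
{
    size_t n = 0;
    do {
        uint8_t b = (uint8_t)(v & 0x7f);
        v >>= 7;
        out[n++] = v ? (uint8_t)(b | 0x80) : b;
    } while (v);
    return n;
}

/* Generic varint decoder: returns bytes consumed, 0 if truncated/overlong. */
static size_t varint64_parse(const uint8_t *in, size_t len, uint64_t *out)
{
    uint64_t v = 0;
    for (size_t i = 0; i < len && i < 10; i++) {
        v |= (uint64_t)(in[i] & 0x7f) << (7 * i);
        if (!(in[i] & 0x80)) {
            *out = v;
            return i + 1;
        }
    }
    return 0;
}

/* Variant A: shift the signed value. For a negative int32, >> is
 * implementation-defined; gcc/clang sign-extend (arithmetic shift), which
 * this example assumes, so bits 32-34 of the encoding copy the sign bit. */
size_t int32_pack_signed_shift(int32_t value, uint8_t *out)
{
    if (value >= 0)
        return varint64_pack((uint64_t)value, out);
    out[0] = (uint8_t)(value | 0x80);
    out[1] = (uint8_t)((value >> 7) | 0x80);
    out[2] = (uint8_t)((value >> 14) | 0x80);
    out[3] = (uint8_t)((value >> 21) | 0x80);
    out[4] = (uint8_t)((value >> 28) | 0x80);
    out[5] = out[6] = out[7] = out[8] = 0xff;
    out[9] = 0x01;
    return 10;
}

/* Variant B: same layout, but a logical shift of the unsigned
 * reinterpretation. Bits 32-34 of the encoding are now zero. */
size_t int32_pack_unsigned_shift(int32_t value, uint8_t *out)
{
    uint32_t u = (uint32_t)value;
    if (value >= 0)
        return varint64_pack(u, out);
    out[0] = (uint8_t)(u | 0x80);
    out[1] = (uint8_t)((u >> 7) | 0x80);
    out[2] = (uint8_t)((u >> 14) | 0x80);
    out[3] = (uint8_t)((u >> 21) | 0x80);
    out[4] = (uint8_t)((u >> 28) | 0x80);
    out[5] = out[6] = out[7] = out[8] = 0xff;
    out[9] = 0x01;
    return 10;
}

/* Variant C: sign-extend to 64 bits first, then pack. Well defined. */
size_t int32_pack_canonical(int32_t value, uint8_t *out)
{
    return varint64_pack((uint64_t)(int64_t)value, out);
}

/* Pack, parse, and read back the way an int32 field reader does (keep the
 * low 32 bits). Returns 1 if the original value survives. */
int roundtrips_as_int32(size_t (*pack)(int32_t, uint8_t *), int32_t value)
{
    uint8_t buf[10];
    uint64_t v = 0;
    size_t n = pack(value, buf);
    return varint64_parse(buf, n, &v) == n && (int32_t)(uint32_t)v == value;
}

/* Pack, parse, and read back the way an int64 field reader does. */
int64_t read_as_int64(size_t (*pack)(int32_t, uint8_t *), int32_t value)
{
    uint8_t buf[10];
    uint64_t v = 0;
    varint64_parse(buf, pack(value, buf), &v);
    return (int64_t)v;
}

/* 1 if the packer's bytes equal the canonical sign-extended encoding. */
int matches_canonical(size_t (*pack)(int32_t, uint8_t *), int32_t value)
{
    uint8_t x[10], c[10];
    size_t nx = pack(value, x), nc = int32_pack_canonical(value, c);
    return nx == nc && memcmp(x, c, nc) == 0;
}

int main(void)
{
    uint8_t a[10], b[10];          /* constructed sample: value -1 */
    size_t na = int32_pack_signed_shift(-1, a), nb = int32_pack_unsigned_shift(-1, b);
    printf("signed shift:  "); for (size_t i = 0; i < na; i++) printf("%02x ", a[i]);
    printf("\nunsigned shift: "); for (size_t i = 0; i < nb; i++) printf("%02x ", b[i]);
    printf("\nas int64: %lld vs %lld\n", (long long)read_as_int64(int32_pack_signed_shift, -1),
           (long long)read_as_int64(int32_pack_unsigned_shift, -1));
    return 0;
}
```

The only byte that differs between the two shift variants is out[4], whose upper three payload bits carry bits 32-34 of the 64-bit value; an int32 reader discards them, an int64 reader does not. That is also why the canonical variant is the one to prefer when patching: it never shifts a negative operand, so it is both well defined and byte-for-byte compatible with other protobuf implementations.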