OOM vulnerability in protobuf 2.0.6: RUSTSEC-2019-0003 #7760
Comments
This is a cherry-pick of 66a22c8 against the v2.0 branch that omits the protobuf-fuzz changes since protobuf-fuzz doesn't exist on the v2.0 branch. Part of fixing pantsbuild/pants#7760.
The plan is to:
Thank you for investigating! Given that we never open a receiving socket with protobuf, I wonder if a shorter path for this case might be to contribute a |
Agreed on adding
FWICT the affected stream read function is also used on the client side to decode messages. In our generated bazel_protos code in particular I find 67 uses of
And here e8ebb8802926539c97335861856847d7f3e9b851 is v2.0.6 which we use:
The |
We have a fix in-flight in pantsbuild/rust-protobuf#2 that will still need this `--ignore` even when we're consuming it. Adding the `--ignore` now silences nightly CRON audit noise in the meantime and going forward until we can upgrade to a public official release of protobuf with the `RUSTSEC-2019-0003` fix. Part of fixing pantsbuild#7760
Awesome! |
This is a cherry-pick of 66a22c8 against the v2.0.4 tag that omits the protobuf-fuzz changes since protobuf-fuzz doesn't exist in v2.0.4. Part of fixing pantsbuild/pants#7760.
A crates index patch was needed here to ensure both our crates and transitive dependent crates saw the same rust-protobuf. Without this we hit many errors like:

```
   Compiling bazel_protos v0.0.1 (/home/jsirois/dev/pantsbuild/jsirois-pants/src/rust/engine/process_execution/bazel_protos)
error[E0277]: the trait bound `gen::bytestream::ReadRequest: protobuf::core::Message` is not satisfied
  --> process_execution/bazel_protos/src/gen/bytestream_grpc.rs:23:42
   |
23 |             req_mar: ::grpcio::Marshaller { ser: ::grpcio::pb_ser, de: ::grpcio::pb_de },
   |                                          ^^^^^^^^^^^^^^^^ the trait `protobuf::core::Message` is not implemented for `gen::bytestream::ReadRequest`
   |
   = note: required by `grpcio::codec::pb_codec::ser`
```

Fixes pantsbuild#7760
Nightly CRON picked this up:
The vulnerability is here: https://github.com/RustSec/advisory-db/blob/0854d2baeea4ccbe3cb5189f6633d98fa773b388/crates/protobuf/RUSTSEC-2019-0003.toml#L1-L15
The fix is pointed to by stepancheg/rust-protobuf#411 and contained in stepancheg/rust-protobuf@66a22c8 which will eventually release with protobuf 3.0.0.
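The bug class the advisory describes, as an added example that is not code from rust-protobuf, pants or this thread: a length-prefixed field whose untrusted length is used to size a buffer before the bytes have arrived, next to a chunked reader that bounds how far allocation may run ahead of the input actually received. All names (`read_varint`, `read_bytes_trusting_length`, `read_bytes_bounded`, `MAX_CHUNK`) and the 64 KiB chunk size are this example's own choices; the chunked approach is one mitigation for the stream case and is not claimed to be what 66a22c8 does.

```rust
// Added example (not rust-protobuf or pants code). Shows the allocation
// pattern behind RUSTSEC-2019-0003 and a bounded alternative.
use std::convert::TryFrom;
use std::io::{self, Cursor, Read};

/// How far the bounded reader lets the buffer grow ahead of bytes that have
/// really arrived. Value chosen for this example.
const MAX_CHUNK: usize = 64 * 1024;

/// Encode `v` as a protobuf base-128 varint.
fn write_varint(mut v: u64, out: &mut Vec<u8>) {
    loop {
        let b = (v & 0x7f) as u8;
        v >>= 7;
        if v == 0 {
            out.push(b);
            return;
        }
        out.push(b | 0x80);
    }
}

/// Decode a base-128 varint; errors on EOF or on an over-long encoding.
fn read_varint<R: Read>(r: &mut R) -> io::Result<u64> {
    let mut result: u64 = 0;
    let mut shift: u32 = 0;
    loop {
        let mut byte = [0u8; 1];
        r.read_exact(&mut byte)?;
        result |= u64::from(byte[0] & 0x7f) << shift;
        if byte[0] & 0x80 == 0 {
            return Ok(result);
        }
        shift += 7;
        if shift >= 64 {
            return Err(io::Error::new(io::ErrorKind::InvalidData, "varint too long"));
        }
    }
}

/// Vulnerable shape: the peer-supplied length sizes the buffer up front, so a
/// message that claims a huge length and then stops has already forced the
/// allocation. Only appropriate for input whose size is already trusted.
fn read_bytes_trusting_length<R: Read>(r: &mut R) -> io::Result<Vec<u8>> {
    let len = read_varint(r)?;
    let len = usize::try_from(len)
        .map_err(|_| io::Error::new(io::ErrorKind::InvalidData, "length overflow"))?;
    let mut buf = vec![0u8; len]; // allocation sized entirely by the peer
    r.read_exact(&mut buf)?;
    Ok(buf)
}

/// Hardened shape: grow the buffer at most MAX_CHUNK ahead of the bytes that
/// have actually been read. A bogus length now fails with UnexpectedEof after
/// at most one chunk of allocation instead of exhausting memory.
fn read_bytes_bounded<R: Read>(r: &mut R) -> io::Result<Vec<u8>> {
    let len = read_varint(r)?;
    let mut remaining = usize::try_from(len)
        .map_err(|_| io::Error::new(io::ErrorKind::InvalidData, "length overflow"))?;
    let mut buf = Vec::new();
    while remaining > 0 {
        let chunk = remaining.min(MAX_CHUNK);
        let start = buf.len();
        buf.resize(start + chunk, 0);
        r.read_exact(&mut buf[start..])?; // fails here if the input is short
        remaining -= chunk;
    }
    Ok(buf)
}

/// Constructed well-formed message: length prefix followed by `payload`.
fn length_prefixed(payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::new();
    write_varint(payload.len() as u64, &mut out);
    out.extend_from_slice(payload);
    out
}

/// Constructed malformed message: claims a 1 TiB payload, then ends.
fn bogus_length_message() -> Vec<u8> {
    let mut out = Vec::new();
    write_varint(1 << 40, &mut out);
    out
}

fn main() {
    let good = length_prefixed(b"hello");
    println!("bounded, good input: {:?}", read_bytes_bounded(&mut Cursor::new(&good)).unwrap());
    let bad = bogus_length_message();
    println!(
        "bounded, bogus length: {:?}",
        read_bytes_bounded(&mut Cursor::new(&bad)).map_err(|e| e.kind())
    );
}
```

The in-memory case (a message already held in a slice) has a simpler check, comparing the claimed length against the bytes left in the slice before allocating; the chunked loop is what covers a socket or pipe, where the total size is not known ahead of time.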