Skip to content

Protobuf DoS#2169

Merged
tarcieri merged 4 commits intorustsec:mainfrom
trail-of-forks:dm/advisory
Mar 7, 2025
Merged

Protobuf DoS#2169
tarcieri merged 4 commits intorustsec:mainfrom
trail-of-forks:dm/advisory

Conversation

@DarkaMaul
Copy link
Contributor

@DarkaMaul DarkaMaul commented Dec 12, 2024

This (public) advisory follows two emails sent on August 9 and October 3rd.

The crate is affected by the same vulnerability as described in GHSA-735f-pc8j-v9w8

@jayvdb
Copy link
Contributor

jayvdb commented Dec 12, 2024

ping @stepancheg

@jayvdb jayvdb mentioned this pull request Dec 12, 2024
Merged
woodruffw
woodruffw reviewed Dec 12, 2024
View reviewed changes
@DarkaMaul @woodruffw
Update crates/protobuf/RUSTSEC-0000-0000.md
c41686a 
Co-authored-by: William Woodruff <william@yossarian.net>
@tnull
Copy link

tnull commented Dec 13, 2024
edited
Loading

The crate is affected by the same vulnerability as described in GHSA-735f-pc8j-v9w8

Given that this affects multiple implementations across different languages, do we know whether other Rust protobuf implementations such as prost might also be affected?

@DarkaMaul
Copy link
Contributor Author

DarkaMaul commented Dec 13, 2024

The crate is affected by the same vulnerability as described in GHSA-735f-pc8j-v9w8

Given that this affects multiple implementations across different languages, do we know whether other Rust protobuf implementations such as prost might also be affected?

From my understanding, prost is not affected by the same issue:

@tnull
Copy link

tnull commented Dec 13, 2024
edited
Loading

From my understanding, prost is not affected by the same issue:

  • it does not support unknown fields
  • it performs a recursion depth limit check when parsing unknown fields

That makes sense. Thank you for clarifying!

@G8XSU G8XSU mentioned this pull request Dec 13, 2024
Merged
@tarcieri
Copy link
Member

tarcieri commented Mar 7, 2025

The crate is affected by the same vulnerability as described in GHSA-735f-pc8j-v9w8

@DarkaMaul sorry for the belated review, can you add an alias for this?

@woodruffw
Copy link
Contributor

woodruffw commented Mar 7, 2025

The crate is affected by the same vulnerability as described in GHSA-735f-pc8j-v9w8

@DarkaMaul sorry for the belated review, can you add an alias for this?

Just to clarify, you mean an aliases = [] entry, right?

I'll let @DarkaMaul opine as well, but IMO it might not be an appropriate alias in this case -- the GHSA is for the same class of vulnerability, but for a completely different actual vulnerability (that one is Java only).

(OTOH, maybe this makes sense in the related = [] set?)

@tarcieri
Copy link
Member

tarcieri commented Mar 7, 2025

@woodruffw yeah, related sounds good

tarcieri
tarcieri reviewed Mar 7, 2025
View reviewed changes
@woodruffw @tarcieri
Update crates/protobuf/RUSTSEC-0000-0000.md
da7ebd9 
Co-authored-by: Tony Arcieri <bascule@gmail.com>
@tarcieri tarcieri merged commit e6a1b2a into rustsec:main Mar 7, 2025
1 check passed
@woodruffw woodruffw deleted the dm/advisory branch March 7, 2025 17:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tarcieri tarcieri tarcieri left review comments

+1 more reviewer

@woodruffw woodruffw woodruffw left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@DarkaMaul @jayvdb @tnull @tarcieri @woodruffw