From e8ea467301d3b05781b9c49a75c68b93d10fc479 Mon Sep 17 00:00:00 2001
From: Alexis
Date: Thu, 12 Dec 2024 15:32:57 +0100
Subject: [PATCH 1/3] Add protobuf issue
---
crates/protobuf/RUSTSEC-0000-0000.md | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 crates/protobuf/RUSTSEC-0000-0000.md
diff --git a/crates/protobuf/RUSTSEC-0000-0000.md b/crates/protobuf/RUSTSEC-0000-0000.md
new file mode 100644
index 000000000..1e749a493
--- /dev/null
+++ b/crates/protobuf/RUSTSEC-0000-0000.md
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "protobuf"
+date = "2024-12-12"
+url = "https://github.com/stepancheg/rust-protobuf/issues/749"
+categories = ["denial-of-service"]
+keywords = ["panic"]
+informational = "unmaintained"
+
+[affected]
+functions = { "protobuf::coded_input_stream::CodedInputStream::skip_group" = ["<= 3.4.0"] }
+```
+
+# RustSec Advisory Template - Advisory Title Goes Here
+
+Affected version of this crate did not properly parse unknown fields when parsing a user-supplied input.
+
+This allows an attacker to cause a stack overflow when parsing the mssage on untrusted data.
From 34c6bb163a18a846e289819987a8a2dca0984a73 Mon Sep 17 00:00:00 2001
From: Alexis
Date: Thu, 12 Dec 2024 15:56:48 +0100
Subject: [PATCH 2/3] Add missing field
---
crates/protobuf/RUSTSEC-0000-0000.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crates/protobuf/RUSTSEC-0000-0000.md b/crates/protobuf/RUSTSEC-0000-0000.md
index 1e749a493..c2adb285f 100644
--- a/crates/protobuf/RUSTSEC-0000-0000.md
+++ b/crates/protobuf/RUSTSEC-0000-0000.md
@@ -8,6 +8,9 @@ categories = ["denial-of-service"]
 keywords = ["panic"]
 informational = "unmaintained"
 
+[versions]
+patched = []
+
 [affected]
 functions = { "protobuf::coded_input_stream::CodedInputStream::skip_group" = ["<= 3.4.0"] }
 ```
From c41686aab3930e3d080e20dd16544b2d505699d7 Mon Sep 17 00:00:00 2001
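Review bot: `informational = "unmaintained"` in the `[advisory]` table does not match the rest of this new entry: `categories = ["denial-of-service"]` and the body describe a stack overflow triggered by untrusted input, which is a vulnerability rather than a maintenance notice, and advisory consumers generally surface informational entries as warnings instead of vulnerabilities, so the issue would be under-reported as written. Drop the `informational` line unless the crate really is unmaintained, in which case that would normally be recorded in its own unmaintained advisory rather than on this one. Two wording fixes in the body: `Affected version of this crate` should read `Affected versions of this crate`, and `mssage` should read `message`.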
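Review bot: `patched = []` in the new `[versions]` table states that no release fixes the issue, yet the `[affected] functions` entry two lines below limits the vulnerable range to `<= 3.4.0`, which implies later releases are not affected; the two statements cannot both be true. If a fixing release exists, record it as `patched = [">= FIXED_VERSION"]` (placeholder) and keep the function range consistent with it; if none exists yet, `patched = []` is correct and the `<= 3.4.0` bound should be widened to cover current releases. As far as I know the `[versions]` table is what advisory tooling matches a lockfile against, so the per-function range alone will not make the entry fire correctly.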
From: dm
Date: Fri, 13 Dec 2024 09:45:16 +0100
Subject: [PATCH 3/3] Update crates/protobuf/RUSTSEC-0000-0000.md
Co-authored-by: William Woodruff
---
crates/protobuf/RUSTSEC-0000-0000.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crates/protobuf/RUSTSEC-0000-0000.md b/crates/protobuf/RUSTSEC-0000-0000.md
index c2adb285f..2f5711962 100644
--- a/crates/protobuf/RUSTSEC-0000-0000.md
+++ b/crates/protobuf/RUSTSEC-0000-0000.md
@@ -15,7 +15,7 @@ patched = []
 functions = { "protobuf::coded_input_stream::CodedInputStream::skip_group" = ["<= 3.4.0"] }
 ```
 
-# RustSec Advisory Template - Advisory Title Goes Here
+# Crash due to uncontrolled recursion in protobuf crate
 
 Affected version of this crate did not properly parse unknown fields when parsing a user-supplied input.