USN-5769-1: protobuf vulnerabilities
8 December 2022
Several security issues were fixed in protobuf.
Releases
Packages
- protobuf - protocol buffers C++ library (development files)
Details
It was discovered that protobuf did not properly manage memory when serializing
large messages. An attacker could possibly use this issue to cause applications
using protobuf to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2015-5237)
It was discovered that protobuf did not properly manage memory when parsing
specifically crafted messages. An attacker could possibly use this issue to
cause applications using protobuf to crash, resulting in a denial of service.
(CVE-2022-1941)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04
-
libprotoc9v5
-
2.6.1-1.3ubuntu0.1~esm2
Available with Ubuntu Pro
-
libprotobuf-lite9v5
-
2.6.1-1.3ubuntu0.1~esm2
Available with Ubuntu Pro
-
python-protobuf
-
2.6.1-1.3ubuntu0.1~esm2
Available with Ubuntu Pro
-
libprotobuf9v5
-
2.6.1-1.3ubuntu0.1~esm2
Available with Ubuntu Pro
-
protobuf-compiler
-
2.6.1-1.3ubuntu0.1~esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-5945-1: libprotoc17, libprotobuf-lite8, libprotobuf-lite10, libprotoc8, python3-protobuf, libprotobuf-lite17, libprotobuf10, libprotobuf-lite23, libprotoc-dev, libprotobuf8, libprotobuf-java, libprotobuf23, elpa-protobuf-mode, ruby-google-protobuf, protobuf, libprotoc10, libprotoc23, libprotobuf-dev, protobuf-compiler, libprotobuf17, python-protobuf