
CVE-2015-5237

Published: 25 September 2017

protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.

Notes

Author       Note
seth-arnold  since the message parsing limit defaults to 64 megabytes a software author would have to change the limit in order to handle larger messages anyway, and is thus unlikely to generate these messages in the short-term. (There is no actual limit on generation, so this might be an issue today -- it is just not a priority for the maintainer.)
mdeslaur     per upstream bug, this was fixed in 3.4.0

Priority

Low

CVSS 3 base score: 8.8

Status

Package Release Status

Package: protobuf (Launchpad, Ubuntu, Debian)

Release   Status
artful    Ignored (reached end-of-life)
bionic    Needed
cosmic    Ignored (reached end-of-life)
disco     Ignored (reached end-of-life)
eoan      Ignored (reached end-of-life)
focal     Not vulnerable (3.6.1.3-2ubuntu5)
groovy    Ignored (reached end-of-life)
hirsute   Ignored (reached end-of-life)
impish    Not vulnerable (3.12.4-1ubuntu3)
jammy     Not vulnerable (3.12.4-1ubuntu5)
kinetic   Not vulnerable (3.12.4-1ubuntu5)
precise   Does not exist (precise was deferred [2015-08-27])
trusty    Needed
upstream  Released (3.4.0)
vivid     Ignored (reached end-of-life)
wily      Ignored (reached end-of-life)
xenial    Released (2.6.1-1.3ubuntu0.1~esm2)
yakkety   Ignored (reached end-of-life)
zesty     Ignored (reached end-of-life)