CVE-2022-33070

Published: 23 June 2022

Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Notes

Author: Note
mdeslaur: pidgin in precise+ uses embedded libgadu
amurray: The various Ubuntu source packages listed against this CVE all contain an embedded copy of protobuf-c but they still needed to be triaged to determine if they actually use their own embedded copy or whether they link against the system libprotobuf-c
mdeslaur: in sudo, only used by sudo_logsrvd, setting priority to low
eslerm: sudo is patched and they sent PR to protobuf-c upstream

Priority

Medium

CVSS 3 base score: 5.5

Status

Package Release Status
argyll
bionic: Needs triage
focal: Needs triage
impish: Ignored (reached end-of-life)
jammy: Needs triage
upstream: Needs triage

ccextractor
focal: Needs triage
impish: Ignored (reached end-of-life)
jammy: Needs triage
upstream: Needs triage

libgadu
bionic: Needs triage
focal: Needs triage
impish: Ignored (reached end-of-life)
jammy: Needs triage
trusty: Does not exist
upstream: Needs triage
xenial: Ignored (end of standard support)

libpg-query
jammy: Needs triage
upstream: Needs triage

libsignal-protocol-c
bionic: Needs triage
focal: Needs triage
impish: Ignored (reached end-of-life)
jammy: Needs triage
upstream: Needs triage

ocserv
bionic: Needs triage
focal: Needs triage
impish: Ignored (reached end-of-life)
jammy: Needs triage
upstream: Needs triage

pidgin
bionic: Needs triage
focal: Needs triage
impish: Ignored (reached end-of-life)
jammy: Needs triage
trusty: Needs triage
upstream: Needs triage
xenial: Ignored (end of standard support)

protobuf-c
bionic: Needs triage
focal: Released (1.3.3-1ubuntu0.1)
impish: Ignored (reached end-of-life)
jammy: Released (1.3.3-1ubuntu2.1)
trusty: Needs triage
upstream: Needs triage

sudo
bionic: Not vulnerable (code not present)
focal: Needs triage
impish: Ignored (reached end-of-life)
jammy: Needs triage
trusty: Not vulnerable (code not present)
upstream: Needs triage
xenial: Not vulnerable (code not present)