CVE-2022-33070

Published: 23 June 2022

Protobuf-c v1.4.0 was discovered to contain an invalid arithmetic shift via the function parse_tag_and_wiretype in protobuf-c/protobuf-c.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Notes

Author	Note
mdeslaur	pidgin in precise+ uses embedded libgadu
alexmurray	The various Ubuntu source packages listed against this CVE all contain an embedded copy of protobuf-c but they still needed to be triaged to determine if they actually use their own embedded copy or whether they link against the system libprotobuf-c
mdeslaur	in sudo, only used by sudo_logsrvd, setting priority to low
eslerm	sudo is patched and they sent PR to protobuf-c upstream

Priority

Cvss 3 Severity Score

5.5

Score breakdown

Status

Package	Release	Status
argyll Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	upstream	Needs triage
ccextractor Launchpad, Ubuntu, Debian	focal	Needs triage
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Does not exist
	lunar	Does not exist
	upstream	Needs triage
libgadu Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
libpg-query Launchpad, Ubuntu, Debian	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	upstream	Needs triage
libsignal-protocol-c Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	upstream	Needs triage
ocserv Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	upstream	Needs triage
pidgin Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Needs triage
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Needs triage
	upstream	Needs triage
	xenial	Needs triage
protobuf-c Launchpad, Ubuntu, Debian	bionic	Needs triage
	focal	Released (1.3.3-1ubuntu0.1)
	impish	Ignored (reached end-of-life)
	jammy	Released (1.3.3-1ubuntu2.1)
	kinetic	Released (1.4.1-1ubuntu1)
	lunar	Released (1.4.1-1ubuntu1)
	upstream	Needs triage
sudo Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	focal	Not vulnerable (1.8.31-1ubuntu1.2)
	impish	Ignored (reached end-of-life)
	jammy	Released (1.9.9-1ubuntu2.2)
	kinetic	Not vulnerable (1.9.11p3-1ubuntu1)
	lunar	Not vulnerable (1.9.11p3-1ubuntu2)
	upstream	Needs triage
	Patches: upstream: https://www.sudo.ws/repos/sudo/rev/e25aa8e9891a

Severity score breakdown

Parameter	Value
Base score	5.5
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

Bugs

https://github.com/protobuf-c/protobuf-c/issues/506

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›