Bugzilla – Bug 943441
VUL-0: CVE-2015-5237: protobuf: integer overflow in serialization
Last modified: 2015-08-31 13:48:08 UTC
https://github.com/google/protobuf/issues/760

CVE-2015-5237: Integer overflow in serialization #760

int is used to express the size of serialized messages. If the size exceeds 4 GiB, the application may allocate a buffer which is too small, or protobuf itself does this, in google::protobuf::MessageLite::SerializeToString. This leads to a heap buffer overflow, which may be exploitable for code execution in some cases.

It has been suggested that serialization of messages larger than 2 GiB is unsupported. But there is no good way for an application to ensure that the limit is not exceeded accidentally, without imposing rather draconian limits. To some degree, this is a gets-style interface.

Right now, this is more or less harmless because the message sizes involved are substantial. But this will change over time. My worry is that it will be difficult to fix this because some of the overflowing computations end up in generated *.pb.cc files, so the eventual fix will not be a simple library update.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1256426
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5237
bugbot adjusting priority
There is no fix for protobuf. Apps must not feed more than 2G into protobuf according to upstream: https://github.com/google/protobuf/issues/760#issuecomment-135519672
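The description above explains the defect (a 32-bit size total that wraps, so the serializer allocates a buffer smaller than the data it writes) and the last comment gives the only available mitigation (never hand protobuf more than 2G). The following is an added illustration, not code from protobuf or from this bug's participants: it models the per-field size arithmetic of a length-delimited message, shows how a 32-bit total wraps for three 1.5 GiB fields, and shows the pre-serialization guard an application can apply. The field-size model, the names and the 2 GiB cap (kMaxSerializedSize) are this example's own assumptions; the wrap is modelled with uint32_t so that it is well-defined here rather than signed-overflow UB.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Cap enforced before a message reaches the serializer. Upstream says
// messages over 2 GiB are unsupported; this constant is the example's
// own choice, not a protobuf API value.
constexpr uint64_t kMaxSerializedSize = (uint64_t{1} << 31) - 1;

// Encoded length of a base-128 varint holding value v (1..10 bytes).
size_t varint_size(uint64_t v) {
    size_t n = 1;
    while (v >= 0x80) { v >>= 7; ++n; }
    return n;
}

// Naive total: tag (1 byte, assumed) + length varint + payload per field,
// accumulated in 32 bits. Above 4 GiB the total wraps, and a buffer sized
// from this value is too small for the bytes that get written into it.
uint32_t naive_byte_size(const std::vector<uint64_t>& field_lengths) {
    uint32_t total = 0;
    for (uint64_t len : field_lengths) {
        total += static_cast<uint32_t>(1 + varint_size(len) + len);
    }
    return total;
}

struct SizeResult {
    bool ok;         // false: message must be rejected before serializing
    uint64_t bytes;  // valid only when ok is true
};

// Checked total: 64-bit accumulation with an explicit cap, so neither a
// single huge field nor the running sum can exceed kMaxSerializedSize.
SizeResult checked_byte_size(const std::vector<uint64_t>& field_lengths) {
    uint64_t total = 0;
    for (uint64_t len : field_lengths) {
        uint64_t overhead = 1 + varint_size(len);
        if (len > kMaxSerializedSize - overhead) return {false, 0};   // one field alone is over the cap
        uint64_t field = overhead + len;
        if (total > kMaxSerializedSize - field) return {false, 0};    // sum would pass the cap
        total += field;
    }
    return {true, total};
}

int main() {
    // Constructed sample: three fields of 1.5 GiB each (about 4.5 GiB in total).
    const uint64_t gib = uint64_t{1} << 30;
    std::vector<uint64_t> big = {3 * gib / 2, 3 * gib / 2, 3 * gib / 2};
    std::vector<uint64_t> small = {1024};

    std::printf("naive 32-bit size of ~4.5 GiB message: %u bytes\n", naive_byte_size(big));
    SizeResult r = checked_byte_size(big);
    std::printf("checked: %s\n", r.ok ? "ok" : "rejected (over cap)");
    r = checked_byte_size(small);
    std::printf("checked 1 KiB field: ok=%d bytes=%llu\n", r.ok, (unsigned long long)r.bytes);
    return 0;
}
```

In a real application the guard would run on the message's own byte-size computation before calling SerializeToString (or on the input sizes an attacker controls before they are placed into the message), rejecting anything that approaches the cap instead of trusting a size that may already have wrapped.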