[USN-5769-1] protobuf vulnerabilities

Fabian Toepfer fabian.toepfer at canonical.com
Thu Dec 8 19:28:18 UTC 2022


==========================================================================
Ubuntu Security Notice USN-5769-1
December 08, 2022

protobuf vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in protobuf.

Software Description:
- protobuf: protocol buffers C++ library (development files)

Details:

It was discovered that protobuf did not properly manage memory when 
serializing
large messages. An attacker could possibly use this issue to cause 
applications
using protobuf to crash, resulting in a denial of service, or possibly 
execute
arbitrary code. (CVE-2015-5237)

It was discovered that protobuf did not properly manage memory when parsing
specifically crafted messages. An attacker could possibly use this issue to
cause applications using protobuf to crash, resulting in a denial of 
service.
(CVE-2022-1941)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
   libprotobuf-lite9v5             2.6.1-1.3ubuntu0.1~esm2
   libprotobuf9v5                  2.6.1-1.3ubuntu0.1~esm2
   libprotoc9v5                    2.6.1-1.3ubuntu0.1~esm2
   protobuf-compiler               2.6.1-1.3ubuntu0.1~esm2
   python-protobuf                 2.6.1-1.3ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-5769-1
   CVE-2015-5237, CVE-2022-1941




More information about the ubuntu-security-announce mailing list