Hi Moritz,

On Thu, Mar 16, 2023 at 11:15 PM Moritz Mühlenhoff <[email protected]> wrote:
> On Fri, May 21, 2021 at 09:46:31PM +0200 Moritz Muehlenhoff wrote:
> > CVE-2019-11939:
> > https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
>
> Is this fixed in Bookworm?

I will let the Security Team decide how this should be treated. I will try to describe it in full but briefly.

Thrift was developed by Facebook, open sourced and later donated to the Apache Software Foundation, meaning that it is a real open source project and is not supervised by the company. That is, there are two source trees: one from Facebook itself [1] and the one from the ASF [2]. These diverged, and the vulnerability is found only in the source tree of Facebook [3]: "Golang Facebook Thrift servers would not error [...]".

Sure, with Jaeger Agent [4] a large memory allocation was found in the Golang binding of the Apache source tree. It was filed as THRIFT-5322 [5] and was fixed for 0.14.0 [6]. This vulnerability is referenced with that issue as well. But I think the following issue is more relevant to it, as under other circumstances Jaeger Agent still caused huge allocations, and the fix is more similar to the fix used by Facebook. This issue is filed as THRIFT-5369 [7] and was fixed for 0.14.2 and 0.15.0 [8].

Bookworm has version 0.17.0 of Apache Thrift, so at least the two mentioned memory allocation problems in the Golang bindings are fixed in it. But the referenced CVE is officially not associated with the Apache source tree. I'm looking for advice from the Security Team on how this is considered.
Cheers,
Laszlo/GCS

[1] https://github.com/facebook/fbthrift
[2] https://github.com/apache/thrift
[3] https://nvd.nist.gov/vuln/detail/CVE-2019-11939
[4] https://www.jaegertracing.io/
[5] https://issues.apache.org/jira/browse/THRIFT-5322
[6] https://github.com/apache/thrift/commit/37c2ceb737cb40377346c63a05f407da1c119ba0
[7] https://issues.apache.org/jira/browse/THRIFT-5369
[8] https://github.com/apache/thrift/commit/6583f4e52345c3b05a76f0b188836599628356e8
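The bug class behind the CVE and the two THRIFT issues above is a decoder that sizes a container from an element count taken off the wire before it has seen the elements. The following is an added illustration written for this thread, not code from fbthrift, Apache Thrift or either of the linked fixes; the wire format (a 4-byte big-endian signed count followed by 4-byte int32 elements), the function names and the limit value are all constructed for the example. It places the naive decoder beside one that refuses a declared count larger than the bytes on hand or larger than a configured ceiling, which is the check a reviewer would look for when triaging a report of this kind.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed wire format for this example (deliberately simpler than
// Thrift's binary protocol): a 4-byte big-endian signed element count,
// followed by that many 4-byte big-endian int32 elements.
const (
	headerSize = 4
	elemSize   = 4
)

var (
	ErrShortHeader        = errors.New("payload shorter than header")
	ErrNegativeSize       = errors.New("negative container size")
	ErrShortPayload       = errors.New("payload ends before declared element count")
	ErrSizeExceedsPayload = errors.New("declared container size exceeds remaining payload")
	ErrSizeExceedsLimit   = errors.New("declared container size exceeds configured limit")
)

// readCount parses the declared element count without allocating anything.
func readCount(buf []byte) (int, error) {
	if len(buf) < headerSize {
		return 0, ErrShortHeader
	}
	n := int(int32(binary.BigEndian.Uint32(buf[:headerSize])))
	if n < 0 {
		return 0, ErrNegativeSize
	}
	return n, nil
}

// decodeListNaive is the "before" shape of the bug class: it reserves the
// container from the untrusted count before it has seen a single element.
// A 4-byte header claiming 2^31-1 elements makes it reserve ~8 GiB and only
// then discover the payload is short, so a tiny message costs gigabytes.
func decodeListNaive(buf []byte) ([]int32, error) {
	n, err := readCount(buf)
	if err != nil {
		return nil, err
	}
	out := make([]int32, 0, n) // capacity taken on trust from the wire
	body := buf[headerSize:]
	for i := 0; i < n; i++ {
		if len(body) < elemSize {
			return nil, ErrShortPayload
		}
		out = append(out, int32(binary.BigEndian.Uint32(body[:elemSize])))
		body = body[elemSize:]
	}
	return out, nil
}

// decodeListChecked bounds the allocation by two facts it can verify before
// reserving memory: the declared count cannot exceed what the bytes on hand
// can hold, and it cannot exceed a service-chosen ceiling (maxElems).
func decodeListChecked(buf []byte, maxElems int) ([]int32, error) {
	n, err := readCount(buf)
	if err != nil {
		return nil, err
	}
	body := buf[headerSize:]
	if n > len(body)/elemSize {
		return nil, ErrSizeExceedsPayload
	}
	if n > maxElems {
		return nil, ErrSizeExceedsLimit
	}
	out := make([]int32, 0, n) // provably no larger than the input itself
	for i := 0; i < n; i++ {
		out = append(out, int32(binary.BigEndian.Uint32(body[:elemSize])))
		body = body[elemSize:]
	}
	return out, nil
}

// encodeList builds a message in the constructed format. The declared count
// is a separate argument so a caller can lie about it like a hostile client.
func encodeList(declared int32, elems []int32) []byte {
	buf := make([]byte, headerSize+elemSize*len(elems))
	binary.BigEndian.PutUint32(buf[:headerSize], uint32(declared))
	for i, v := range elems {
		binary.BigEndian.PutUint32(buf[headerSize+i*elemSize:], uint32(v))
	}
	return buf
}

func main() {
	honest := encodeList(3, []int32{1, 2, 3})
	hostile := encodeList(1<<30, []int32{1, 2, 3}) // claims 2^30 elements, carries 12 bytes

	v, err := decodeListChecked(honest, 1024)
	fmt.Println("honest, checked:", v, err)
	_, err = decodeListChecked(hostile, 1024)
	fmt.Println("hostile, checked:", err)
	// decodeListNaive(hostile) would reserve 4 GiB before noticing the lie;
	// it is left uncalled here on purpose.
}
```

The "remaining payload" comparison is only available when the whole message is already buffered; a decoder that streams from a transport, as Thrift does, cannot know the remaining length up front and has to rely on the configured ceiling or on growing the container incrementally as elements actually arrive. The linked fixes should be read for how the two projects chose to do that; the check above is the general shape, not their code.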

