Source: nanopb
Version: 0.4.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.4.7-2

Hi,

The following vulnerability was published for nanopb.

CVE-2024-53984[0]:
| Nanopb is a small code-size Protocol Buffers implementation.  When
| the compile time option PB_ENABLE_MALLOC is enabled, the message
| contains at least one field with FT_POINTER field type, custom
| stream callback is used with unknown stream length, and the
| pb_decode_ex() function is used with flag PB_DECODE_DELIMITED, then
| the pb_decode_ex() function does not automatically call
| pb_release(), like is done for other failure cases. This could lead
| to memory leak and potential denial-of-service. This vulnerability
| is fixed in 0.4.9.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-53984
    https://www.cve.org/CVERecord?id=CVE-2024-53984
[1] https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r
[2] https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378

Regards,
Salvatore
