Hi

I have prepared a patch for CVE-2021-3121 described in:
https://security-tracker.debian.org/tracker/CVE-2021-3121

You can find the patch here:
http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch

The patch is based on the following commit:
https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc

My conclusion is that the field function in stretch is unaffected. The
reason is that there is no skippy check there at all in the stretch version.
For the generate function the iNdEx check was not in place so I added it,
similar to the patch.

I do have a problem, and that is to check whether the code introduces some
regression issue. Also, since the CVE lacks a description of the effect of
this problem, I have little knowledge of what the result of this may be.

Therefore I would highly appreciate a description of what this problem is
and how to regression test the package.

Thank you in advance!

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
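
As an added illustration of the index check discussed above (example code written for this page, not code from the patch or from gogo/protobuf), the block below models the shape of a generated skip helper and the outer unmarshal index arithmetic, and shows why the `(iNdEx + skippy) < 0` guard matters. The helper names, the hand-built field bytes and a 64-bit `int` are assumptions of the example, and the constructed input can serve as a regression-test case: the unchecked path returns a wrapped negative index, the checked path rejects it.

```go
package main

import (
	"errors"
	"io"
)

var ErrInvalidLength = errors.New("proto: negative length found during unmarshaling")

// skipLengthDelimited mirrors a generated skip helper for a wire-type-2 field: it decodes
// the length varint at data[0] and returns the bytes spanned by the prefix and the body.
func skipLengthDelimited(data []byte) (int, error) {
	iNdEx, length := 0, 0
	for shift := uint(0); ; shift += 7 {
		if iNdEx >= len(data) {
			return 0, io.ErrUnexpectedEOF
		}
		b := data[iNdEx]
		iNdEx++
		length |= (int(b) & 0x7F) << shift
		if b < 0x80 {
			break
		}
	}
	if length < 0 || iNdEx+length < 0 {
		return 0, ErrInvalidLength
	}
	return iNdEx + length, nil
}

// advance applies the skip result to the outer unmarshal index: checked=false is the
// pre-patch path (upper bound only), checked=true adds the (iNdEx + skippy) < 0 guard.
func advance(iNdEx int, data []byte, checked bool) (int, error) {
	skippy, err := skipLengthDelimited(data[iNdEx:])
	if err != nil {
		return 0, err
	}
	if checked && iNdEx+skippy < 0 {
		return 0, ErrInvalidLength
	}
	if iNdEx+skippy > len(data) {
		return 0, io.ErrUnexpectedEOF
	}
	return iNdEx + skippy, nil
}

// overflowingField is a constructed field (tag 0x0a, then the varint for MaxInt64-9, 64-bit
// int assumed): skippy decodes to exactly MaxInt64, so 1+skippy wraps to a negative index.
func overflowingField() []byte {
	return []byte{0x0a, 0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}
}
```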
