Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg1cnItNHJoOS1oaHdo

Memory leak in Nanopb

Impact

Decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed.

Patches

Preliminary patch is available on git and problem will be patched in versions 0.3.9.7 and 0.4.4 once testing has been completed.

Workarounds

Following workarounds are available:

References

Bug report: https://github.com/nanopb/nanopb/issues/615

For more information

If you have any questions or comments about this advisory, comment on the bug report linked above.

Permalink: https://github.com/advisories/GHSA-85rr-4rh9-hhwh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg1cnItNHJoOS1oaHdo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-85rr-4rh9-hhwh, CVE-2020-26243
References: Repository: https://github.com/nanopb/nanopb
Blast Radius: 11.7

Affected Packages

pypi:nanopb
Dependent packages: 3
Dependent repositories: 36
Downloads: 40,101 last month
Affected Version Ranges: >= 0.4.0, < 0.4.4, >= 0.3.2, <= 0.3.9.6
Fixed in: 0.4.4, 0.3.9.7
All affected versions: 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8
All unaffected versions: