The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Infinite loop in JSON unmarshaling in google.golang.org/protobuf
More information
#### Details
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
#### Severity
Unknown
#### References
- [https://go.dev/cl/569356](https://go.dev/cl/569356)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2611) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON
More information
#### Details
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
#### Severity
Moderate
#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)
- [https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023](https://togithub.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023)
- [https://github.com/protocolbuffers/protobuf-go](https://togithub.com/protocolbuffers/protobuf-go)
- [https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0)
- [https://go.dev/cl/569356](https://go.dev/cl/569356)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU)
- [https://pkg.go.dev/vuln/GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8r3f-844c-mc37) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
Release Notes
protocolbuffers/protobuf-go (google.golang.org/protobuf)
### [`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)
### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0)
**Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0
This release contains commit https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [https://github.com/golang/protobuf/issues/1583](https://togithub.com/golang/protobuf/issues/1583) and [https://github.com/golang/protobuf/issues/1584](https://togithub.com/golang/protobuf/issues/1584) for details.
### [`v1.31.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.31.0)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.30.0...v1.31.0)
##### Notable changes
**New Features**
- [CL/489316](https://go.dev/cl/489316): types/dynamicpb: add NewTypes
- Add a function to construct a dynamic type registry from a protoregistry.Files
- [CL/489615](https://go.dev/cl/489615): encoding: add MarshalAppend to protojson and prototext
**Minor performance improvements**
- [CL/491596](https://go.dev/cl/491596): encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one
- [CL/500695](https://go.dev/cl/500695): proto: store the size of tag to avoid multiple calculations
**Bug fixes**
- [CL/497935](https://go.dev/cl/497935): internal/order: fix sorting of synthetic oneofs to be deterministic
- [CL/505555](https://go.dev/cl/505555): encoding/protodelim: fix handling of io.EOF
### [`v1.30.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.30.0)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.29.1...v1.30.0)
- [Notable changes](#v1.30.0-notable-changes)
**Announcement**
In the previous two releases, v1.29.0 and v1.29.1, we associated the tags with the wrong commits and thus the tags do not reference any commit in this repository. This tag, v1.30.0, refers to an existing commit again. Sorry for the inconvenience.
#### Notable changes
**New Features**
- [CL/449576](https://go.dev/cl/449576): protoadapt: helper functions to convert v1 or v2 message to either v1 or v2 message.
### [`v1.29.1`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.29.1)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.29.0...v1.29.1)
- [Notable changes](#v1.29.1-notable-changes)
#### Notable changes
**Bug fixes**
- [CL/475995](https://go.dev/cl/475995): internal/encoding/text: fix parsing of incomplete numbers
### [`v1.29.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.29.0)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.0)
- [Overview](#v1.29-overview)
- [Notable changes](#v1.29-notable-changes)
##### Overview
This version introduces a new package `protodelim` to marshal and unmarshal size-delimited messages.
It also brings the implementation up to date with the latest protobuf features.
##### Notable changes
**New Features**
- [CL/419254](https://go.dev/cl/419254): encoding: add protodelim package
- [CL/450775](https://go.dev/cl/450775): reflect/protoreflect: add Value.Equal method
- [CL/462315](https://go.dev/cl/462315): cmd/protoc-gen-go: make deprecated messages more descriptive
- [CL/473015](https://go.dev/cl/473015): encoding/prototext: allow whitespace and comments between minus sign and number in negative numeric literal
**Alignment with protobuf**
- [CL/426054](https://go.dev/cl/426054): types/descriptorpb: update \*.pb.go to use latest protoc release, 21.5
- [CL/425554](https://go.dev/cl/425554): encoding/protojson: fix parsing of google.protobuf.Timestamp
- [CL/461238](https://go.dev/cl/461238): protobuf: remove the check for reserved field numbers
- [CL/469255](https://go.dev/cl/469255): types/descriptorpb: regenerate using latest protobuf v22.0 release
- [CL/472696](https://go.dev/cl/472696): cmd/protoc-gen-go: support protobuf retention feature
**Documentation improvements:**
- [CL/464275](https://go.dev/cl/464275): proto: document Equal behavior of invalid messages
- [CL/466375](https://go.dev/cl/466375): all: update links to Protocol Buffer documentation
**Minor performance improvements**
- [CL/460215](https://go.dev/cl/460215): types/known/structpb: preallocate map in AsMap
- [CL/465115](https://go.dev/cl/465115): internal/strs: avoid unnecessary allocations in Builder
**Breaking changes**
- [CL/461238](https://go.dev/cl/461238): protobuf: remove the check for reserved field numbers
- protowire.(Number).IsValid() no longer returns false for reserved fields because reserved fields are considered semantically valid by the protobuf spec.
### [`v1.28.1`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.28.1)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.28.0...v1.28.1)
This release contains protoc-gen-go binaries for arm64.
Notable changes since [v1.28.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.28.0):
- [CL/418677](https://golang.org/cl/418677): internal/impl: improve MessageInfo.New performance
- [CL/411377](https://golang.org/cl/411377): proto: short-circuit Equal when inputs are identical
- [CL/419714](https://golang.org/cl/419714): all: Add prebuild binaries for arm64
### [`v1.28.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.28.0)
[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.27.1...v1.28.0)
- [Overview](#v1.28-overview)
- [Notable changes](#v1.28-notable-changes)
- [UnmarshalOption RecursionLimit](#v1.28-recursion-limit)
- [Upcoming breakage changes](#v1.28-breaking-changes)
#### Overview
The release provides a new unmarshal option for limiting the recursion depth when unmarshalling nested messages to prevent stack overflows. ([`UnmarshalOptions.RecursionLimit`](https://pkg.go.dev/google.golang.org/protobuf/proto#UnmarshalOptions.RecursionLimit)).
#### Notable changes
**New features:**
- [CL/340489](https://go.dev/cl/340489): testing/protocmp: add Message.Unwrap
**Documentation improvements:**
- [CL/339569](https://go.dev/cl/339569): reflect/protoreflect: add more docs on Value aliasing
**Updated supported versions:**
- [CL/370055](https://go.dev/cl/370055): all: update supported versions
##### UnmarshalOption RecursionLimit
- [CL/385854](https://golang.org/cl/385854): all: implement depth limit for unmarshalling
The new [`UnmarshalOptions.RecursionLimit`](https://pkg.go.dev/google.golang.org/protobuf/proto#UnmarshalOptions.RecursionLimit) limits the maximum recursion depth when unmarshalling messages. The limit is applied for nested messages. When messages are nested deeper than the specified limit the unmarshalling will fail. If unspecified, a default limit of 10,000 is applied.
In addition to the configurable limit for message nesting a non-configurable recursion limit for [group](https://developers.google.com/protocol-buffers/docs/proto#groups) nesting of 10,000 was introduced.
#### Upcoming breakage changes
The default recursion limit of 10,000 introduced in the release is subject to change. We want to align this limit with implementations for other languages in the long term. C++ and Java use a limit of 100 which is also the target for the Go implementation.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
v1.27.1->v1.33.0GitHub Vulnerability Alerts
CVE-2024-24786
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
Infinite loop in JSON unmarshaling in google.golang.org/protobuf
CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611
More information
#### Details The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. #### Severity Unknown #### References - [https://go.dev/cl/569356](https://go.dev/cl/569356) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2611) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON
CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611
More information
#### Details The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. #### Severity Moderate #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786) - [https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023](https://togithub.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023) - [https://github.com/protocolbuffers/protobuf-go](https://togithub.com/protocolbuffers/protobuf-go) - [https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0) - [https://go.dev/cl/569356](https://go.dev/cl/569356) - [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU) - [https://pkg.go.dev/vuln/GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8r3f-844c-mc37) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
protocolbuffers/protobuf-go (google.golang.org/protobuf)
### [`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0) ### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0) **Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0 This release contains commit https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [https://github.com/golang/protobuf/issues/1583](https://togithub.com/golang/protobuf/issues/1583) and [https://github.com/golang/protobuf/issues/1584](https://togithub.com/golang/protobuf/issues/1584) for details. ### [`v1.31.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.31.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.30.0...v1.31.0) ##### Notable changes **New Features** - [CL/489316](https://go.dev/cl/489316): types/dynamicpb: add NewTypes - Add a function to construct a dynamic type registry from a protoregistry.Files - [CL/489615](https://go.dev/cl/489615): encoding: add MarshalAppend to protojson and prototext **Minor performance improvements** - [CL/491596](https://go.dev/cl/491596): encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one - [CL/500695](https://go.dev/cl/500695): proto: store the size of tag to avoid multiple calculations **Bug fixes** - [CL/497935](https://go.dev/cl/497935): internal/order: fix sorting of synthetic oneofs to be deterministic - [CL/505555](https://go.dev/cl/505555): encoding/protodelim: fix handling of io.EOF ### [`v1.30.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.30.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.29.1...v1.30.0) - [Notable changes](#v1.30.0-notable-changes) **Announcement** In the previous two releases, v1.29.0 and v1.29.1, we associated the tags with the wrong commits and thus the tags do not reference any commit in this repository. This tag, v1.30.0, refers to an existing commit again. Sorry for the inconvenience. #### Notable changes **New Features** - [CL/449576](https://go.dev/cl/449576): protoadapt: helper functions to convert v1 or v2 message to either v1 or v2 message. ### [`v1.29.1`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.29.1) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.29.0...v1.29.1) - [Notable changes](#v1.29.1-notable-changes) #### Notable changes **Bug fixes** - [CL/475995](https://go.dev/cl/475995): internal/encoding/text: fix parsing of incomplete numbers ### [`v1.29.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.29.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.0) - [Overview](#v1.29-overview) - [Notable changes](#v1.29-notable-changes) ##### Overview This version introduces a new package `protodelim` to marshal and unmarshal size-delimited messages. It also brings the implementation up to date with the latest protobuf features. ##### Notable changes **New Features** - [CL/419254](https://go.dev/cl/419254): encoding: add protodelim package - [CL/450775](https://go.dev/cl/450775): reflect/protoreflect: add Value.Equal method - [CL/462315](https://go.dev/cl/462315): cmd/protoc-gen-go: make deprecated messages more descriptive - [CL/473015](https://go.dev/cl/473015): encoding/prototext: allow whitespace and comments between minus sign and number in negative numeric literal **Alignment with protobuf** - [CL/426054](https://go.dev/cl/426054): types/descriptorpb: update \*.pb.go to use latest protoc release, 21.5 - [CL/425554](https://go.dev/cl/425554): encoding/protojson: fix parsing of google.protobuf.Timestamp - [CL/461238](https://go.dev/cl/461238): protobuf: remove the check for reserved field numbers - [CL/469255](https://go.dev/cl/469255): types/descriptorpb: regenerate using latest protobuf v22.0 release - [CL/472696](https://go.dev/cl/472696): cmd/protoc-gen-go: support protobuf retention feature **Documentation improvements:** - [CL/464275](https://go.dev/cl/464275): proto: document Equal behavior of invalid messages - [CL/466375](https://go.dev/cl/466375): all: update links to Protocol Buffer documentation **Minor performance improvements** - [CL/460215](https://go.dev/cl/460215): types/known/structpb: preallocate map in AsMap - [CL/465115](https://go.dev/cl/465115): internal/strs: avoid unnecessary allocations in Builder **Breaking changes** - [CL/461238](https://go.dev/cl/461238): protobuf: remove the check for reserved field numbers - protowire.(Number).IsValid() no longer returns false for reserved fields because reserved fields are considered semantically valid by the protobuf spec. ### [`v1.28.1`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.28.1) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.28.0...v1.28.1) This release contains protoc-gen-go binaries for arm64. Notable changes since [v1.28.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.28.0): - [CL/418677](https://golang.org/cl/418677): internal/impl: improve MessageInfo.New performance - [CL/411377](https://golang.org/cl/411377): proto: short-circuit Equal when inputs are identical - [CL/419714](https://golang.org/cl/419714): all: Add prebuild binaries for arm64 ### [`v1.28.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.28.0) [Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.27.1...v1.28.0) - [Overview](#v1.28-overview) - [Notable changes](#v1.28-notable-changes) - [UnmarshalOption RecursionLimit](#v1.28-recursion-limit) - [Upcoming breakage changes](#v1.28-breaking-changes) #### Overview The release provides a new unmarshal option for limiting the recursion depth when unmarshalling nested messages to prevent stack overflows. ([`UnmarshalOptions.RecursionLimit`](https://pkg.go.dev/google.golang.org/protobuf/proto#UnmarshalOptions.RecursionLimit)). #### Notable changes **New features:** - [CL/340489](https://go.dev/cl/340489): testing/protocmp: add Message.Unwrap **Documentation improvements:** - [CL/339569](https://go.dev/cl/339569): reflect/protoreflect: add more docs on Value aliasing **Updated supported versions:** - [CL/370055](https://go.dev/cl/370055): all: update supported versions ##### UnmarshalOption RecursionLimit - [CL/385854](https://golang.org/cl/385854): all: implement depth limit for unmarshalling The new [`UnmarshalOptions.RecursionLimit`](https://pkg.go.dev/google.golang.org/protobuf/proto#UnmarshalOptions.RecursionLimit) limits the maximum recursion depth when unmarshalling messages. The limit is applied for nested messages. When messages are nested deeper than the specified limit the unmarshalling will fail. If unspecified, a default limit of 10,000 is applied. In addition to the configurable limit for message nesting a non-configurable recursion limit for [group](https://developers.google.com/protocol-buffers/docs/proto#groups) nesting of 10,000 was introduced. #### Upcoming breakage changes The default recursion limit of 10,000 introduced in the release is subject to change. We want to align this limit with implementations for other languages in the long term. C++ and Java use a limit of 100 which is also the target for the Go implementation.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.