fluent / fluent-bit

Fast and Lightweight Logs and Metrics processor for Linux, BSD, OSX and Windows
https://fluentbit.io
Apache License 2.0
5.85k stars 1.58k forks

Security Vulnerability - Action Required: Integer Overflow or Wraparound vulnerability may exist in your project #9368

Open Crispy-fried-chicken opened 1 month ago

Crispy-fried-chicken commented 1 month ago

Hi, we have detected that your project may be vulnerable to Integer Overflow or Wraparound in the function parse_required_member in the file lib/cmetrics/src/external/protobuf-c.c. It shares similarities with a recent CVE disclosure, CVE-2022-48468, in https://github.com/protobuf-c/protobuf-c. The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2022-48468
Description: protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-48468
Patch: https://github.com/protobuf-c/protobuf-c/commit/ec3d900001a13ccdaa8aef996b34c61159c76217

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!
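As an added illustration of the defect class named in the report (an unsigned integer overflow in a length-prefixed field parser), not code from fluent-bit, cmetrics or protobuf-c: the unchecked subtraction is shown beside a checked version that rejects inconsistent lengths before any arithmetic. The `len`/`pref_len` bookkeeping and the sample field are assumptions made for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not the protobuf-c source. Assumed bookkeeping:
 * `len` is the scanned field length including its length prefix,
 * `pref_len` is the number of prefix bytes, and the payload is the
 * `len - pref_len` bytes starting at data + pref_len. */

/* Vulnerable pattern: `len - pref_len` is evaluated in unsigned arithmetic
 * with no ordering check, so inconsistent bookkeeping (pref_len > len)
 * wraps to a huge value that would then feed an allocation and a memcpy. */
size_t payload_size_unchecked(size_t len, size_t pref_len)
{
    return len - pref_len;   /* 3 - 4 wraps to SIZE_MAX */
}

/* Hardened version: reject the field before any size arithmetic, then
 * bound the copy by the destination capacity. Returns true and sets
 * *out_len on success, false on a malformed or oversized field. */
bool copy_payload_checked(const uint8_t *data, size_t len, size_t pref_len,
                          uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (data == NULL || dst == NULL || out_len == NULL)
        return false;
    if (pref_len > len)               /* the check the unchecked path lacks */
        return false;
    size_t payload = len - pref_len;  /* now provably <= len */
    if (payload > dst_cap)
        return false;
    memcpy(dst, data + pref_len, payload);
    *out_len = payload;
    return true;
}

/* Constructed sample: a one-byte length prefix (0x03) followed by "abc". */
static const uint8_t sample_field[] = { 0x03, 'a', 'b', 'c' };

/* Parse the sample with caller-supplied bookkeeping; returns the payload
 * length, or SIZE_MAX when the checked parser rejects the field. */
size_t parse_sample(size_t claimed_len, size_t pref_len)
{
    uint8_t buf[16];
    size_t n;
    if (!copy_payload_checked(sample_field, claimed_len, pref_len,
                              buf, sizeof buf, &n))
        return SIZE_MAX;
    return n;
}
```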

patrick-stephens commented 1 month ago

Please report security issues via the policy: https://github.com/fluent/fluent-bit/security/policy. This looks to be a medium-level CVE related to the version of protobuf-c used by cmetrics, so it needs an update to cmetrics to resolve it, I think, and then to be pulled in here.

leonardo-albertovich commented 1 month ago

Hi @Crispy-fried-chicken, yes, we have verified that this bug has been fixed upstream and a PR that updates the relevant files in cmetrics would be welcome.

Thank you for taking the time to report this issue.

Crispy-fried-chicken commented 1 month ago

Hi @leonardo-albertovich, I've already opened a PR, which is https://github.com/fluent/fluent-bit/pull/9369; please review it.