phisco / crossplane

Cloud Native Control Planes
https://crossplane.io
Apache License 2.0

fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] (master) - autoclosed #303

Closed phisco-renovate[bot] closed 3 months ago

phisco-renovate[bot] commented 6 months ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| google.golang.org/protobuf | require | minor | v1.31.0 -> v1.33.0 |

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-24786

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.


Infinite loop in JSON unmarshaling in google.golang.org/protobuf

CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

#### Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

#### Severity

Unknown

#### References

- [https://go.dev/cl/569356](https://go.dev/cl/569356)

This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2611) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).

Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

#### Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

#### Severity

Moderate

#### References

- [https://nvd.nist.gov/vuln/detail/CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786)
- [https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023](https://togithub.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023)
- [https://github.com/protocolbuffers/protobuf-go](https://togithub.com/protocolbuffers/protobuf-go)
- [https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0)
- [https://go.dev/cl/569356](https://go.dev/cl/569356)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU)
- [https://pkg.go.dev/vuln/GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611)
- [https://security.netapp.com/advisory/ntap-20240517-0002](https://security.netapp.com/advisory/ntap-20240517-0002)
- [http://www.openwall.com/lists/oss-security/2024/03/08/4](http://www.openwall.com/lists/oss-security/2024/03/08/4)

This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8r3f-844c-mc37) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

### [`v1.33.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0)

[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.32.0...v1.33.0)

This release contains one security fix:

- `encoding/protojson`: `Unmarshal` could enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a `google.protobuf.Any` value, or when the `UnmarshalOptions.DiscardUnknown` option is set. `Unmarshal` now correctly returns an error when handling these inputs. This is CVE-2024-24786.

### [`v1.32.0`](https://togithub.com/protocolbuffers/protobuf-go/releases/tag/v1.32.0)

[Compare Source](https://togithub.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0)

**Full Changelog**: https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.32.0

This release contains commit https://github.com/protocolbuffers/protobuf-go/commit/bfcd6476a38e41247d6bb43dc8f00b23ec9fffc2, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See [https://github.com/golang/protobuf/issues/1583](https://togithub.com/golang/protobuf/issues/1583) and [https://github.com/golang/protobuf/issues/1584](https://togithub.com/golang/protobuf/issues/1584) for details.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
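As an added example (not code from the Crossplane project or from Renovate), the following Go program audits a go.mod for the exposure this PR closes: it flags google.golang.org/protobuf whenever the pinned version is below v1.33.0, the first release carrying the fix for CVE-2024-24786 named in the advisory above. The go.mod text, the module name example.com/constructed and the golang.org/x/sys version are constructed for the example; the protobuf and buf versions match those on this page. The version ordering handles pre-release tags and pseudo-versions (they sort below the release with the same numbers) and build metadata (ignored), which is where hand-written policy checks usually go wrong.

```go
package main

import (
	"fmt"
	"strings"
)

// fixedVersions maps a module to the first release carrying the fix (from this page's advisory).
var fixedVersions = map[string]string{
	"google.golang.org/protobuf": "v1.33.0", // CVE-2024-24786
}

// sampleGoMod is a constructed go.mod for this example, not the repository's own file.
const sampleGoMod = `module example.com/constructed

require (
	github.com/bufbuild/buf v1.27.2
	google.golang.org/protobuf v1.31.0 // indirect
)
require golang.org/x/sys v0.15.0
`

// parseRequires returns module path -> version for block-form and single-line require directives.
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		f := strings.Fields(line)
		switch {
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			reqs[f[0]] = f[1]
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 3 && f[0] == "require":
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// parseVersion turns "vMAJOR.MINOR.PATCH[-prerelease][+build]" into four
// sortable integers: the three numbers plus -1 when a pre-release suffix
// (rc tag or pseudo-version) is present, so that v1.33.0-rc.1 < v1.33.0.
func parseVersion(v string) (key [4]int, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // build metadata never affects ordering
	if before, _, found := strings.Cut(v, "-"); found {
		key[3], v = -1, before
	}
	n, err := fmt.Sscanf(v, "%d.%d.%d", &key[0], &key[1], &key[2])
	return key, err == nil && n == 3
}

// compareVersions returns -1, 0 or 1 in semver order, or an error for input that is not vX.Y.Z.
func compareVersions(a, b string) (int, error) {
	ak, aok := parseVersion(a)
	bk, bok := parseVersion(b)
	if !aok || !bok {
		return 0, fmt.Errorf("cannot parse versions %q and %q", a, b)
	}
	for i := range ak {
		if ak[i] < bk[i] {
			return -1, nil
		}
		if ak[i] > bk[i] {
			return 1, nil
		}
	}
	return 0, nil
}

// auditGoMod returns module -> pinned version for every tracked module pinned below its fixed release.
func auditGoMod(gomod string) (map[string]string, error) {
	vulnerable := map[string]string{}
	for module, have := range parseRequires(gomod) {
		fixed, tracked := fixedVersions[module]
		if !tracked {
			continue
		}
		cmp, err := compareVersions(have, fixed)
		if err != nil {
			return nil, err
		}
		if cmp < 0 {
			vulnerable[module] = have
		}
	}
	return vulnerable, nil
}

func main() {
	fmt.Println(auditGoMod(sampleGoMod))
}
```

For a real repository, govulncheck is the tool of record for this question, since it also reports whether the vulnerable function is reachable; the example shows the comparison a custom policy check has to get right. Note that flagging the pin is only half the job here: the artifact failure further down shows buf v1.27.2 failing to compile against protobuf v1.33.0 because the two disagree on the type of GetEdition, so the protobuf bump has to be coordinated with the buf version rather than merged on its own.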

phisco-renovate[bot] commented 6 months ago

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: go.mod

```
Command failed: make generate
# github.com/bufbuild/buf/private/pkg/protodescriptor
/go/pkg/mod/github.com/bufbuild/buf@v1.27.2/private/pkg/protodescriptor/protodescriptor.go:52:24: cannot use fileDescriptorProto (variable of type *descriptorpb.FileDescriptorProto) as FileDescriptor value in assignment: *descriptorpb.FileDescriptorProto does not implement FileDescriptor (wrong type for method GetEdition)
        have GetEdition() descriptorpb.Edition
        want GetEdition() string
/go/pkg/mod/github.com/bufbuild/buf@v1.27.2/private/pkg/protodescriptor/protodescriptor.go:71:32: impossible type assertion: fileDescriptor.(*descriptorpb.FileDescriptorProto)
    *descriptorpb.FileDescriptorProto does not implement FileDescriptor (wrong type for method GetEdition)
        have GetEdition() descriptorpb.Edition
        want GetEdition() string
/go/pkg/mod/github.com/bufbuild/buf@v1.27.2/private/pkg/protodescriptor/protodescriptor.go:97:33: cannot use proto.String(edition) (value of type *string) as *descriptorpb.Edition value in assignment
/go/pkg/mod/github.com/bufbuild/buf@v1.27.2/private/pkg/protodescriptor/protodescriptor.go:151:36: cannot use fileDescriptorProto (variable of type *descriptorpb.FileDescriptorProto) as FileDescriptor value in argument to ValidateFileDescriptor: *descriptorpb.FileDescriptorProto does not implement FileDescriptor (wrong type for method GetEdition)
        have GetEdition() descriptorpb.Edition
        want GetEdition() string
apis/generate.go:73: running "go": exit status 1
make[1]: *** [build/makelib/golang.mk:240: go.generate] Error 1
make: *** [build/makelib/common.mk:434: generate] Error 2
```