vitalidze
commented
4 years ago @wborn thank you for bringing my attention to this!
No, I haven't tested the 3.x protobuf. But I would like to avoid such changes until the library becomes modular/pluggable (i.e. you will be able to choose either 2.x or 3.x protobuf for example) since it may break the compatibility with some projects. I have started working on the topic some time ago to make jmdns optional with the possibility to switch implementations.
Regarding the particular CVE-2015-5237 [the thread|https://github.com/protocolbuffers/protobuf/issues/760] says that it was introduced in 3.4.0 only and is actually related with big messages (>2G or >4G). Is this even the case for openhab? Do you have a use case when you will be sending such a big messages? I am just trying to figure out the real use case of exploiting the vulnerability.
Let me know your thoughts.
wborn
djmuhlestein
Hi @vitalidze did you ever test using the protobuf-java 3.x libraries? According to the docs it should be compatible with proto2. I just regenerated
CastChannelusing a recent protoc and gave it a brief test with 3.10.0. So far it seems to work without issues. :-)Upgrading this dependency would prevent the CVE-2015-5237 vulnerability which is identified for instance by Snyk (https://github.com/openhab/openhab2-addons/pull/6442).
There's also a lite version that's more compatible with Android but it has some limitations, see: https://github.com/protocolbuffers/protobuf/blob/master/java/lite.md .