
CVE-2021-3121 stretch patch review request and request for test help



Hi

I have prepared a patch for CVE-2021-3121 described in:
https://security-tracker.debian.org/tracker/CVE-2021-3121

You can find the patch here:
http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch

The patch is based on the following commit:
https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc

My conclusion is that the field function in stretch is unaffected. The reason is that there is no skippy check there at all in the stretch version.
For the generate function the iNdEx check was not in place so I added it, similar to the patch.

I do have a problem, and that is to check whether the code introduces some regression issue. Also, since the CVE lacks a description of the effect of this problem, I have little knowledge of what the result of this may be.

Therefore I would highly appreciate a description of what this problem is and how to regression test the package.

Thank you in advance!

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
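As an added illustration, not part of Ola's mail nor of the gogo/protobuf code itself, here is a simplified model of the generated skip routine for an unknown length-delimited field, once without and once with the post-add iNdEx check the patch adds (assumes a 64-bit int; `decodeVarint` and `skipLengthDelimited` are my own names, and the input bytes are constructed):

```go
package main

import (
	"errors"
	"fmt"
)

var ErrInvalidLength = errors.New("proto: negative length found during unmarshaling")

// decodeVarint mirrors the varint loop of the generated skip routine: up to
// 64 bits assembled into a signed int, so a 9-byte varint can yield MaxInt64.
func decodeVarint(data []byte, pos int) (int, int, error) {
	var v int
	for shift := uint(0); ; shift += 7 {
		if shift >= 64 || pos >= len(data) {
			return 0, 0, errors.New("proto: truncated or overlong varint")
		}
		b := data[pos]
		pos++
		v |= (int(b) & 0x7F) << shift
		if b < 0x80 {
			return v, pos, nil
		}
	}
}

// skipLengthDelimited returns how many bytes an unknown wire-type-2 field
// occupies. guard=false models the pre-fix routine (only the length is
// checked); guard=true adds the iNdEx check after the addition.
func skipLengthDelimited(data []byte, guard bool) (int, error) {
	_, iNdEx, err := decodeVarint(data, 0) // field tag
	if err != nil {
		return 0, err
	}
	length, iNdEx, err := decodeVarint(data, iNdEx)
	if err != nil {
		return 0, err
	}
	if length < 0 {
		return 0, ErrInvalidLength
	}
	iNdEx += length // can wrap past MaxInt64 and turn negative (64-bit int assumed)
	if guard && iNdEx < 0 {
		return 0, ErrInvalidLength
	}
	return iNdEx, nil
}

// Constructed input: tag 0x0a, then a length varint that decodes to MaxInt64.
var overflowing = []byte{0x0a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f}

func main() { fmt.Println(skipLengthDelimited(overflowing, false)) }
```

Without the guard the returned skip count is negative, which a caller that only checks `iNdEx+skippy > len(data)` would accept and use to move its index backwards; with the guard the same bytes are rejected with ErrInvalidLength.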

