Security update for nanopb SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0400-1 Final 1 1 2024-12-09T11:02:14Z current 2024-12-09T11:02:14Z 2024-12-09T11:02:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nanopb This update for nanopb fixes the following issues: - CVE-2024-53984: Fix memory not released on error return (boo#1234088) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-400 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AG77Q4WFLPBVX3LSKIMQWP7DA3QHCSEV/ E-Mail link for openSUSE-SU-2024:0400-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1234088 SUSE Bug 1234088 https://www.suse.com/security/cve/CVE-2024-53984/ SUSE CVE CVE-2024-53984 page SUSE Package Hub 15 SP6 openSUSE Leap 15.6 libprotobuf-nanopb0-0.4.6-bp156.4.3.1 nanopb-devel-0.4.6-bp156.4.3.1 nanopb-source-0.4.6-bp156.4.3.1 libprotobuf-nanopb0-0.4.6-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 nanopb-devel-0.4.6-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 nanopb-source-0.4.6-bp156.4.3.1 as a component of SUSE Package Hub 15 SP6 libprotobuf-nanopb0-0.4.6-bp156.4.3.1 as a component of openSUSE Leap 15.6 nanopb-devel-0.4.6-bp156.4.3.1 as a component of openSUSE Leap 15.6 nanopb-source-0.4.6-bp156.4.3.1 as a component of openSUSE Leap 15.6 Nanopb is a small code-size Protocol Buffers implementation. When the compile time option PB_ENABLE_MALLOC is enabled, the message contains at least one field with FT_POINTER field type, custom stream callback is used with unknown stream length. and the pb_decode_ex() function is used with flag PB_DECODE_DELIMITED, then the pb_decode_ex() function does not automatically call pb_release(), like is done for other failure cases. This could lead to memory leak and potential denial-of-service. This vulnerability is fixed in 0.4.9.1. CVE-2024-53984 SUSE Package Hub 15 SP6:libprotobuf-nanopb0-0.4.6-bp156.4.3.1 SUSE Package Hub 15 SP6:nanopb-devel-0.4.6-bp156.4.3.1 SUSE Package Hub 15 SP6:nanopb-source-0.4.6-bp156.4.3.1 openSUSE Leap 15.6:libprotobuf-nanopb0-0.4.6-bp156.4.3.1 openSUSE Leap 15.6:nanopb-devel-0.4.6-bp156.4.3.1 openSUSE Leap 15.6:nanopb-source-0.4.6-bp156.4.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AG77Q4WFLPBVX3LSKIMQWP7DA3QHCSEV/ https://www.suse.com/security/cve/CVE-2024-53984.html CVE-2024-53984 https://bugzilla.suse.com/1234088 SUSE Bug 1234088