Security update for protobuf SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:3747-1 Final 1 1 2024-10-22T13:41:37Z current 2024-10-22T13:41:37Z 2024-10-22T13:41:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for protobuf This update for protobuf fixes the following issues: - CVE-2024-7254: Fixed stack overflow vulnerability in Protocol Buffer (bsc#1230778) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SP5-Azure-3P-2024-3747,Image SLES15-SP5-Azure-Basic-2024-3747,Image SLES15-SP5-Azure-Standard-2024-3747,Image SLES15-SP5-BYOS-Azure-2024-3747,Image SLES15-SP5-HPC-Azure-2024-3747,Image SLES15-SP5-HPC-BYOS-Azure-2024-3747,Image SLES15-SP5-Hardened-BYOS-Azure-2024-3747,Image SLES15-SP5-SAP-Azure-3P-2024-3747,Image SLES15-SP5-SAP-BYOS-Azure-2024-3747,Image SLES15-SP5-SAP-Hardened-Azure-2024-3747,Image SLES15-SP5-SAP-Hardened-BYOS-Azure-2024-3747,Image SLES15-SP5-SAPCAL-Azure-2024-3747,SUSE-2024-3747,SUSE-SLE-INSTALLER-15-SP5-2024-3747,SUSE-SLE-Micro-5.5-2024-3747,SUSE-SLE-Module-Basesystem-15-SP5-2024-3747,SUSE-SLE-Module-Development-Tools-15-SP5-2024-3747,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-3747,SUSE-SLE-Module-Public-Cloud-15-SP5-2024-3747,SUSE-SLE-Module-Python3-15-SP5-2024-3747,openSUSE-Leap-Micro-5.5-2024-3747,openSUSE-SLE-15.5-2024-3747 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20243747-1/ Link for SUSE-SU-2024:3747-1 https://lists.suse.com/pipermail/sle-security-updates/2024-October/019665.html E-Mail link for SUSE-SU-2024:3747-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1230778 SUSE Bug 1230778 https://www.suse.com/security/cve/CVE-2024-7254/ SUSE CVE CVE-2024-7254 page Image SLES15-SP5-Azure-3P Image SLES15-SP5-Azure-Basic Image SLES15-SP5-Azure-Standard Image SLES15-SP5-BYOS-Azure Image SLES15-SP5-HPC-Azure Image SLES15-SP5-HPC-BYOS-Azure Image SLES15-SP5-Hardened-BYOS-Azure Image SLES15-SP5-SAP-Azure-3P Image SLES15-SP5-SAP-BYOS-Azure Image SLES15-SP5-SAP-Hardened-Azure Image SLES15-SP5-SAP-Hardened-BYOS-Azure Image SLES15-SP5-SAPCAL-Azure SUSE Linux Enterprise Installer Updates 15 SP5 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Module for Basesystem 15 SP5 SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Linux Enterprise Module for Public Cloud 15 SP5 SUSE Linux Enterprise Module for Python 3 15 SP5 openSUSE Leap 15.5 openSUSE Leap Micro 5.5 python311-protobuf-4.25.1-150500.12.5.1 libprotobuf-lite25_1_0-25.1-150500.12.5.1 libprotobuf-lite25_1_0-32bit-25.1-150500.12.5.1 libprotobuf-lite25_1_0-64bit-25.1-150500.12.5.1 libprotobuf25_1_0-25.1-150500.12.5.1 libprotobuf25_1_0-32bit-25.1-150500.12.5.1 libprotobuf25_1_0-64bit-25.1-150500.12.5.1 libprotoc25_1_0-25.1-150500.12.5.1 libprotoc25_1_0-32bit-25.1-150500.12.5.1 libprotoc25_1_0-64bit-25.1-150500.12.5.1 protobuf-devel-25.1-150500.12.5.1 protobuf-java-25.1-150500.12.5.1 python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-Azure-3P python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-Azure-Basic python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-Azure-Standard python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-BYOS-Azure python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-HPC-Azure python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-HPC-BYOS-Azure python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-Hardened-BYOS-Azure python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-SAP-Azure-3P python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-SAP-BYOS-Azure python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-SAP-Hardened-Azure python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-SAP-Hardened-BYOS-Azure python311-protobuf-4.25.1-150500.12.5.1 as a component of Image SLES15-SP5-SAPCAL-Azure libprotobuf-lite25_1_0-25.1-150500.12.5.1 as a component of SUSE Linux Enterprise Installer Updates 15 SP5 libprotobuf-lite25_1_0-25.1-150500.12.5.1 as a component of SUSE Linux Enterprise Micro 5.5 libprotobuf-lite25_1_0-25.1-150500.12.5.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 libprotobuf25_1_0-25.1-150500.12.5.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 libprotoc25_1_0-25.1-150500.12.5.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP5 libprotoc25_1_0-25.1-150500.12.5.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 protobuf-devel-25.1-150500.12.5.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 libprotoc25_1_0-25.1-150500.12.5.1 as a component of SUSE Linux Enterprise Module for Public Cloud 15 SP5 python311-protobuf-4.25.1-150500.12.5.1 as a component of SUSE Linux Enterprise Module for Python 3 15 SP5 libprotobuf-lite25_1_0-25.1-150500.12.5.1 as a component of openSUSE Leap 15.5 libprotobuf-lite25_1_0-32bit-25.1-150500.12.5.1 as a component of openSUSE Leap 15.5 libprotobuf25_1_0-25.1-150500.12.5.1 as a component of openSUSE Leap 15.5 libprotobuf25_1_0-32bit-25.1-150500.12.5.1 as a component of openSUSE Leap 15.5 libprotoc25_1_0-25.1-150500.12.5.1 as a component of openSUSE Leap 15.5 libprotoc25_1_0-32bit-25.1-150500.12.5.1 as a component of openSUSE Leap 15.5 protobuf-devel-25.1-150500.12.5.1 as a component of openSUSE Leap 15.5 protobuf-java-25.1-150500.12.5.1 as a component of openSUSE Leap 15.5 python311-protobuf-4.25.1-150500.12.5.1 as a component of openSUSE Leap 15.5 libprotobuf-lite25_1_0-25.1-150500.12.5.1 as a component of openSUSE Leap Micro 5.5 Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. CVE-2024-7254 Image SLES15-SP5-Azure-3P:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-Azure-Basic:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-Azure-Standard:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-BYOS-Azure:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-HPC-Azure:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-HPC-BYOS-Azure:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-Hardened-BYOS-Azure:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-SAP-Azure-3P:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-SAP-BYOS-Azure:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-SAP-Hardened-Azure:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-SAP-Hardened-BYOS-Azure:python311-protobuf-4.25.1-150500.12.5.1 Image SLES15-SP5-SAPCAL-Azure:python311-protobuf-4.25.1-150500.12.5.1 SUSE Linux Enterprise Installer Updates 15 SP5:libprotobuf-lite25_1_0-25.1-150500.12.5.1 SUSE Linux Enterprise Micro 5.5:libprotobuf-lite25_1_0-25.1-150500.12.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:libprotobuf-lite25_1_0-25.1-150500.12.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:libprotobuf25_1_0-25.1-150500.12.5.1 SUSE Linux Enterprise Module for Basesystem 15 SP5:libprotoc25_1_0-25.1-150500.12.5.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:libprotoc25_1_0-25.1-150500.12.5.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:protobuf-devel-25.1-150500.12.5.1 SUSE Linux Enterprise Module for Public Cloud 15 SP5:libprotoc25_1_0-25.1-150500.12.5.1 SUSE Linux Enterprise Module for Python 3 15 SP5:python311-protobuf-4.25.1-150500.12.5.1 openSUSE Leap 15.5:libprotobuf-lite25_1_0-25.1-150500.12.5.1 openSUSE Leap 15.5:libprotobuf-lite25_1_0-32bit-25.1-150500.12.5.1 openSUSE Leap 15.5:libprotobuf25_1_0-25.1-150500.12.5.1 openSUSE Leap 15.5:libprotobuf25_1_0-32bit-25.1-150500.12.5.1 openSUSE Leap 15.5:libprotoc25_1_0-25.1-150500.12.5.1 openSUSE Leap 15.5:libprotoc25_1_0-32bit-25.1-150500.12.5.1 openSUSE Leap 15.5:protobuf-devel-25.1-150500.12.5.1 openSUSE Leap 15.5:protobuf-java-25.1-150500.12.5.1 openSUSE Leap 15.5:python311-protobuf-4.25.1-150500.12.5.1 openSUSE Leap Micro 5.5:libprotobuf-lite25_1_0-25.1-150500.12.5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20243747-1/ https://www.suse.com/security/cve/CVE-2024-7254.html CVE-2024-7254 https://bugzilla.suse.com/1230778 SUSE Bug 1230778