Security update for protobuf SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20672-1 Final 1 1 2025-09-05T12:17:44Z current 2025-09-05T12:17:44Z 2025-09-05T12:17:44Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for protobuf This update for protobuf fixes the following issues: - CVE-2024-2410: Use after free when parsing JSON from a stream (bsc#1223947). - CVE-2024-7254: StackOverflow vulnerability in Protocol Buffers (bsc#1230778). - CVE-2025-4565: Parsing of untrusted Protocol Buffers data containing an arbitrary number of recursive groups or messages can lead to crash due to RecursionError (bsc#1244663). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-250 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520672-1/ Link for SUSE-SU-2025:20672-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041629.html E-Mail link for SUSE-SU-2025:20672-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1223947 SUSE Bug 1223947 https://bugzilla.suse.com/1230778 SUSE Bug 1230778 https://bugzilla.suse.com/1244663 SUSE Bug 1244663 https://www.suse.com/security/cve/CVE-2024-2410/ SUSE CVE CVE-2024-2410 page https://www.suse.com/security/cve/CVE-2024-7254/ SUSE CVE CVE-2024-7254 page https://www.suse.com/security/cve/CVE-2025-4565/ SUSE CVE CVE-2025-4565 page SUSE Linux Micro 6.1 libprotobuf23_4_0-23.4-slfo.1.1_2.1 libprotobuf23_4_0-23.4-slfo.1.1_2.1 as a component of SUSE Linux Micro 6.1 The JsonToBinaryStream() function is part of the protocol buffers C++ implementation and is used to parse JSON from a stream. If the input is broken up into separate chunks in a certain way, the parser will attempt to read bytes from a chunk that has already been freed. CVE-2024-2410 SUSE Linux Micro 6.1:libprotobuf23_4_0-23.4-slfo.1.1_2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520672-1/ https://www.suse.com/security/cve/CVE-2024-2410.html CVE-2024-2410 https://bugzilla.suse.com/1223947 SUSE Bug 1223947 Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. CVE-2024-7254 SUSE Linux Micro 6.1:libprotobuf23_4_0-23.4-slfo.1.1_2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520672-1/ https://www.suse.com/security/cve/CVE-2024-7254.html CVE-2024-7254 https://bugzilla.suse.com/1230778 SUSE Bug 1230778 Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =>6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901 CVE-2025-4565 SUSE Linux Micro 6.1:libprotobuf23_4_0-23.4-slfo.1.1_2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520672-1/ https://www.suse.com/security/cve/CVE-2025-4565.html CVE-2025-4565 https://bugzilla.suse.com/1244663 SUSE Bug 1244663