diff --git a/backport-0001-Fix-issue-499-unsigned-integer-overflow.patch b/backport-0001-Fix-issue-499-unsigned-integer-overflow.patch new file mode 100644 index 0000000000000000000000000000000000000000..f01254291a766726b5f25f42a6e58d3218a6dc88 --- /dev/null +++ b/backport-0001-Fix-issue-499-unsigned-integer-overflow.patch @@ -0,0 +1,35 @@ +From 289f5c18b195aa43d46a619d1188709abbfa9c82 Mon Sep 17 00:00:00 2001 +From: 10054172 +Date: Fri, 18 Mar 2022 12:42:57 -0400 +Subject: [PATCH 1/2] Fix issue #499: unsigned integer overflow + +Signed-off-by: 10054172 +--- + protobuf-c/protobuf-c.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/protobuf-c/protobuf-c.c b/protobuf-c/protobuf-c.c +index 98052cd..ec2d40a 100644 +--- a/protobuf-c/protobuf-c.c ++++ b/protobuf-c/protobuf-c.c +@@ -2603,10 +2603,13 @@ parse_required_member(ScannedMember *scanned_member, + return FALSE; + + def_mess = scanned_member->field->default_value; +- subm = protobuf_c_message_unpack(scanned_member->field->descriptor, +- allocator, +- len - pref_len, +- data + pref_len); ++ if (len > pref_len) ++ subm = protobuf_c_message_unpack(scanned_member->field->descriptor, ++ allocator, ++ len - pref_len, ++ data + pref_len); ++ else ++ subm = NULL; + + if (maybe_clear && + *pmessage != NULL && +-- +2.37.3.windows.1 + diff --git a/backport-0002-Fix-regression-with-zero-length-messages-introduced-.patch b/backport-0002-Fix-regression-with-zero-length-messages-introduced-.patch new file mode 100644 index 0000000000000000000000000000000000000000..dd46392f14e26f3b585f05095f4a188627656249 --- /dev/null +++ b/backport-0002-Fix-regression-with-zero-length-messages-introduced-.patch @@ -0,0 +1,28 @@ +From 0d1fd124a4e0a07b524989f6e64410ff648fba61 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Thu, 9 Jun 2022 07:34:55 -0600 +Subject: [PATCH 2/2] Fix regression with zero-length messages introduced in + protobuf-c PR 500. + +[edmonds: Import bugfix from +https://github.com/sudo-project/sudo/commit/b6a6451482a3ff5e30f43ef888159d4b0d39143b.patch.] +--- + protobuf-c/protobuf-c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/protobuf-c/protobuf-c.c b/protobuf-c/protobuf-c.c +index ec2d40a..448f3e8 100644 +--- a/protobuf-c/protobuf-c.c ++++ b/protobuf-c/protobuf-c.c +@@ -2603,7 +2603,7 @@ parse_required_member(ScannedMember *scanned_member, + return FALSE; + + def_mess = scanned_member->field->default_value; +- if (len > pref_len) ++ if (len >= pref_len) + subm = protobuf_c_message_unpack(scanned_member->field->descriptor, + allocator, + len - pref_len, +-- +2.37.3.windows.1 + diff --git a/protobuf-c.spec b/protobuf-c.spec index 0358f1b65954ca563d7630343954e912f0e02e1e..e46e3f3c03fc38feeaeb4932300ea16ca9fcb4a1 100644 --- a/protobuf-c.spec +++ b/protobuf-c.spec @@ -1,6 +1,6 @@ Name: protobuf-c Version: 1.4.0 -Release: 2 +Release: 3 Summary: This is protobuf-c, a C implementation of the Google Protocol Buffers data serialization format License: BSD URL: https://github.com/protobuf-c/protobuf-c @@ -11,6 +11,9 @@ BuildRequires: autoconf automake libtool gcc-c++ pkgconfig(protobuf) Provides: %{name}-compiler = %{version}-%{release} Obsoletes: %{name}-compiler < %{version}-%{release} +Patch6000: backport-0001-Fix-issue-499-unsigned-integer-overflow.patch +Patch6001: backport-0002-Fix-regression-with-zero-length-messages-introduced-.patch + %description This is protobuf-c, a C implementation of the Google Protocol Buffers data serialization format. @@ -50,6 +53,12 @@ make check %{_libdir}/{libprotobuf-c.so,pkgconfig/libprotobuf-c.pc} %changelog +* Sat Jan 7 2023 mengwenhua - 1.4.0-3 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:fix unsigned integer overflow + * Mon Jul 4 2022 dengyuyu - 1.4.0-2 - fix CVE-2022-33070