Bug 1902065 (CVE-2020-26243)
Summary: | CVE-2020-26243 nanopb: oneof fields with PB_ENABLE_MALLOC can leak memory | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | kconner, rcernich |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://issues.redhat.com/browse/MAISTRA-2020 | ||
Whiteboard: | |||
Fixed In Version: | nanopb 0.3.9.7, nanopb 0.4.4 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found nanopd. If dynamic allocation is enabled and the oneof field contains a static sub-message, an attacker can use this flaw to leak memory potentially resulting in a denial of service. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-11-30 11:34:47 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1901975 |
Description
Guilherme de Almeida Suckevicz
2020-11-26 17:24:55 UTC
External References: https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh ServiceMesh 1.1.x uses envoy v1.12.6, ServiceMesh 2.0.x uses envoy v1.14.5 This only affects ServiceMesh 1.1.x as after envoy 1.13.0 nanopd was removed. On further investigation, whilst OSSM 1.1.x does package an affected version, to be vulnerable the code must first define PB_ENABLE_MALLOC as for the issue to occur the function pb_release_union_field must be called first which is only available in the ifdef. As OSSM does not set PB_ENABLE_MALLOC whilst it packages a vulnerable library it is not affected by this vulnerability and is set to wontfix. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-26243 Statement: OpenShift ServiceMesh (OSSM) packages a vulnerable version of nanopb in the RPM servicemesh-proxy, however it does not define PB_ENABLE_MALLOC and hence the code in pb_release_union_field is never reached. As such, OSSM is deemed to be of Moderate impact and marked wontfix at this time although it may be fixed in a future update. |