Bug 1902065 (CVE-2020-26243)

Summary: CVE-2020-26243 nanopb: oneof fields with PB_ENABLE_MALLOC can leak memory
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kconner, rcernich
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
See Also: https://issues.redhat.com/browse/MAISTRA-2020
Whiteboard:
Fixed In Version: nanopb 0.3.9.7, nanopb 0.4.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found nanopd. If dynamic allocation is enabled and the oneof field contains a static sub-message, an attacker can use this flaw to leak memory potentially resulting in a denial of service. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-30 11:34:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1901975    

Description Guilherme de Almeida Suckevicz 2020-11-26 17:24:55 UTC 
Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the option `no_unions` for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to `FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards.

References:
https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh
https://github.com/nanopb/nanopb/issues/615

Upstream patch:
https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c
Comment 1 Mark Cooper 2020-11-30 03:27:52 UTC 
External References:

https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh
Comment 2 Mark Cooper 2020-11-30 05:29:48 UTC 
ServiceMesh 1.1.x uses envoy v1.12.6, ServiceMesh 2.0.x uses envoy v1.14.5

This only affects ServiceMesh 1.1.x as after envoy 1.13.0 nanopd was removed.
Comment 4 Mark Cooper 2020-11-30 07:11:57 UTC 
On further investigation, whilst OSSM 1.1.x does package an affected version, to be vulnerable the code must first define PB_ENABLE_MALLOC as for the issue to occur the function pb_release_union_field must be called first which is only available in the ifdef. 

As OSSM does not set PB_ENABLE_MALLOC whilst it packages a vulnerable library it is not affected by this vulnerability and is set to wontfix.
Comment 6 Product Security DevOps Team 2020-11-30 11:34:47 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26243
Comment 9 Mark Cooper 2020-12-07 13:40:19 UTC 
Statement:

OpenShift ServiceMesh (OSSM) packages a vulnerable version of nanopb in the RPM servicemesh-proxy, however it does not define PB_ENABLE_MALLOC and hence the code in pb_release_union_field is never reached. As such, OSSM is deemed to be of Moderate impact and marked wontfix at this time although it may be fixed in a future update.