Bug 2214473 (CVE-2023-1428)

Summary: CVE-2023-1428 gRPC: Reachable Assertion
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: code, dfreiber, jburrell, rogbas, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the gRPC package. Affected versions are vulnerable to a reachable assertion: a crafted HTTP/2 header block causes abort() to be called in gRPC.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2214474, 2214476, 2214475
Bug Blocks: 2213811

Description Avinash Hanwate 2023-06-13 06:09:11 UTC
There exists a vulnerability causing an abort() to be called in gRPC. The following headers cause gRPC's C++ implementation to abort() when called via http2:

  te: x (x != trailers)
  :scheme: x (x != http, https)
  grpclb_client_stats: x (x == anything)

On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.
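
The description above gives three header conditions plus a size condition. The checker below is an added example, not gRPC code and not from the reporter: it encodes those conditions as a classifier over an HTTP/2 header block in wire order, the kind of check one would put in a front proxy filter or a regression test for an unpatched server. Two things in it are assumptions the report does not state: the per-field size accounting (name length + value length + 32 octets, the RFC 7540 section 6.5.2 header-list rule) and the sample header blocks, which are constructed here.

```python
"""Classify an HTTP/2 header block against the CVE-2023-1428 trigger
conditions listed in the bug report.

Added example; not part of gRPC. It follows the report literally: one of
the three offending headers must appear, and a *later* header must push
the cumulative size of the block past 8 KB.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Header = Tuple[str, str]

HEADER_SIZE_LIMIT = 8 * 1024  # "past 8KB" in the report
FIELD_OVERHEAD = 32           # assumption: RFC 7540 §6.5.2 per-field accounting


@dataclass
class Verdict:
    would_abort: bool                # all trigger conditions met
    reason: Optional[str]            # which of the three headers matched
    bad_index: Optional[int]         # position of that header in the block
    crossed_at_index: Optional[int]  # later header at which size passed 8 KB
    total_bytes: int                 # accounted size of the whole block


def bad_header_reason(name: str, value: str) -> Optional[str]:
    """Return why a single header matches one of the three triggers, else None."""
    name = name.lower()  # HTTP/2 field names are lowercase on the wire; normalize anyway
    if name == "te" and value != "trailers":
        return "te header with a value other than 'trailers'"
    if name == ":scheme" and value not in ("http", "https"):
        return ":scheme other than http/https"
    if name == "grpclb_client_stats":
        return "grpclb_client_stats header present (any value)"
    return None


def field_size(name: str, value: str) -> int:
    """Size of one field under the assumed RFC 7540 header-list accounting."""
    return len(name.encode()) + len(value.encode()) + FIELD_OVERHEAD


def classify(headers: List[Header]) -> Verdict:
    """Walk the block in wire order and report whether it would have hit the
    reachable assertion: an offending header, then a later header at which
    the running total exceeds HEADER_SIZE_LIMIT."""
    total = 0
    reason: Optional[str] = None
    bad_index: Optional[int] = None
    crossed_at: Optional[int] = None
    for idx, (name, value) in enumerate(headers):
        total += field_size(name, value)
        if bad_index is None:
            reason = bad_header_reason(name, value)
            if reason is not None:
                bad_index = idx
            # Per the report the size must be crossed by a *later* header,
            # so the offending header itself crossing 8 KB does not count.
            continue
        if crossed_at is None and total > HEADER_SIZE_LIMIT:
            crossed_at = idx
    return Verdict(crossed_at is not None, reason, bad_index, crossed_at, total)


def sample_trigger_block() -> List[Header]:
    """Constructed block: ordinary gRPC pseudo-headers, a bad `te`, then one
    large custom-metadata header that carries the total past 8 KB."""
    return [
        (":method", "POST"),
        (":scheme", "https"),
        (":path", "/helloworld.Greeter/SayHello"),
        (":authority", "example.invalid"),
        ("content-type", "application/grpc"),
        ("te", "x"),                      # trigger: te != trailers
        ("x-padding-bin", "A" * 8200),    # later header crossing the limit
    ]


def sample_benign_block() -> List[Header]:
    """Same constructed block with the `te` header a gRPC client actually sends."""
    block = sample_trigger_block()
    block[5] = ("te", "trailers")
    return block


if __name__ == "__main__":
    for label, block in (("trigger", sample_trigger_block()),
                         ("benign", sample_benign_block())):
        print(label, classify(block))
```

A proxy using this would reset the stream (or answer with an HTTP 400) before forwarding a block for which `would_abort` is true, rather than trying to rewrite the offending header; rewriting `:scheme` or `te` changes request semantics for the upstream.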

Comment 1 Avinash Hanwate 2023-06-13 06:10:00 UTC
Created flatbuffers tracking bugs for this issue:

Affects: fedora-all [bug 2214475]


Created grpc tracking bugs for this issue:

Affects: fedora-all [bug 2214474]
Affects: openstack-rdo [bug 2214476]

Comment 4 Ben Beasley 2023-06-16 15:06:52 UTC
Initial analysis in https://bugzilla.redhat.com/show_bug.cgi?id=2214474#c2.

TLDR: It doesn’t look like the fix can be reliably backported to the packaged version; updating to a new enough version in Rawhide will require protobuf to be updated to 4.x (22.x/23.x), which is desirable but will probably impact a lot of packages; and updating to a new enough version in F38/F37/EPEL9 will not be possible due to the protobuf 4.x requirement and because the update would be ABI- and API-incompatible.

I’ve closed the flatbuffers bug because I verified that flatbuffers doesn’t bundle any of the grpc source files that were changed upstream to fix this issue. https://bugzilla.redhat.com/show_bug.cgi?id=2214475#c2