Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the option `no_unions` for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to `FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards. References: https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh https://github.com/nanopb/nanopb/issues/615 Upstream patch: https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c
External References: https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh
ServiceMesh 1.1.x uses envoy v1.12.6, ServiceMesh 2.0.x uses envoy v1.14.5 This only affects ServiceMesh 1.1.x as after envoy 1.13.0 nanopd was removed.
On further investigation, whilst OSSM 1.1.x does package an affected version, to be vulnerable the code must first define PB_ENABLE_MALLOC as for the issue to occur the function pb_release_union_field must be called first which is only available in the ifdef. As OSSM does not set PB_ENABLE_MALLOC whilst it packages a vulnerable library it is not affected by this vulnerability and is set to wontfix.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-26243
Statement: OpenShift ServiceMesh (OSSM) packages a vulnerable version of nanopb in the RPM servicemesh-proxy, however it does not define PB_ENABLE_MALLOC and hence the code in pb_release_union_field is never reached. As such, OSSM is deemed to be of Moderate impact and marked wontfix at this time although it may be fixed in a future update.