1902065 – (CVE-2020-26243) CVE-2020-26243 nanopb: oneof fields with PB_ENABLE_MALLOC can leak memory

Bug 1902065 (CVE-2020-26243) - CVE-2020-26243 nanopb: oneof fields with PB_ENABLE_MALLOC can leak memory

Summary: CVE-2020-26243 nanopb: oneof fields with PB_ENABLE_MALLOC can leak memory

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-26243
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1901975
TreeView+	depends on / blocked

Reported:	2020-11-26 17:24 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-02-16 18:50 UTC (History)
CC List:	2 users (show)
See Also:	https://issues.redhat.com/browse/MAISTRA-2020
Fixed In Version:	nanopb 0.3.9.7, nanopb 0.4.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found nanopd. If dynamic allocation is enabled and the oneof field contains a static sub-message, an attacker can use this flaw to leak memory potentially resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2020-11-30 11:34:47 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-11-26 17:24:55 UTC

Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the option `no_unions` for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to `FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards.

References:
https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh
https://github.com/nanopb/nanopb/issues/615

Upstream patch:
https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c

Comment 1 Mark Cooper 2020-11-30 03:27:52 UTC

External References:

https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh

Comment 2 Mark Cooper 2020-11-30 05:29:48 UTC

ServiceMesh 1.1.x uses envoy v1.12.6, ServiceMesh 2.0.x uses envoy v1.14.5

This only affects ServiceMesh 1.1.x as after envoy 1.13.0 nanopd was removed.

Comment 4 Mark Cooper 2020-11-30 07:11:57 UTC

On further investigation, whilst OSSM 1.1.x does package an affected version, to be vulnerable the code must first define PB_ENABLE_MALLOC as for the issue to occur the function pb_release_union_field must be called first which is only available in the ifdef. 

As OSSM does not set PB_ENABLE_MALLOC whilst it packages a vulnerable library it is not affected by this vulnerability and is set to wontfix.

Comment 6 Product Security DevOps Team 2020-11-30 11:34:47 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-26243

Comment 9 Mark Cooper 2020-12-07 13:40:19 UTC

Statement:

OpenShift ServiceMesh (OSSM) packages a vulnerable version of nanopb in the RPM servicemesh-proxy, however it does not define PB_ENABLE_MALLOC and hence the code in pb_release_union_field is never reached. As such, OSSM is deemed to be of Moderate impact and marked wontfix at this time although it may be fixed in a future update.

Note You need to log in before you can comment on or make changes to this bug.