Google Open Source Software CVEs

CVE IDs are in reverse-chronological order of publication.

CVE ID Entry information
CVE-2022-3510
Publication date
2022-Nov-11
Title
Parsing issue in protobuf message-type extension
Description
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions, in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
CVSS 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Products impacted by versions
Protobuf-Java and JavaLite < 3.21.7
Protobuf-Java and JavaLite < 3.20.3
Protobuf-Java and JavaLite < 3.19.6
Protobuf-Java and JavaLite < 3.16.3
References
Credit
No credit available
CVE-2022-3509
Publication date
2022-Nov-01
Title
Parsing issue in protobuf textformat
Description
A parsing issue similar to CVE-2022-3171, but with TextFormat, in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
CVSS 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Products impacted by versions
Protobuf-Java and JavaLite < 3.21.7
Protobuf-Java and JavaLite < 3.20.3
Protobuf-Java and JavaLite < 3.19.6
Protobuf-Java and JavaLite < 3.16.3
References
Credit
No credit available
CVE-2022-3095
Publication date
2022-Oct-27
Title
Incorrect parsing of the backslash characters in Dart library
Description
The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WHATWG URL standard. Dart uses the RFC 3986 syntax, which creates incompatibilities in how the '\' character in URIs is handled; this can lead to authentication bypass in web applications that interpret URIs. We recommend updating Dart or Flutter to mitigate the issue.
CVSS 9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Products impacted by versions
Dart < 2.18.2
Dart < 3.3.3
References
Credit
Sohom Datta, Cryptonite, MIT Manipal
CVE-2022-3474
Publication date
2022-Oct-26
Title
Bazel leaks user credentials through the remote assets API
Description
Bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the ones required for the requests. We recommend upgrading to versions later than or equal to 5.3.2 or 4.2.3.
CVSS 3.5 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Products impacted by versions
Bazel < 5.3.2
Bazel < 4.2.3
Bazel > 3.0.0
References
Credit
CVE-2022-3171
Publication date
2022-Oct-24
Title
Memory handling vulnerability in ProtocolBuffers Java core and lite
Description
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
CVSS 4.3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Products impacted by versions
Protocolbuffers < 3.21.7
Protocolbuffers < 3.20.3
Protocolbuffers < 3.19.6
Protocolbuffers < 3.16.3
References
Credit
No credit available
CVE-2022-1941
Publication date
2022-Sep-22
Title
Out of Memory issue in ProtocolBuffers for cpp and python
Description
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
CVSS 5.7
Products impacted by versions
protobuf-cpp <= 3.16.1
protobuf-cpp <= 3.17.3
protobuf-cpp <= 3.18.2
protobuf-cpp <= 3.19.4
protobuf-cpp <= 3.20.1
protobuf-cpp <= 3.21.5
protobuf-python <= 3.16.1
protobuf-python <= 3.17.3
protobuf-python <= 3.18.2
protobuf-python <= 3.19.4
protobuf-python <= 3.20.1
protobuf-python <= 4.21.5
References
Credit
CVE-2022-1798
Publication date
2022-Sep-15
Title
Path Traversal vulnerability in KubeVirt
Description
A path traversal vulnerability in KubeVirt versions up to 0.56 (and 0.55.1) on all platforms allows a user who is able to configure KubeVirt to read arbitrary files on the host filesystem that are publicly readable or readable by UID 107 or GID 107. /proc/self/<> is not accessible.
CVSS 8.7
Products impacted by versions
Kubevirt < 0.55.1
Kubevirt < 0.56.0
References
Credit
Oliver Brooks and James Klopchic of NCC Group
Diane Dubois and Roman Mohr of Google
CVE-2022-0882
Publication date
2022-May-05
Title
Illegal access to Kernel log in Fuchsia
Description
A bug exists where an attacker can read the kernel log through exposed Zircon kernel addresses without the required capability ZX_RSRC_KIND_ROOT. It is recommended to upgrade the Fuchsia kernel to 4.1.1 or greater.
CVSS 5.3
Products impacted by versions
Fuchsia Kernel < 4.1.1
References
Credit
No credit available
CVE-2022-0343
Publication date
2022-Mar-29
Title
Local Privilege escalation in Perfetto Dev scripts
Description
A local attacker, acting as a different local user, may be able to send an HTTP request to 127.0.0.1:10000 after the user (typically a developer) has manually invoked the ./tools/run-dev-server script. It is recommended to upgrade to any version beyond 24.2.
CVSS 3.3
Products impacted by versions
Perfetto Dev Scripts <= 24.2
References
Credit
No credit available
CVE-2022-25326
Publication date
2022-Feb-25
Title
Denial of Service in fscrypt
Description
fscrypt through v0.3.2 creates a world-writable directory by default when setting up a filesystem, allowing unprivileged users to exhaust filesystem space. We recommend upgrading to fscrypt 0.3.3 or above and adjusting the permissions on existing fscrypt metadata directories where applicable.
CVSS 5.5
Products impacted by versions
fscrypt <= 0.3.2
References
Credit
Matthias Gerstner of SUSE
CVE-2022-25327
Publication date
2022-Feb-25
Title
Local Denial of Service in fscrypt PAM module
Description
The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating an fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above.
CVSS 5.5
Products impacted by versions
fscrypt <= 0.3.2
References
Credit
Matthias Gerstner of SUSE
CVE-2022-25328
Publication date
2022-Feb-25
Title
Privilege escalation through command injection in fscrypt
Description
The bash_completion script for fscrypt allows injection of commands via crafted mountpoint paths, allowing privilege escalation under a specific set of circumstances. A local user who has control over mountpoint paths could potentially escalate their privileges if they create a malicious mountpoint path and if the system administrator happens to be using the fscrypt bash completion script to complete mountpoint paths. We recommend upgrading to version 0.3.3 or above.
CVSS 5
Products impacted by versions
fscrypt <= 0.3.2
References
Credit
Matthias Gerstner of SUSE
CVE-2022-0451
Publication date
2022-Feb-18
Title
Auth bypass in Dart SDK
Description
The Dart SDK contains the HttpClient in the dart:io library, which includes authorization headers when handling cross-origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirection logic. If a request is sent to example.com with an authorization header and it redirects to an attacker's site, the user might not expect the attacker's site to receive the authorization header. We recommend updating the Dart SDK to version 2.16.0 or beyond.
CVSS 6.5
Products impacted by versions
Dart SDK < 2.16.0
References
Credit
No credit available
CVE-2022-0317
Publication date
2022-Jan-31
Title
Improper Input Validation in AKPublic.Verify in go-attestation
Description
An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured boot. We recommend upgrading to version 0.4.0 or above.
CVSS 4
Products impacted by versions
go-attestation < 0.4.0
References
Credit
Nikki VonHollen
CVE-2022-0247
Publication date
2022-Jan-25
Title
Write access to VMO data through copy-on-write in Fuchsia
Description
An issue exists in Fuchsia where VMO data can be modified through access to copy-on-write snapshots. A local attacker could modify objects in the VMO that they do not have permission to modify. We recommend upgrading past commit d97c05d2301799ed585620a9c5c739d36e7b5d3d or any of the listed versions.
CVSS 7.5
Products impacted by versions
Fuchsia < 4.1
References
Credit
No credit available