Patch protobuf CVE-2022-1941 #25490

msandstedt · 2023-03-06T15:31:06Z

Some tooling is using a version of protobuf with a known vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-1941

Change requirements to use the patched version.

Fixes #25489

msandstedt · 2023-03-06T17:02:13Z

It looks like we need to update pigweed as well. PR for that is here: google/pigweed#12.

github-actions · 2023-03-06T17:43:19Z

PR #25490: Size comparison from 6dd5294 to b51076e

Full report (1 build for cc32xx)

platform	target	config	section	`6dd5294`	`b51076e`
cc32xx	lock	CC3235SF_LAUNCHXL		0	0
			(read only)	643465	643465
			(read/write)	203688	203688
			.ARM.attributes	44	44
			.ARM.exidx	8	8
			.bss	197088	197088
			.comment	194	194
			.data	1480	1480
			.debug_abbrev	930213	930213
			.debug_aranges	87336	87336
			.debug_frame	300024	300024
			.debug_info	20262927	20262927
			.debug_line	`2657822`	`2657822`
			.debug_loc	2800026	2800026
			.debug_ranges	282240	282240
			.debug_str	3023883	3023883
			.ramVecs	780	780
			.resetVecs	64	64
			.rodata	105929	105929
			.shstrtab	232	232
			.stab	204	204
			.stabstr	441	441
			.stack	2048	2048
			.strtab	378514	378514
			.symtab	256560	256560
			.text	535412	535412

github-actions · 2023-03-06T19:43:24Z

PR #25490: Size comparison from d44b6a6 to f8b6d47

Decreases (1 build for cc32xx)

platform	target	config	section	`d44b6a6`	`f8b6d47`	change	% change
cc32xx	lock	CC3235SF_LAUNCHXL	.debug_info	20262928	20262927	-1	-0.0

Full report (3 builds for cc32xx, qpg)

platform	target	config	section	`d44b6a6`	`f8b6d47`	change	% change
cc32xx	lock	CC3235SF_LAUNCHXL		0	0	0	0.0
			(read only)	643465	643465	0	0.0
			(read/write)	203688	203688	0	0.0
			.ARM.attributes	44	44	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	197088	197088	0	0.0
			.comment	194	194	0	0.0
			.data	1480	1480	0	0.0
			.debug_abbrev	930213	930213	0	0.0
			.debug_aranges	87336	87336	0	0.0
			.debug_frame	300024	300024	0	0.0
			.debug_info	20262928	20262927	-1	-0.0
			.debug_line	`2657822`	`2657822`	0	0.0
			.debug_loc	2800026	2800026	0	0.0
			.debug_ranges	282240	282240	0	0.0
			.debug_str	3023883	3023883	0	0.0
			.ramVecs	780	780	0	0.0
			.resetVecs	64	64	0	0.0
			.rodata	105929	105929	0	0.0
			.shstrtab	232	232	0	0.0
			.stab	204	204	0	0.0
			.stabstr	441	441	0	0.0
			.stack	2048	2048	0	0.0
			.strtab	378514	378514	0	0.0
			.symtab	256560	256560	0	0.0
			.text	535412	535412	0	0.0
qpg	lighting-app	qpg6105+debug	(read/write)	1151820	1151820	0	0.0
			.bss	99812	99812	0	0.0
			.data	852	852	0	0.0
			.text	598916	598916	0	0.0
	lock-app	qpg6105+debug	(read/write)	1118868	1118868	0	0.0
			.bss	96292	96292	0	0.0
			.data	864	864	0	0.0
			.text	565968	565968	0	0.0

Some tooling is using a version of protobuf with a known vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-1941 Change requirements to use the patched version. Fixes project-chip#25489

github-actions · 2023-03-07T18:52:56Z

PR #25490: Size comparison from 4203370 to 1d07436

Full report (1 build for cc32xx)

platform	target	config	section	`4203370`	`1d07436`
cc32xx	lock	CC3235SF_LAUNCHXL		0	0
			(read only)	644425	644425
			(read/write)	203688	203688
			.ARM.attributes	44	44
			.ARM.exidx	8	8
			.bss	197088	197088
			.comment	194	194
			.data	1480	1480
			.debug_abbrev	930235	930235
			.debug_aranges	87336	87336
			.debug_frame	300028	300028
			.debug_info	`2026706`	`2026706`
			.debug_line	2659698	2659698
			.debug_loc	2802749	2802749
			.debug_ranges	282952	282952
			.debug_str	3023892	3023892
			.ramVecs	780	780
			.resetVecs	64	64
			.rodata	105929	105929
			.shstrtab	232	232
			.stab	204	204
			.stabstr	441	441
			.stack	2048	2048
			.strtab	378514	378514
			.symtab	256624	256624
			.text	536372	536372

msandstedt · 2023-03-08T02:58:18Z

I succeeded in getting the protobuf patch upstreamed to https://pigweed.googlesource.com/pigweed/pigweed. However, pulling in the newest upstream pigweed now breaks a couple of our builds.

Do we have any resident pigweed experts?

andy31415 · 2023-03-20T20:43:27Z

I succeeded in getting the protobuf patch upstreamed to https://pigweed.googlesource.com/pigweed/pigweed. However, pulling in the newest upstream pigweed now breaks a couple of our builds.

Do we have any resident pigweed experts?

#25351 is working towards that. https://pigweed.dev/docs/getting_started.html says there is a chatroom as well for direct asking. Wyatt is the owner for #25351

stale · 2023-05-20T11:24:22Z

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale · 2023-06-23T01:18:54Z

This stale pull request has been automatically closed. Thank you for your contributions.

github-actions bot added the scripts label Mar 6, 2023

pullapprove bot requested review from yufengwangca and yunhanw-google March 6, 2023 15:31

pullapprove bot added review - pending scripts and removed scripts labels Mar 6, 2023

msandstedt force-pushed the patch-CVE-2022-1941 branch from 0a43aa5 to 31a947d Compare March 6, 2023 15:31

jmeg-sfy approved these changes Mar 6, 2023

View reviewed changes

andy31415 approved these changes Mar 6, 2023

View reviewed changes

pullapprove bot added review - approved and removed review - pending labels Mar 6, 2023

yunhanw-google approved these changes Mar 6, 2023

View reviewed changes

msandstedt force-pushed the patch-CVE-2022-1941 branch from b51076e to f8b6d47 Compare March 6, 2023 19:15

bzbarsky-apple approved these changes Mar 6, 2023

View reviewed changes

msandstedt force-pushed the patch-CVE-2022-1941 branch from f8b6d47 to 6e3e914 Compare March 7, 2023 17:49

msandstedt added 2 commits March 7, 2023 11:50

Patch protobuf CVE-2022-1941

e1c7a45

Some tooling is using a version of protobuf with a known vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-1941 Change requirements to use the patched version. Fixes project-chip#25489

update pigweed submodule to pull in protobuf version change

1d07436

msandstedt force-pushed the patch-CVE-2022-1941 branch from 6e3e914 to 1d07436 Compare March 7, 2023 17:51

pullapprove bot requested review from joonhaengHeo and younghak-hwang March 8, 2023 03:58

msandstedt mentioned this pull request Mar 14, 2023

Bump protobuf from 3.20.1 to 3.20.2 in /scripts/setup #25038

Closed

stale bot added the stale Stale issue or PR label May 20, 2023

stale bot closed this Jun 23, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Patch protobuf CVE-2022-1941 #25490

Patch protobuf CVE-2022-1941 #25490

msandstedt commented Mar 6, 2023

msandstedt commented Mar 6, 2023

github-actions bot commented Mar 6, 2023

github-actions bot commented Mar 6, 2023

github-actions bot commented Mar 7, 2023

msandstedt commented Mar 8, 2023

andy31415 commented Mar 20, 2023

stale bot commented May 20, 2023

stale bot commented Jun 23, 2023

Patch protobuf CVE-2022-1941 #25490

Patch protobuf CVE-2022-1941 #25490

Conversation

msandstedt commented Mar 6, 2023

msandstedt commented Mar 6, 2023

github-actions bot commented Mar 6, 2023

github-actions bot commented Mar 6, 2023

github-actions bot commented Mar 7, 2023

msandstedt commented Mar 8, 2023

andy31415 commented Mar 20, 2023

stale bot commented May 20, 2023

stale bot commented Jun 23, 2023