[security] Vulnerability in google.golang.org/protobuf

[Damien Neil]

Hello gophers,

Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in the google.golang.org/protobuf/encoding/protojson package which could cause the Unmarshal function to enter an infinite loop when handling some invalid inputs. This condition could only occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown option is set. Unmarshal now correctly returns an error when handling these inputs.

This is CVE-2024-24786.

- Damien, on behalf of the Go team.

[Damien Neil]

On Tue, Mar 5, 2024 at 11:19 AM Damien Neil <dn...@google.com> wrote:

Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in the google.golang.org/protobuf/encoding/protojson package which could cause the Unmarshal function to enter an infinite loop when handling some invalid inputs. This condition could only occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown option is set. Unmarshal now correctly returns an error when handling these inputs.

A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown option is set (as well as when unmarshaling into any message which contains a google.protobuf.Any). There is no UnmarshalUnknown option.

In addition, version 1.33.0 of google.golang.org/protobuf inadvertently introduced an incompatibility with the older github.com/golang/protobuf module. (https://github.com/golang/protobuf/issues/1596) Users of the older module should update to github.com/golang/prot...@v1.5.4.

- Damien, apologetically on behalf of the Go team.