Nanopb 0.4.9.1 bugfix release


Petteri Aimonen

Dec 1, 2024, 6:23:29 AM
to nanopb groups
Hi,

Nanopb 0.4.9.1 has been released:
https://jpa.kapsi.fi/nanopb/download/

nanopb-0.4.9.1 (2024-12-01)
Fix memory not released on error return from pb_decode_ex() (GHSA-xwqq-qxmw-hj5r)
Fix deprecated MakeClass() call in generator (#1015)
Fix compiler error with enums and --c-style (#1014)
Fix version conflict with bazel build rules (#1034)

This release is a bugfix-only maintenance release.
It contains a fix for a potential security issue that occurs when all of these conditions apply:

* Affects nanopb versions 0.4.0 to 0.4.9.
* Compile time option PB_ENABLE_MALLOC is enabled.
* Message contains at least one field with FT_POINTER field type.
* Custom stream callback is used with unknown stream length (stream.bytes_left = SIZE_MAX)
* pb_decode_ex() function is used with flag PB_DECODE_DELIMITED.
* The input message is corrupted (accidentally or maliciously) in the length prefix.

Maximum impact is denial of service through memory leak.
Workaround is to call pb_release() even if pb_decode_ex() returns with an error.
For more details see https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r

SHA-256 sums:

882cd8473ad932b24787e676a808e4fb29c12e086d20bcbfbacc66c183094b5c nanopb-0.4.9.1.tar.gz
951a9ab2385424a4cdf245d0c84f4c88c6ccbc65a0dade4b246d50c068f24128 nanopb-0.4.9.1-linux-x86.tar.gz
a6c0befd9b546953fb9d7525d467c273873cb899c2b0a1b3142a189fb1916459 nanopb-0.4.9.1-macosx-x86.tar.gz
2938c3785544ce87eb9892d236afb7cb0ff512f8eda898eb28eb21741434a0c7 nanopb-0.4.9.1-windows-x86.zip

--
Petteri
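
A heuristic triage script for the conditions listed in the announcement, added here as an example; it is not part of the original message or of nanopb. The regular expressions, the sample file names and the `Telemetry` message are assumptions made for illustration, and the scan is meant to be run over an application's own sources and build files.

```python
import re

# Heuristic source patterns for the conditions listed in the announcement.
# The last condition (corrupted length prefix) depends on the input, not on
# the code, so it is assumed possible and not checked here.
CONDITIONS = {
    "PB_ENABLE_MALLOC enabled": r"(#\s*define\s+|-D)PB_ENABLE_MALLOC\b",
    "field with FT_POINTER type": r"\bFT_POINTER\b",
    "stream.bytes_left = SIZE_MAX": r"bytes_left\s*=\s*SIZE_MAX\b",
    "pb_decode_ex() with PB_DECODE_DELIMITED":
        r"\bpb_decode_ex\s*\([^;]*\bPB_DECODE_DELIMITED\b",
}

def strip_c_comments(text):
    """Drop /* */ and // comments so a commented-out #define does not count."""
    return re.sub(r"/\*.*?\*/|//[^\n]*", "", text, flags=re.S)

def triage(version, sources):
    """version: nanopb version string; sources: {path: file text}."""
    code = {path: strip_c_comments(text) for path, text in sources.items()}
    v = tuple(int(n) for n in re.findall(r"\d+", version))
    in_range = (0, 4, 0) <= v <= (0, 4, 9)  # 0.4.9.1 compares above 0.4.9
    hits = {"nanopb 0.4.0 to 0.4.9": [version] if in_range else []}
    for label, pattern in CONDITIONS.items():
        hits[label] = sorted(p for p, t in code.items() if re.search(pattern, t))
    # A file that decodes delimited messages but never mentions pb_release()
    # cannot contain the workaround described in the announcement.
    decoders = hits["pb_decode_ex() with PB_DECODE_DELIMITED"]
    no_release = [p for p in decoders if "pb_release" not in code[p]]
    return {"exposed": all(hits.values()), "conditions": hits,
            "no_pb_release": no_release}

# Constructed sample project (file and message names are made up).
SAMPLE = {
    "config/pb_config.h": "#define PB_ENABLE_MALLOC 1\n",
    "proto/telemetry.options": "Telemetry.payload type:FT_POINTER\n",
    "src/rx.c": (
        "stream.bytes_left = SIZE_MAX;\n"
        "if (!pb_decode_ex(&stream, Telemetry_fields, &msg, PB_DECODE_DELIMITED))\n"
        "    return false;  /* error path without pb_release() */\n"
    ),
}

if __name__ == "__main__":
    for ver in ("0.4.9", "0.4.9.1"):
        result = triage(ver, SAMPLE)
        print(ver, "exposed" if result["exposed"] else "not exposed",
              "| decode sites without pb_release():", result["no_pb_release"])
```

A positive result only means every listed condition has a textual match; a decode site whose flags or stream length are set through a variable or an initializer will not be matched and still needs a manual look.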