Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] #2323

Closed

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
google.golang.org/protobuf v1.23.0 -> v1.33.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-24786

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.


Infinite loop in JSON unmarshaling in google.golang.org/protobuf

CGA-2vgr-6mqh-4r48 / CGA-v9cm-f6x8-5vj7 / CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

CGA-2vgr-6mqh-4r48 / CGA-v9cm-f6x8-5vj7 / CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

v1.33.0

Compare Source

v1.32.0

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See https://github.com/golang/protobuf/issues/1583 and https://github.com/golang/protobuf/issues/1584 for details.

v1.31.0

Compare Source

Notable changes

New Features

  • CL/489316: types/dynamicpb: add NewTypes
    • Add a function to construct a dynamic type registry from a protoregistry.Files
  • CL/489615: encoding: add MarshalAppend to protojson and prototext

Minor performance improvements

  • CL/491596: encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one
  • CL/500695: proto: store the size of tag to avoid multiple calculations

Bug fixes

  • CL/497935: internal/order: fix sorting of synthetic oneofs to be deterministic
  • CL/505555: encoding/protodelim: fix handling of io.EOF

v1.30.0

Compare Source

Announcement
In the previous two releases, v1.29.0 and v1.29.1, we associated the tags with the wrong commits and thus the tags do not reference any commit in this repository. This tag, v1.30.0, refers to an existing commit again. Sorry for the inconvenience.

Notable changes

New Features

  • CL/449576: protoadapt: helper functions to convert v1 or v2 message to either v1 or v2 message.

v1.29.1

Compare Source

Notable changes

Bug fixes

  • CL/475995: internal/encoding/text: fix parsing of incomplete numbers

v1.29.0

Compare Source

Overview

This version introduces a new package protodelim to marshal and unmarshal size-delimited messages.
It also brings the implementation up to date with the latest protobuf features.

Notable changes

New Features

  • CL/419254: encoding: add protodelim package
  • CL/450775: reflect/protoreflect: add Value.Equal method
  • CL/462315: cmd/protoc-gen-go: make deprecated messages more descriptive
  • CL/473015: encoding/prototext: allow whitespace and comments between minus sign and number in negative numeric literal

Alignment with protobuf

  • CL/426054: types/descriptorpb: update *.pb.go to use latest protoc release, 21.5
  • CL/425554: encoding/protojson: fix parsing of google.protobuf.Timestamp
  • CL/461238: protobuf: remove the check for reserved field numbers
  • CL/469255: types/descriptorpb: regenerate using latest protobuf v22.0 release
  • CL/472696: cmd/protoc-gen-go: support protobuf retention feature

Documentation improvements:

  • CL/464275: proto: document Equal behavior of invalid messages
  • CL/466375: all: update links to Protocol Buffer documentation

Minor performance improvements

  • CL/460215: types/known/structpb: preallocate map in AsMap
  • CL/465115: internal/strs: avoid unnecessary allocations in Builder

Breaking changes

  • CL/461238: protobuf: remove the check for reserved field numbers
    • protowire.(Number).IsValid() no longer returns false for reserved fields because reserved fields are considered semantically valid by the protobuf spec.

v1.28.1

Compare Source

This release contains protoc-gen-go binaries for arm64.

Notable changes since v1.28.0:

  • CL/418677: internal/impl: improve MessageInfo.New performance
  • CL/411377: proto: short-circuit Equal when inputs are identical
  • CL/419714: all: Add prebuild binaries for arm64

v1.28.0

Compare Source

Overview

The release provides a new unmarshal option for limiting the recursion depth when unmarshalling nested messages to prevent stack overflows. (UnmarshalOptions.RecursionLimit).

Notable changes

New features:

  • CL/340489: testing/protocmp: add Message.Unwrap

Documentation improvements:

  • CL/339569: reflect/protoreflect: add more docs on Value aliasing

Updated supported versions:

UnmarshalOption RecursionLimit
  • CL/385854: all: implement depth limit for unmarshalling

The new UnmarshalOptions.RecursionLimit limits the maximum recursion depth when unmarshalling messages. The limit is applied for nested messages. When messages are nested deeper than the specified limit the unmarshalling will fail. If unspecified, a default limit of 10,000 is applied.

In addition to the configurable limit for message nesting a non-configurable recursion limit for group nesting of 10,000 was introduced.

Upcoming breakage changes

The default recursion limit of 10,000 introduced in the release is subject to change. We want to align this limit with implementations for other languages in the long term. C++ and Java use a limit of 100 which is also the target for the Go implementation.

v1.27.1

Compare Source

Notable changes since v1.27.0:

  • CL/331149: cmd/protoc-gen-go: fix generation of enum defaults

v1.27.0

Compare Source

Overview

The release provides new functionality for iterating through a message using protobuf reflection. There are some minor changes to the code generator.

Notable changes

New features:

  • CL/309669: testing/protopack: add Message.UnmarshalAbductive

Bug fixes:

  • CL/317430: encoding/prototext: fix skipping of unknown fields
  • CL/321529: internal/impl: support typed nil source for Merge of aberrant messages

Generator changes

  • CL/305574: cmd/protoc-gen-go: remove generation of the ExtensionRangeArray method
  • CL/319649: cmd/protoc-gen-go: avoid referencing remote enum values by name
  • CL/316949: compiler/protogen: relax rules for valid import paths
  • CL/306209: cmd/protoc-gen-go: add protoc suffix
Reflectively ranging over a message
  • CL/236540: reflect: add protopath and protorange packages

The new reflect/protorange package supports recursively ranging through all populated fields of a message. There are many use cases for such a feature. See the examples for inspiration.

Upcoming breakage changes

This release removes generation of the ExtensionRangeArray method, as originally announced since the v1.20.0 release on March 2nd, 2020. Our analysis of the entire public module proxy found no static usages of this method. This method is pseudo-internal to the implementation and we expect removal of it to have no material impact. If something is broken by this change, please file an issue and we can consider re-generating this method in a patch release.

There are no new upcoming breaking changes to announce in this release.

v1.26.0

Compare Source

Overview

This release reduces dependencies on other modules, enforces strict behavior with generated Go packages and name conflicts, expands support for aberrant message types, and provides minor new features in protobuf reflection.

Notable changes

New features:

  • CL/242377: proto: add MessageName helper
  • CL/236777: reflect/protoreflect: add MessageFieldTypes
  • CL/239838: reflect/protoreflect: add FieldDescriptor.TextName
  • CL/238000: reflect/protoreflect: improve source information usability

Behavior changes:

  • CL/240017: internal/impl: introduce instability to protoreflect.Message.Range order
  • CL/262681: internal/encoding/text: escape \x7f (DEL) in strings
  • CL/262682: internal/encoding/text: escape Unicode control characters in strings
  • CL/259900: internal/filedesc: remove ProtoLegacyRawDesc method
  • CL/286132: internal/descfmt: always include type name in FormatList
  • CL/302330: cmd/protoc-gen-go: support --help flag
  • CL/301952: cmd/protoc-gen-go: print version to stdout
  • CL/244297: all: return less-specific, but more informative wire unmarshal errors

Bug fixes:

  • CL/247458: testing/protocmp: fix representation of empty bytes
  • CL/241658: testing/prototest: fix suggestion for field name
  • CL/259899: reflect/protodesc: fix round-tripping for package field
  • CL/247737: encoding/protojson: restrict valid values for google.protobuf.Value.number_value
  • CL/246097: types/known/fieldmaskpb: repeated and map fields are only valid in the last position of a path
  • CL/244718: internal/impl: make errInvalidUTF8 be a proto.Error

Performance optimizations:

  • CL/253100: proto/equal: reduce equal scalar value allocation
  • CL/240378: reflect/protoregistry: avoid checking for '/' in FindMessageByName
Reduced dependencies
  • CL/259901: cmd/protoc-gen-go: remove reference to legacy ProtoPackageIsVersion4
  • CL/262679: all: rely on dynamic dependency check for genproto
  • CL/262683: all: remove weak dependency on github.com/golang/protobuf
  • CL/262684: all: add weak dependency on github.com/golang/protobuf
  • CL/235283: all: update protobuf toolchain dependency

Go code generated by protoc-gen-go no longer have a hard dependency on the github.com/golang/protobuf module. In previous releases, the generator would emit a reference to the ProtoPackageIsVersion4 constant to statically enforce that a sufficiently new version of the older module was being linked in. In the last year, most of the Go ecosystem has moved to Go modules, where we can rely on Go modules to enforce a minimum version constraint on the older protobuf module. While there continues to be a cyclic dependency between the github.com/golang/protobuf and google.golang.org/protobuf modules, the cyclic dependency was briefly broken and re-added to clear out the infinitely growing list of go.sum entries.

The module dependency on the google.golang.org/genproto module has been removed. Any program that depends on both google.golang.org/protobuf and google.golang.org/genproto must use at least version cb27e3aa from May 26th, 2020. There is a runtime check at program initialization that panics when too old of a version of the genproto module is being linked into the binary.

The well-known types provided by this module are built from v3.15.3 of the protobuf toolchain.

Require Go import path
  • CL/301953: compiler/protogen: require that the import path be specified

As mentioned in the v1.20.0 release from March 2nd, 2020, the Go generator will require that the Go import path be specified for all .proto files being generated and their transitive dependencies. Since v1.20.0, every occurrence of a .proto file missing a Go import path has resulted in a warning being printed to standard error that this will eventually become a fatal error. The Go import path is normally specified by declaring a go_package option in the .proto file. Alternatively, this can be specified at compile-time with a M flag passed on the command line. See the developer documentation for more information on the go_package option and M flag.

Fatal namespace conflicts
  • CL/235298: reflect/protoregistry: panic upon registration conflicts
  • CL/295349: reflect/protoregistry: add compile-time opt-out for registration conflicts

As mentioned in the v1.20.0 release from March 2nd, 2020, the Go protobuf runtime will fatally fail if it detects the registration of duplicate names. Since v1.20.0, every occurrence of a conflict has resulted in a warning being printed to standard error that this will eventually become a fatal error. See the developer documentation for more information about what a namespace conflict is and how to resolve it.

While it is preferable that the source of the conflict be fixed, the fatal error can be immediately worked around in one of two ways:

  1. At compile time. The default behavior for handling conflicts can be specified at compile time with a linker-initialized variable:
go build -ldflags "-X google.golang.org/protobuf/reflect/protoregistry.conflictPolicy=warn"
  1. At program execution. The behavior for handling conflicts when executing a particular Go binary can be set with an environment variable:
GOLANG_PROTOBUF_REGISTRATION_CONFLICT=warn ./main

This will cause the runtime to use the conflict handling behavior from v1.25.0 and earlier, which is to simply warn about them.

Support for aberrant message types
  • CL/300869: internal/impl: add runtime support for aberrant messages
  • CL/244937: internal/impl: add runtime support for *[]byte unknown representation

This project's compatibility document specifies that we only guarantee runtime compatibility with messages generated by protoc-gen-go. Use of this module's runtime with any other custom message type will have mixed results, ranging from panics, to unspecified behavior, to working correctly. The proper way for custom message types to perfectly work with this module is for the custom type to implement the protoreflect.ProtoMessage interface, which allows a given message implementation to self-describe how its contents should be introspected.

Since some widely depended upon modules have custom message types not generated by protoc-gen-go, we expand support in this module's runtime to be able to handle those aberrant message types. This change should reduce the probability that using one of those modules with this module results in a panic and instead have reasonably correct behavior.

This support is not covered by this project's compatibility guarantee and may be modified or removed in a future version of this module without notice. Custom types must move to supporting protobuf reflection to ensure long-term compatibility.

Upcoming breakage changes

This release makes some potentially disruptive changes that have been announced since the v1.20.0 release on March 2nd, 2020. Not all breaking changes mentioned in the v1.20.0 have been made and may still take effect in a later version of this module.

There are no new upcoming breaking changes to announce in this release.

v1.25.0

Compare Source

Overview

This release provides specialized support for well-known types.

Notable changes

New features:

Minor changes:

  • CL/238002: reflect/protoreflect: optimize Name.IsValid and FullName.IsValid
  • CL/239339: cmd/protoc-gen-go: use of --version flag exits with 0

Bug fixes:

  • CL/236998: encoding/protojson: strict validation of FieldMask serialization
Specialized support for well-known types

This release provides specialized support for well-known types by directly generating methods and functions into the generated package for certain well-known types that improve the usability of such types. The additionally generated APIs are listed below.

Upcoming breakage changes

There are no new upcoming breaking changes to announce in this release.

As a reminder, the following have already been announced and may take effect in the near future:

v1.24.0

Compare Source

Overview

This release moves the generation of well-known types into this module.

Notable changes

New features:

Minor changes:

  • CL/235297: all: add weak dependency on google.golang.org/genproto module

Bug fixes:

  • CL/234697: testing/protopack: fix format precision
Centralized host for all well-known types

This release moves the generation of well-known types (e.g., FieldMask) into this module. Previously, some of the well-known types were generated into the google.golang.org/genproto module. This sets the stage for a future release of this module to provide first-class support for the well-known types.

As a consequence of this migration, this module incurs a weak dependency on the google.golang.org/genproto module. This dependency may be dropped in the distant future, but it will persist for some time to ensure that users of this module use a sufficiently new version of google.golang.org/genproto (if they happen to depend on it) so as to avoid duplicate registration problems with regard to the well-known types.

Upcoming breakage changes

There are no new upcoming breaking changes to announce in this release.

As a reminder, the following have already been announced and may take effect in the near future:


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copy link
Contributor Author

renovate bot commented Aug 6, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
github.com/golang/protobuf v1.4.3 -> v1.5.0

Copy link

github-actions bot commented Aug 6, 2024

Coverage from tests in ./e2e_test/... for ./consensus/istanbul/... at commit 0e41817

coverage: 54.8% of statements across all listed packages
coverage:  68.2% of statements in consensus/istanbul
coverage:  63.3% of statements in consensus/istanbul/announce
coverage:  56.9% of statements in consensus/istanbul/backend
coverage:   0.0% of statements in consensus/istanbul/backend/backendtest
coverage:  24.3% of statements in consensus/istanbul/backend/internal/replica
coverage:  65.2% of statements in consensus/istanbul/core
coverage:  50.0% of statements in consensus/istanbul/db
coverage:   0.0% of statements in consensus/istanbul/proxy
coverage:  64.2% of statements in consensus/istanbul/uptime
coverage:  52.4% of statements in consensus/istanbul/validator
coverage:  79.2% of statements in consensus/istanbul/validator/random

Copy link

github-actions bot commented Aug 6, 2024

5826 passed, 5 failed, 43 skipped

Test failures:
  [build failed]: geth

Failed
  [build failed]: console
Failed
  [build failed]: signer
Failed
  [build failed]: core
Failed
  [build failed]: rules
Failed
This test report was produced by the test-summary action.  Made with ❤️ in Cambridge.

@renovate renovate bot force-pushed the renovate/go-google.golang.org-protobuf-vulnerability branch 2 times, most recently from 4949919 to 94da712 Compare September 19, 2024 10:35
@renovate renovate bot changed the title chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] - autoclosed Nov 5, 2024
@renovate renovate bot closed this Nov 5, 2024
@renovate renovate bot deleted the renovate/go-google.golang.org-protobuf-vulnerability branch November 5, 2024 12:05
@renovate renovate bot changed the title chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] - autoclosed chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] Nov 5, 2024
@renovate renovate bot reopened this Nov 5, 2024
@renovate renovate bot restored the renovate/go-google.golang.org-protobuf-vulnerability branch November 5, 2024 15:37
…urity]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/go-google.golang.org-protobuf-vulnerability branch from 94da712 to 8cadfad Compare November 5, 2024 15:38
@palango
Copy link
Contributor

palango commented Nov 26, 2024

needs other updates, so we won't be merging this.

@palango palango closed this Nov 26, 2024
Copy link
Contributor Author

renovate bot commented Nov 26, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.33.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/go-google.golang.org-protobuf-vulnerability branch November 26, 2024 14:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant