Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-36665 vunerablity in protobufjs >= 6.10.0, < 7.2.4 #879

Closed
letsgolesco opened this issue Jul 11, 2023 · 0 comments · Fixed by #883 or #885
Closed

CVE-2023-36665 vunerablity in protobufjs >= 6.10.0, < 7.2.4 #879

letsgolesco opened this issue Jul 11, 2023 · 0 comments · Fixed by #883 or #885
Assignees
@aabmass
Labels
api: cloudprofiler Issues related to the googleapis/cloud-profiler-nodejs API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@letsgolesco
Copy link

Link to vulnerability report: GHSA-h755-8qp9-cq85

@google-cloud/profiler uses pprof 3.2.0, which in turn uses protobufjs ~7.0.0

The vulnerability has been patched in protobufjs 7.2.4, but pprof still needs to be patched to use the newer version

There's an issue here to track the protobufjs upgrade within pprof: google/pprof-nodejs#256

The pprof version used by @google-cloud/profiler locked to 3.2.0, so it'll need to be bumped when the protobufjs dependency is upgraded

Environment details

  • OS: any
  • Node.js version: any
  • npm version:
  • @google-cloud/profiler version: 5.0.4

Steps to reproduce

  1. Install @google-cloud/profiler
  2. Notice the security vulnerability alert
@letsgolesco letsgolesco added priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Jul 11, 2023
@product-auto-label product-auto-label bot added the api: cloudprofiler Issues related to the googleapis/cloud-profiler-nodejs API. label Jul 11, 2023
@aabmass aabmass self-assigned this Jul 18, 2023
This was referenced Jul 19, 2023
Closed
Merged
aabmass added a commit to aabmass/cloud-profiler-nodejs that referenced this issue Jul 24, 2023
@aabmass
fix(deps): upgrade pprof to v3.2.1 [security]
98966ae 
Fixes googleapis#879, take two of googleapis#883 with correct commit message.

This caused an issue where the proto definitions in `protos/` are incompatible with those returned from pprof. The fix I assumed was to regenerate the protos with `npm run protos`, however this fails because the third_party directory was removed in googleapis#486.

To make things work, I instead just imported the same proto definitions from pprof library. I will delete the now unused `protos/` directory for the next major version release as someone could theoretically have been importing them from build, just to be safe.
@aabmass aabmass mentioned this issue Jul 24, 2023
Merged
aabmass added a commit that referenced this issue Jul 24, 2023
@aabmass
fix(deps): upgrade pprof to v3.2.1 [security] (#885)
c140fe5 
Fixes #879, take two of #883 with correct commit message.

This caused an issue where the proto definitions in `protos/` are incompatible with those returned from pprof. The fix I assumed was to regenerate the protos with `npm run protos`, however this fails because the third_party directory was removed in #486.

To make things work, I instead just imported the same proto definitions from pprof library. I will delete the now unused `protos/` directory for the next major version release as someone could theoretically have been importing them from build, just to be safe.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aabmass aabmass

Labels
api: cloudprofiler Issues related to the googleapis/cloud-profiler-nodejs API. priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
2 participants
@aabmass @letsgolesco