Comment 9 for bug 1956617

Mark Esler (eslerm) wrote:

I reviewed protobuf-c 1.3.3-1 as checked into focal, protobuf-c 1.3.3-1ubuntu2 as checked into jammy, and protobuf-c 1.4.0 from upstream's git repo.

"This is protobuf-c, a C implementation of the Google Protocol Buffers data serialization format. It includes libprotobuf-c, a pure C library that implements protobuf encoding and decoding, and protoc-c, a code generator that converts Protocol Buffer .proto files to C descriptor code, based on [Google's] original protoc."

- CVE History:
  - two recent vulnerabilities
  - one was assigned CVE-2022-33070
  - patched in v1.4.1
- Build-Depends?
  - protobuf
  - ldd /usr/bin/protoc-gen-c
    - linux-vdso.so.1
    - libprotobuf.so.23 => /lib/x86_64-linux-gnu/libprotobuf.so.23
    - libprotoc.so.23 => /lib/x86_64-linux-gnu/libprotoc.so.23
    - libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6
    - libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1
    - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6
    - libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1
    - /lib64/ld-linux-x86-64.so.2
    - libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6
  - ldd /usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1.0.0
    - no additional dependencies
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - /usr/bin/protoc-gen-c
  - protoc-c -> protoc-gen-c
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - requested in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004962
- cron jobs?
  - none
- Build logs:
  - OK
  - No errors. All warnings are trivial.
- Processes spawned?
  - only for documentation generation
- Memory management?
  - See vulnerabilities above
  - Use of memcpy, malloc, free, and memset LGTM
  - An OOB memory access exists in test file
  - Defensive programming reasoning commented throughout code
- File IO?
  - none
- Logging?
  - none
- Environment variable usage?
  - none (outside of debian build scripts)
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - none
  - OOB in a test
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
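The file-layout items of this checklist (binaries in PATH, maintainer scripts, setuid binaries, init scripts, systemd units, dbus services, sudo fragments, polkit files, udev rules, cron jobs) can be mechanised. The helper below is an added example, not code from this review or from protobuf-c; the function names and the directory-to-category mapping are my own assumptions based on the standard Debian file layout, and the sample file list is constructed.

```shell
#!/bin/sh
# Added helper, not part of this review or of protobuf-c: sorts a package's
# installed file list into the MIR checklist categories used above
# (binaries in PATH, init scripts, systemd units, dbus services, sudo
# fragments, polkit files, udev rules, cron jobs). Directory mapping is an
# assumption. Input on stdin, one path per line, e.g. from `dpkg -L <pkg>`.
mir_classify() {
    while IFS= read -r p; do
        case "$p" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*)   printf 'binary-in-path %s\n' "$p" ;;
            /etc/init.d/*)                            printf 'init-script %s\n' "$p" ;;
            /lib/systemd/*|/usr/lib/systemd/*)        printf 'systemd-unit %s\n' "$p" ;;
            /etc/dbus-1/*|/usr/share/dbus-1/*)        printf 'dbus-service %s\n' "$p" ;;
            /etc/sudoers.d/*)                         printf 'sudo-fragment %s\n' "$p" ;;
            /etc/polkit-1/*|/usr/share/polkit-1/*)    printf 'polkit %s\n' "$p" ;;
            /etc/udev/rules.d/*|/lib/udev/rules.d/*|/usr/lib/udev/rules.d/*)
                                                      printf 'udev-rule %s\n' "$p" ;;
            /etc/cron.d/*|/etc/cron.daily/*|/etc/cron.hourly/*|/etc/cron.weekly/*|/etc/cron.monthly/*)
                                                      printf 'cron-job %s\n' "$p" ;;
        esac
    done
    return 0
}

# Maintainer scripts are not in `dpkg -L` output; dpkg keeps them in its info
# directory. Prints which of pre/post inst/rm exist for package $1 under $2.
mir_maint_scripts() {
    pkg=$1; infodir=${2:-/var/lib/dpkg/info}
    for s in preinst postinst prerm postrm; do
        [ -f "$infodir/$pkg.$s" ] && echo "$s"
    done
    return 0
}

# Setuid check: of the paths on stdin, print those that exist with the setuid bit set.
mir_setuid() {
    while IFS= read -r p; do
        [ -u "$p" ] && echo "$p"
    done
    return 0
}

# Constructed sample modelled on the protobuf-c file layout noted in the review.
sample_files='/usr/bin/protoc-gen-c
/usr/bin/protoc-c
/usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1.0.0
/usr/share/doc/libprotobuf-c1/copyright'
printf '%s\n' "$sample_files" | mir_classify
```

On a real system, pipe `dpkg -L <package>` into `mir_classify` and `mir_setuid`, and call `mir_maint_scripts <package>` with the default info directory.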

Packages in Main already use protobuf-c as part of their build (such as sudo). The two recent vulnerabilities in protobuf-c's history were patched promptly. One of the patches is by sudo's maintainer. protobuf-c is also tracked by Google's OSS-Fuzz. The authors of protobuf-c took a lot of care to handle input and protect memory. It is well written and a good candidate for Main.

Security team ACK for promoting protobuf-c to Main.