0ct0pu5/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
48972 commits 14 branches 412 tags 338 MiB
Commit graph

6 commits

Author SHA1 Message Date
Sebastiaan van Stijn
1ca89d7eae
vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4 
full diffs:

- https://github.com/protocolbuffers/protobuf-go/compare/v1.31.0...v1.33.0
- https://github.com/golang/protobuf/compare/v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (https://github.com/golang/protobuf/issues/1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/protobuf@v1.31.0
        Fixed in: google.golang.org/protobuf@v1.33.0
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you
    require.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2024-03-14 13:12:54 +01:00
Sebastiaan van Stijn
73041028b6
vendor: google.golang.org/protobuf v1.31.0 
full diff: https://github.com/protocolbuffers/protobuf-go/compare/v1.30.0...v1.31.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-09-18 18:17:30 +02:00
Sebastiaan van Stijn
d431345bf3
vendor: google.golang.org/protobuf v1.29.1 
full diff: https://github.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.29.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2023-07-19 18:06:02 +02:00
CrazyMax
f1ca793980
use tools build constraint for proto dependencies 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
 2023-05-29 03:13:15 +02:00
Sebastiaan van Stijn
7df7357e08
vendor: cloud.google.com/go v0.92.0, google.golang.org/api v0.54.0 
this removes a `tools.go` from the dependency, which caused various test
dependencies to be ending up in the dependency-tree, and are now gone.

- cloud.google.com/go v0.92.0: https://github.com/googleapis/google-cloud-go/compare/v0.81.0...v0.92.0
- google.golang.org/api v0.54.0: https://github.com/googleapis/google-api-go-client/compare/v0.46.0...v0.54.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2022-03-11 20:01:57 +01:00
Cory Snider
00ba5bdb98 Unpin grpc, protobuf dependencies 
...in preparation for upgrading containerd.

Signed-off-by: Cory Snider <csnider@mirantis.com>
 2022-03-10 17:48:10 -05:00