I reviewed protobuf-c 1.3.3-1 as checked into focal, protobuf-c 1.3.3-1ubuntu2 as checked into jammy, and protobuf-c 1.4.0 from upstream's git repo.
"This is protobuf-c, a C implementation of the Google Protocol Buffers data serialization format. It includes libprotobuf-c, a pure C library that implements protobuf encoding and decoding, and protoc-c, a code generator that converts Protocol Buffer .proto files to C descriptor code, based on [Google's] original protoc."
- CVE History:
  - two recent vulnerabilities
  - one was assigned CVE-2022-33070
  - patched in v1.4.1
- Build-Depends?
  - protobuf
  - ldd /usr/bin/protoc-gen-c
    - linux-vdso.so.1
    - libprotobuf.so.23 => /lib/x86_64-linux-gnu/libprotobuf.so.23
    - libprotoc.so.23 => /lib/x86_64-linux-gnu/libprotoc.so.23
    - libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6
    - libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1
    - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6
    - libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1
    - /lib64/ld-linux-x86-64.so.2
    - libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6
  - ldd /usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1.0.0
    - no additional dependencies
- pre/post inst/rm scripts?
  - none
- init scripts?
  - none
- systemd units?
  - none
- dbus services?
  - none
- setuid binaries?
  - none
- binaries in PATH?
  - /usr/bin/protoc-gen-c
  - protoc-c -> protoc-gen-c
- sudo fragments?
  - none
- polkit files?
  - none
- udev rules?
  - none
- unit tests / autopkgtests?
  - requested in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004962
- cron jobs?
  - none
- Build logs:
  - OK
  - No errors. All warnings are trivial.
- Processes spawned?
  - only for documentation generation
- Memory management?
  - See vulnerabilities above
  - Use of memcpy, malloc, free, and memset LGTM
  - An OOB memory access exists in a test file
  - Defensive programming reasoning commented throughout code
- File IO?
  - none
- Logging?
  - none
- Environment variable usage?
  - none (outside of debian build scripts)
- Use of privileged functions?
  - none
- Use of cryptography / random number sources etc?
  - none
- Use of temp files?
  - none
- Use of networking?
  - none
- Use of WebKit?
  - none
- Use of PolicyKit?
  - none
- Any significant cppcheck results?
  - none
- Any significant Coverity results?
  - none significant; only the OOB in a test file noted above
- Any significant shellcheck results?
  - none
- Any significant bandit results?
  - none
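The checklist above is worked by hand. As an added example (not part of this review and not code from protobuf-c), the POSIX shell helper below classifies an installed file list against the same checklist categories (binaries in PATH, init scripts, systemd units, dbus services, sudo fragments, polkit files, udev rules, cron jobs) and adds a `find` for the setuid check. SAMPLE_FILES is constructed here to mimic the protobuf-c packages; on a real system replace it with the output of `dpkg -L <package>`.

```shell
#!/bin/sh
# Added example, not part of the MIR review or of protobuf-c: classify a
# package's installed file list against the review checklist categories.
# SAMPLE_FILES is constructed to mimic the protobuf-c packages; on a real
# system replace it with the output of `dpkg -L <package>`.

SAMPLE_FILES='/usr/bin/protoc-gen-c
/usr/bin/protoc-c
/usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1
/usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1.0.0
/usr/share/doc/protobuf-c-compiler/copyright
/usr/share/man/man1/protoc-c.1.gz'

# Map one installed path to the checklist category it would trigger.
# First matching pattern wins; anything unmatched is "other".
classify_path() {
  case "$1" in
    /usr/bin/*|/bin/*|/usr/sbin/*|/sbin/*) echo binary-in-PATH ;;
    /lib/systemd/system/*|/usr/lib/systemd/system/*|/etc/systemd/system/*) echo systemd-unit ;;
    /etc/init.d/*) echo init-script ;;
    /usr/share/dbus-1/*|/etc/dbus-1/*) echo dbus-service ;;
    /etc/sudoers.d/*) echo sudo-fragment ;;
    /usr/share/polkit-1/*|/etc/polkit-1/*) echo polkit ;;
    /lib/udev/rules.d/*|/usr/lib/udev/rules.d/*|/etc/udev/rules.d/*) echo udev-rule ;;
    /etc/cron.*) echo cron-job ;;
    *) echo other ;;
  esac
}

# Count the paths in a newline-separated list that fall into one category.
count_category() {
  want="$1"; n=0
  saved_ifs=$IFS; IFS='
'
  for path in $2; do
    if [ "$(classify_path "$path")" = "$want" ]; then n=$((n + 1)); fi
  done
  IFS=$saved_ifs
  echo "$n"
}

# List setuid/setgid files below a directory (the "setuid binaries?" check);
# run it against the package's install root, not the sample list.
find_setuid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Print one line per checklist item, mirroring the review's questions.
report() {
  for category in binary-in-PATH init-script systemd-unit dbus-service \
                  sudo-fragment polkit udev-rule cron-job; do
    printf '%-15s %s\n' "$category" "$(count_category "$category" "$1")"
  done
}

report "$SAMPLE_FILES"
```

The path patterns are a starting point, not an exhaustive list; a package can ship a cron job via a maintainer script or a unit under a vendor directory, so the mechanical pass only tells you where to look, and the maintainer scripts still need to be read.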
Packages in Main already use protobuf-c as part of their build (such as sudo). The two recent vulnerabilities in protobuf-c's history were patched promptly. One of the patches is by sudo's maintainer. protobuf-c is also tracked by Google's OSS-Fuzz. The authors of protobuf-c took a lot of care to handle input and protect memory. It is well written and a good candidate for Main.
Security team ACK for promoting protobuf-c to Main.