Port fix for CVE-2024-24786 #152

Merged 1 commit on Mar 11, 2024

Conversation

tdeebswihart
Contributor

Official description from NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-24786

From the official commit:

encoding/protojson, internal/encoding/json: handle missing object values

In internal/encoding/json, report an error when encountering a }
when we are expecting an object field value. For example, the input
{"":} now correctly results in an error at the closing } token.

In encoding/protojson, check for an unexpected EOF token in
skipJSONValue. This is redundant with the check in internal/encoding/json,
but adds a bit more defense against any other similar bugs that
might exist.

Fixes CVE-2024-24786

Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
TryBot-Bypass: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Commit-Queue: Damien Neil <dneil@google.com>

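The check the commit message describes, as an added example that is not part of this PR or of protobuf-go: a minimal JSON validator, constructed here in Python with arrays and string escapes left out, that reports an error when `}` or end of input arrives where an object field value is expected, so that `{"":}` fails at the closing brace exactly as the commit states (the CVE itself is an infinite loop in protojson.Unmarshal on such malformed input, which is why the missing value must surface as an error rather than being skipped over).

```python
# Constructed for this example (not protobuf-go's internal/encoding/json); arrays and escapes omitted.
class JSONError(ValueError):
    """Raised with the offset at which the input stopped being well-formed."""

def _next(data: str, pos: int):
    """Skip blanks; return the new offset and the character there ('' at EOF)."""
    while pos < len(data) and data[pos] in " \t\r\n":
        pos += 1
    return pos, data[pos] if pos < len(data) else ""

def skip_json(data: str, pos: int = 0) -> int:
    """Validate and skip one value starting at pos; return the offset after it."""
    pos, c = _next(data, pos)
    if c == "":  # the commit's skipJSONValue check: EOF where a value is due
        raise JSONError(f"unexpected EOF at offset {pos}, expected a value")
    if c in "}:,":  # {"":} lands here: a closing token where a value is due
        raise JSONError(f"unexpected {c!r} at offset {pos}, expected a value")
    if c == '"':
        end = data.find('"', pos + 1)
        if end < 0:
            raise JSONError(f"unterminated string at offset {pos}")
        return end + 1
    if c == "{":  # members: "name": value, separated by commas
        pos, c = _next(data, pos + 1)
        if c == "}":
            return pos + 1
        while True:
            if c != '"':
                raise JSONError(f"expected a string key at offset {pos}")
            pos, c = _next(data, skip_json(data, pos))
            if c != ":":
                raise JSONError(f"expected ':' at offset {pos}")
            pos, c = _next(data, skip_json(data, pos + 1))
            if c == "}":
                return pos + 1
            if c != ",":
                raise JSONError(f"expected ',' or '}}' at offset {pos}")
            pos, c = _next(data, pos + 1)
    while pos < len(data) and data[pos] not in ",}: \t\r\n":  # number/true/false/null
        pos += 1
    return pos

def check(data: str) -> str:
    """Return "ok" if data is exactly one well-formed value, else the error."""
    try:
        pos, c = _next(data, skip_json(data))
    except JSONError as err:
        return str(err)
    return "ok" if c == "" else f"trailing data at offset {pos}"
```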
@tdeebswihart tdeebswihart requested review from a team as code owners March 11, 2024 16:43
@tdeebswihart tdeebswihart merged commit 332690c into master Mar 11, 2024
3 checks passed
@tdeebswihart tdeebswihart deleted the protojson/cve-2024-24786 branch March 11, 2024 17:17