Update module google.golang.org/protobuf to v1.33.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
google.golang.org/protobuf	v1.30.0 -> v1.33.0
google.golang.org/protobuf	v1.28.1 -> v1.33.0
google.golang.org/protobuf	v1.27.1 -> v1.33.0

GitHub Vulnerability Alerts

CVE-2024-24786

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

---

Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

CGA-2vgr-6mqh-4r48 / CGA-v9cm-f6x8-5vj7 / CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

• CVSS Score: 6.6 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-24786
• https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023
• https://github.com/protocolbuffers/protobuf-go
• https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0
• https://go.dev/cl/569356
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU
• https://pkg.go.dev/vuln/GO-2024-2611
• https://security.netapp.com/advisory/ntap-20240517-0002
• http://www.openwall.com/lists/oss-security/2024/03/08/4

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Infinite loop in JSON unmarshaling in google.golang.org/protobuf

CGA-2vgr-6mqh-4r48 / CGA-v9cm-f6x8-5vj7 / CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

Unknown

References

• https://go.dev/cl/569356

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

v1.33.0

Compare Source

This release contains one security fix:

• encoding/protojson: Unmarshal could enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. Unmarshal now correctly returns an error when handling these inputs. This is CVE-2024-24786.

v1.32.0

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See golang/protobuf#1583 and golang/protobuf#1584 for details.

v1.31.0

Compare Source

Notable changes

New Features

• CL/489316: types/dynamicpb: add NewTypes
  • Add a function to construct a dynamic type registry from a protoregistry.Files
• CL/489615: encoding: add MarshalAppend to protojson and prototext

Minor performance improvements

• CL/491596: encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one
• CL/500695: proto: store the size of tag to avoid multiple calculations

Bug fixes

• CL/497935: internal/order: fix sorting of synthetic oneofs to be deterministic
• CL/505555: encoding/protodelim: fix handling of io.EOF

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/server/beaver_triple_service/go.sum

Command failed: go get -t ./...
go: github.com/acompany-develop/QuickMPC/proto/common_types@v0.0.0-00010101000000-000000000000 (replaced by ./../proto/common_types): reading ../proto/common_types/go.mod: open /tmp/renovate/repos/github/acompany-develop/QuickMPC/packages/server/proto/common_types/go.mod: no such file or directory

File name: packages/server/manage_container/go.sum

Command failed: go get -t ./...
go: github.com/acompany-develop/QuickMPC/proto/common_types@v0.0.0-20231203214653-87608b4d6aa5 (replaced by ./../proto/common_types): reading ../proto/common_types/go.mod: open /tmp/renovate/repos/github/acompany-develop/QuickMPC/packages/server/proto/common_types/go.mod: no such file or directory