Remediate CVE-2021-21401 by updating to nanopb 0.3.9.8 or higher #7787
Status: Closed
scottluxenberg opened this issue Mar 25, 2021 · 2 comments · Fixed by #7789

@scottluxenberg

[REQUIRED] Step 1: Describe your environment

  • Xcode version: 12.1
  • Firebase SDK version: 7.4.0
  • Installation method: CocoaPods
  • Firebase Component: nanopb

[REQUIRED] Step 2: Describe the problem

CVE-2021-21401: "In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and a non-pointer field." The issue was reported on March 23, 2021, and was resolved with Nanopb 0.3.9.8 or 0.4.5.

Steps to reproduce:

  • Install Firebase 7.4.0 or higher
  • Observe Nanopb is version 0.3.9.7 based on Google spec of Nanopb 2.03097.0
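A small audit helper for the condition the report describes, added here as an example (not code from the issue, Firebase or nanopb): it reads the NANOPB_VERSION define that nanopb's pb.h carries (my assumption about the header's format) and flags any version before the fixed releases named in the advisory, 0.3.9.8 on the 0.3.x line and 0.4.5 on the 0.4.x line.

```python
import re

# First fixed version on each release line, as quoted from the advisory
# text in the issue: 0.3.9.8 for 0.3.x, 0.4.5 for 0.4.x.
FIXED_VERSIONS = {
    (0, 3): (0, 3, 9, 8),
    (0, 4): (0, 4, 5),
}

# Assumption: nanopb's pb.h carries a line such as
#   #define NANOPB_VERSION nanopb-0.3.9.7
# (newer releases quote the string). The regex accepts both forms.
VERSION_RE = re.compile(r'#define\s+NANOPB_VERSION\s+"?nanopb-([0-9.]+)"?')

def parse_version(text):
    """'0.3.9.7' -> (0, 3, 9, 7); any non-digit separators are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def version_from_pb_h(source):
    """Return the upstream nanopb version string found in pb.h, or None."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None

def is_vulnerable(version):
    """True if this version predates the CVE-2021-21401 fix on its line.
    Lines the advisory does not name fall back to a comparison with 0.4.5,
    so anything older than the 0.4.x fix is still flagged."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2], (0, 4, 5))
    return v < fixed

def audit_pb_h(source):
    """(version, vulnerable) for one pb.h body; (None, None) if no define found."""
    version = version_from_pb_h(source)
    if version is None:
        return None, None
    return version, is_vulnerable(version)

# Constructed pb.h fragments standing in for the real header under Pods/nanopb.
SAMPLE_VULNERABLE = "/* pb.h */\n#define NANOPB_VERSION nanopb-0.3.9.7\n"
SAMPLE_FIXED = '#define NANOPB_VERSION "nanopb-0.4.5"\n'

if __name__ == "__main__":
    for body in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        ver, vuln = audit_pb_h(body)
        print(ver, "VULNERABLE" if vuln else "fixed")
```

Point it at the pb.h actually compiled into the app (e.g. the vendored copy in Pods) rather than at the pod name, since the CocoaPods version number does not match the upstream nanopb version string.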
@google-oss-bot

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

@paulb777 (Member)

@scottluxenberg Thanks for the report. The nanopb issue came from us and we're working to update Firebase's nanopb version in our next release.

@firebase firebase locked and limited conversation to collaborators Apr 29, 2021