nanopb is vulnerable to denial of service (DoS). Decoding a specifically formed message can leak memory if dynamic allocation is enabled and a oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | nanopb:sid | eq | 0.4.3-1 |
| | nanopb:bullseye | eq | 0.4.3-1 |

github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt
github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c
github.com/nanopb/nanopb/issues/615
github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh
security-tracker.debian.org/tracker/CVE-2020-26243