CVE-2020-26243

25.11.2020, 17:15

Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the option `no_unions` for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to `FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Vendor	Product	Version
nanopb_project	nanopb	𝑥 < 0.3.9.7
nanopb_project	nanopb	0.4.0 ≤ 𝑥 < 0.4.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

nanopb

bullseye	0.4.4-2 fixed
bookworm	0.4.7-2 fixed
sid	0.4.9-1 fixed
trixie	0.4.9-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

nanopb

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	ignored
focal	Fixed 0.4.1-1ubuntu0.1~esm1 released
bionic	dne
xenial	dne
trusty	dne

Known Exploits!

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt

https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c

https://github.com/nanopb/nanopb/issues/615

https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh

https://github.com/nanopb/nanopb/blob/2b48a361786dfb1f63d229840217a93aae064667/CHANGELOG.txt

https://github.com/nanopb/nanopb/commit/4fe23595732b6f1254cfc11a9b8d6da900b55b0c

https://github.com/nanopb/nanopb/issues/615

https://github.com/nanopb/nanopb/security/advisories/GHSA-85rr-4rh9-hhwh