Remediate CVE-2020-26243 by updating to nanopb 0.3.9.7 or higher #7090

Closed
jszumski opened this issue Dec 3, 2020 · 2 comments · Fixed by #7108

jszumski commented Dec 3, 2020

[REQUIRED] Step 1: Describe your environment

  • Xcode version: 12.0
  • Firebase SDK version: 7.2.0
  • Installation method: CocoaPods
  • Firebase Component: nanopb

[REQUIRED] Step 2: Describe the problem

CVE-2020-26243 "nanopb: oneof fields with PB_ENABLE_MALLOC can leak memory" was reported on Nov. 11 and fixed on Nov. 26 upstream in 0.3.9.7.

Steps to reproduce:

  • Install Firebase 7.2.0
  • Observe that Google's mirror of nanopb uses 2.30906.0 (which equates to nanopb 0.3.9.6)
@google-oss-bot

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

Member

paulb777 commented Dec 3, 2020

@jszumski Thanks for the report. I'll work on it later this month.

@paulb777 paulb777 self-assigned this Dec 3, 2020
@firebase firebase locked and limited conversation to collaborators Jan 11, 2021
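
Added example, not part of the original thread or of Firebase's code: a check for the condition the report describes, reading a Podfile.lock and flagging a nanopb pod that maps to an upstream release older than 0.3.9.7. The lockfile sample is constructed, and the pod-to-upstream decoding is an assumption generalized from the single mapping in the report (2.30906.0 equates to 0.3.9.6).

```python
import re

# Upstream nanopb release that fixes CVE-2020-26243, as stated in the issue.
FIXED_UPSTREAM = (0, 3, 9, 7)

# Top-level "nanopb" entry in the PODS section of a Podfile.lock.
# Subspecs (nanopb/decode) and dependency constraints (= x.y.z) do not match.
_NANOPB_ENTRY = re.compile(
    r'^\s*-\s+"?nanopb \((\d+)\.(\d+)\.(\d+)\)"?:?\s*$', re.MULTILINE
)

# Constructed sample lockfile fragment (not taken from a real project).
SAMPLE_LOCK = """\
PODS:
  - Firebase/Core (7.2.0):
    - Firebase/CoreOnly
  - nanopb (2.30906.0):
    - nanopb/decode (= 2.30906.0)
    - nanopb/encode (= 2.30906.0)
  - nanopb/decode (2.30906.0)
  - nanopb/encode (2.30906.0)
"""


def decode_pod_version(middle):
    """ASSUMPTION: the middle pod component ABBCC encodes upstream 0.A.BB.CC.
    The issue gives one data point only: 2.30906.0 -> 0.3.9.6."""
    minor, rest = divmod(middle, 10000)
    patch, build = divmod(rest, 100)
    return (0, minor, patch, build)


def check_lockfile(text):
    """Return the nanopb pod version, the decoded upstream version, and
    whether that version predates the fix. This is a version check only:
    it cannot tell whether the build enables PB_ENABLE_MALLOC."""
    match = _NANOPB_ENTRY.search(text)
    if match is None:
        return {"found": False, "pod": None, "upstream": None, "vulnerable": None}
    upstream = decode_pod_version(int(match.group(2)))
    return {
        "found": True,
        "pod": ".".join(match.groups()),
        "upstream": ".".join(str(part) for part in upstream),
        "vulnerable": upstream < FIXED_UPSTREAM,
    }


if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))
```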