CVE-2024-53984

NameCVE-2024-53984
DescriptionNanopb is a small code-size Protocol Buffers implementation. When the compile time option PB_ENABLE_MALLOC is enabled, the message contains at least one field with FT_POINTER field type, custom stream callback is used with unknown stream length. and the pb_decode_ex() function is used with flag PB_DECODE_DELIMITED, then the pb_decode_ex() function does not automatically call pb_release(), like is done for other failure cases. This could lead to memory leak and potential denial-of-service. This vulnerability is fixed in 0.4.9.1.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1088994

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nanopb (PTS)bullseye0.4.4-2vulnerable
bookworm0.4.7-2vulnerable
forky, sid, trixie0.4.9.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nanopbsource(unstable)0.4.9.1-11088994

Notes

[bookworm] - nanopb <no-dsa> (Minor issue)
[bullseye] - nanopb <postponed> (Minor issue)
https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r
Fixed by: https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378
Search for package or bug name: Reporting problems