protobuf-java: Denial of Service — GLSA 202301-09

A vulnerability has been discovered in protobuf-java which could result in denial of service.

Affected packages

dev-java/protobuf-java on all architectures
Affected versions < 3.20.3
Unaffected versions >= 3.20.3

Background

protobuf-java contains the Java bindings for Google's Protocol Buffers.

Description

Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Impact

Crafted input can trigger a denial of service via long garbage collection pauses.

Workaround

There is no known workaround at this time.

Resolution

All protobuf-java users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-java/protobuf-java-3.20.3"
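To confirm that the upgrade has actually landed across a set of hosts, the following POSIX sh script checks installed dev-java/protobuf-java versions against the advisory's fixed version 3.20.3. It is an added example, not part of the GLSA or of Gentoo's tooling; the host inventory it reads is constructed, and its version comparison is a simplification of Portage version rules (revision and pre-release suffixes are dropped).

```shell
#!/bin/sh
# Added example, not part of the GLSA: flag installed dev-java/protobuf-java
# versions that fall in the advisory's affected range (< 3.20.3).

FIXED_VERSION="3.20.3"

# vercmp A B: prints -1, 0 or 1 for A < B, A = B, A > B on dotted numeric
# versions. The Gentoo revision suffix (e.g. "-r1") and any "_rc"/"_p" tag
# are dropped first, so a pre-release is treated like the final release.
# This is a simplification, not full Portage version semantics.
vercmp() {
  a=$(printf '%s' "$1" | sed 's/[-_].*//')
  b=$(printf '%s' "$2" | sed 's/[-_].*//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; if [ "$x" = "$a" ]; then a=''; else a=${a#*.}; fi
    y=${b%%.*}; if [ "$y" = "$b" ]; then b=''; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
  done
  echo 0
}

# protobuf_java_affected VERSION: succeeds (exit 0) when VERSION < 3.20.3.
protobuf_java_affected() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# count_affected "<lines>": each line is "<host> dev-java/protobuf-java-<ver>",
# the atom form `qlist -Iv dev-java/protobuf-java` prints on a Gentoo host.
# Writes one status line per host to stderr and echoes the affected count.
count_affected() {
  n=0
  while read -r host atom; do
    [ -n "$atom" ] || continue
    ver=${atom#dev-java/protobuf-java-}
    if protobuf_java_affected "$ver"; then
      echo "$host: $ver AFFECTED, upgrade to >=dev-java/protobuf-java-3.20.3" >&2
      n=$((n + 1))
    else
      echo "$host: $ver ok" >&2
    fi
  done <<EOF
$1
EOF
  echo "$n"
}

# Constructed sample inventory (not real data): one "<host> <atom>" per line.
SAMPLE="build01 dev-java/protobuf-java-3.19.4
build02 dev-java/protobuf-java-3.20.3
build03 dev-java/protobuf-java-3.21.5-r1"

echo "affected hosts: $(count_affected "$SAMPLE")"
```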

References

Release date
January 11, 2023

Latest revision
January 11, 2023: 1

Severity
low

Exploitable
remote

Bugzilla entries