Candidate: CVE-2015-5237
PublicDate: 2017-09-25 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5237
 https://github.com/google/protobuf/issues/760
Description:
 protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
Ubuntu-Description:
Notes:
 seth-arnold> since the message parsing limit defaults to 64 megabytes a software
  author would have to change the limit in order to handle larger messages anyway,
  and is thus unlikely to generate these messages in the short-term. (There is no
  actual limit on generation, so this might be an issue today -- it is just not a
  priority for the maintainer.)
 mdeslaur> per upstream bug, this was fixed in 3.4.0
Bugs:
Priority: low
Discovered-by: Florian Weimer
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_protobuf:
upstream_protobuf: released (3.4.0)
precise_protobuf: ignored (reached end-of-life)
precise/esm_protobuf: DNE (precise was deferred [2015-08-27])
trusty_protobuf: ignored (out of standard support)
trusty/esm_protobuf: needed
vivid_protobuf: needed
vivid/stable-phone-overlay_protobuf: ignored (reached end-of-life)
vivid/ubuntu-core_protobuf: DNE
wily_protobuf: ignored (reached end-of-life)
xenial_protobuf: ignored (end of standard support, was deferred [2015-08-27])
esm-infra/xenial_protobuf: deferred (2015-08-27)
yakkety_protobuf: ignored (reached end-of-life)
zesty_protobuf: ignored (reached end-of-life)
artful_protobuf: ignored (reached end-of-life)
bionic_protobuf: needed
cosmic_protobuf: ignored (reached end-of-life)
disco_protobuf: ignored (reached end-of-life)
eoan_protobuf: ignored (reached end-of-life)
focal_protobuf: not-affected (3.6.1.3-2ubuntu5)
groovy_protobuf: ignored (reached end-of-life)
hirsute_protobuf: ignored (reached end-of-life)
impish_protobuf: not-affected (3.12.4-1ubuntu3)
jammy_protobuf: not-affected (3.12.4-1ubuntu5)
devel_protobuf: not-affected (3.12.4-1ubuntu5)