Candidate: CVE-2021-3121
PublicDate: 2021-01-11 06:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3121
 https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2
Description:
 An issue was discovered in GoGo Protobuf before 1.3.2.
 plugin/unmarshal/unmarshal.go lacks certain index validation, aka the
 "skippy peanut butter" issue.
Ubuntu-Description:
Notes:
 sbeattie> still need to sort which of all of the golang sources that
  build-depend on golang-gogoprotobuf-dev and
  golang-github-gogo-protobuf-dev need to be rebuilt.
 sbeattie> not sure how the 1.2.1 -> 1.3.0 transition plays out here,
  it may be that some build dependencies had not been built yet with
  1.3 .pb.go files, and rebuilding them in hirsute might trigger that.
  See https://github.com/gogo/protobuf#release-v130 for discussion on
  potential compatibility issues
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H [8.6 HIGH]

Patches_golang-gogoprotobuf:
 upstream: https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
upstream_golang-gogoprotobuf: released (1.3.2-1)
precise/esm_golang-gogoprotobuf: DNE
trusty_golang-gogoprotobuf: ignored (out of standard support)
trusty/esm_golang-gogoprotobuf: DNE
xenial_golang-gogoprotobuf: ignored (end of standard support, was needs-triage)
bionic_golang-gogoprotobuf: needs-triage
focal_golang-gogoprotobuf: needs-triage
groovy_golang-gogoprotobuf: ignored (reached end-of-life)
hirsute_golang-gogoprotobuf: released (1.3.2-1)
impish_golang-gogoprotobuf: released (1.3.2-1)
jammy_golang-gogoprotobuf: released (1.3.2-1)
devel_golang-gogoprotobuf: released (1.3.2-1)