CVE-2022-1941

一、漏洞信息
漏洞编号：CVE-2022-1941
漏洞归属组件：protobuf-arm
漏洞归属的版本：3.13.0
CVSS V3.0分值：
BaseScore：7.5 High
Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
漏洞简述：
A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated.
漏洞公开时间：2022-09-22 23:15:09
漏洞创建时间：2024-03-23 01:24:10
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2022-1941

更多参考(点击展开)

参考来源	参考链接	来源链接
cve-coordination.google.com	http://www.openwall.com/lists/oss-security/2022/09/27/1
cve-coordination.google.com	https://cloud.google.com/support/bulletins#GCP-2022-019
cve-coordination.google.com	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
cve-coordination.google.com	https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
cve-coordination.google.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
cve-coordination.google.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1941	https://bugzilla.suse.com/show_bug.cgi?id=1203681
suse_bugzilla	https://www.cve.org/CVERecord?id=CVE-2022-1941	https://bugzilla.suse.com/show_bug.cgi?id=1203681
suse_bugzilla	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf	https://bugzilla.suse.com/show_bug.cgi?id=1203681
suse_bugzilla	https://cloud.google.com/support/bulletins#GCP-2022-019	https://bugzilla.suse.com/show_bug.cgi?id=1203681
ubuntu	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1941	https://ubuntu.com/security/CVE-2022-1941
ubuntu	https://cloud.google.com/support/bulletins#GCP-2022-019	https://ubuntu.com/security/CVE-2022-1941
ubuntu	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf	https://ubuntu.com/security/CVE-2022-1941
ubuntu	https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.2	https://ubuntu.com/security/CVE-2022-1941
ubuntu	https://ubuntu.com/security/notices/USN-5769-1	https://ubuntu.com/security/CVE-2022-1941
ubuntu	https://ubuntu.com/security/notices/USN-5945-1	https://ubuntu.com/security/CVE-2022-1941
ubuntu	https://nvd.nist.gov/vuln/detail/CVE-2022-1941	https://ubuntu.com/security/CVE-2022-1941
ubuntu	https://launchpad.net/bugs/cve/CVE-2022-1941	https://ubuntu.com/security/CVE-2022-1941
ubuntu	https://security-tracker.debian.org/tracker/CVE-2022-1941	https://ubuntu.com/security/CVE-2022-1941
debian		https://security-tracker.debian.org/tracker/CVE-2022-1941
oracle		https://www.oracle.com/security-alerts/cpujan2023.html
anolis		https://anas.openanolis.cn/cves/detail/CVE-2022-1941
cve_search		https://cloud.google.com/support/bulletins#GCP-2022-019
cve_search		https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
cve_search		http://www.openwall.com/lists/oss-security/2022/09/27/1
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
cve_search		https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
cve_search		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
github_advisory	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf	https://github.com/advisories/GHSA-8gq9-2x98-w8hf
github_advisory	https://cloud.google.com/support/bulletins#GCP-2022-019	https://github.com/advisories/GHSA-8gq9-2x98-w8hf
github_advisory	https://nvd.nist.gov/vuln/detail/CVE-2022-1941	https://github.com/advisories/GHSA-8gq9-2x98-w8hf
github_advisory	http://www.openwall.com/lists/oss-security/2022/09/27/1	https://github.com/advisories/GHSA-8gq9-2x98-w8hf
github_advisory	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/	https://github.com/advisories/GHSA-8gq9-2x98-w8hf
github_advisory	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/	https://github.com/advisories/GHSA-8gq9-2x98-w8hf
github_advisory	https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html	https://github.com/advisories/GHSA-8gq9-2x98-w8hf
mageia		http://advisories.mageia.org/MGASA-2023-0092.html
protobuf		https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
osv	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf	https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf
osv	https://nvd.nist.gov/vuln/detail/CVE-2022-1941	https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf
osv	https://cloud.google.com/support/bulletins#GCP-2022-019	https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf
osv	https://github.com/protocolbuffers/protobuf	https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf
osv	https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html	https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf
osv	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/	https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf
osv	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/	https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf
osv	http://www.openwall.com/lists/oss-security/2022/09/27/1	https://osv.dev/vulnerability/GHSA-8gq9-2x98-w8hf
amazon_linux_explore	https://access.redhat.com/security/cve/CVE-2022-1941	https://explore.alas.aws.amazon.com/CVE-2022-1941.html
amazon_linux_explore	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1941	https://explore.alas.aws.amazon.com/CVE-2022-1941.html
nvd	https://cloud.google.com/support/bulletins#GCP-2022-019
nvd	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
nvd	http://www.openwall.com/lists/oss-security/2022/09/27/1
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
nvd	https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
redhat	https://access.redhat.com/security/cve/CVE-2022-1941
nvd	https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP/
nvd	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3/
suse_bugzilla	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1941
suse_bugzilla	https://www.cve.org/CVERecord?id=CVE-2022-1941
suse_bugzilla	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
suse_bugzilla	https://cloud.google.com/support/bulletins#GCP-2022-019
debian	https://security-tracker.debian.org/tracker/CVE-2022-1941
nvd	http://www.openwall.com/lists/oss-security/2022/09/27/1
nvd	https://cloud.google.com/support/bulletins#GCP-2022-019
nvd	https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf

漏洞分析指导链接：
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

详情(点击展开)

影响的包	修复版本	修复补丁	问题引入补丁	来源
protobuf		https://github.com/protocolbuffers/protobuf/commit/b4c395aaedfacb32e2414d361fa85968c0991b34		ubuntu

二、漏洞分析结构反馈
影响性分析说明：

MindSpore评分：

受影响版本排查(受影响/不受影响)：
1.master:
2.v1.10:
3.v1.9.0:
4.v2.0.0:
5.v2.1.0:
6.v2.2.0:
7.v2.2.10:

@bryanbj ,@liuchao ,@huangbingjian ,@dairenjie ,@liyuxia ,@zyli2020 ,@emmmmtang ,@Henry Shi ,@fangzhou0329 ,@shenwei41 ,@jxl ,@chenhaozhe ,@zhanghaibo ,@yanghaoran ,@looop5 ,@kyang ,@chengang ,@mindspore_ding ,@ougongchang ,@zhunaipan ,@herryshi1 ,@Zenzenzense ,@zhaoting ,@徐永飞 ,@yxx ,@ZPaC ,@Greatpan ,@yefeng ,@fangzehua
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, MindSpore评分, 受影响版本排查(受影响/不受影响))不能省略,省略后cve-manager将无法正常解析填写内容.

影响性分析说明:

MindSpore评分: (评分和向量)

受影响版本排查(受影响/不受影响):
1.master:
2.v1.10:
3.v1.9.0:
4.v2.0.0:
5.v2.1.0:
6.v2.2.0:
7.v2.2.10:

issue处理具体操作请参考:
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

Please assign maintainer to check this issue.
请为此issue分配处理人。
@mindspore-ci-bot

感谢您的提问，您可以评论//mindspore-assistant更快获取帮助：

如果您刚刚接触MindSpore，或许您可以在教程找到答案
如果您是资深Pytorch用户，您或许需要：

如果您遇到动态图问题，可以设置set_context(pynative_synchronize=True)查看报错栈协助定位
模型精度调优问题可参考官网调优指南
如果您反馈的是框架BUG，请确认您在ISSUE中提供了MindSpore版本、使用的后端类型（CPU、GPU、Ascend）、环境、训练的代码官方链接以及可以复现报错的代码的启动方式等必要的定位信息
如果您已经定位出问题根因，欢迎提交PR参与MindSpore开源社区，我们会尽快review

GVP MindSpore / mindspore

内容风险标识

评论 (3)

GVPMindSpore / mindspore

内容风险标识

CVE-2022-1941

评论 (3)

搜索帮助

GVP MindSpore / mindspore