CVE-2020-26243 – nanopb
Package
Manager: pip
Name: nanopb
Vulnerable Version: <=0.3.9.6 || >=0.4.0 <0.4.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00107 (percentile 0.29457)
Details
Memory leak in Nanopb

### Impact

Decoding a specially formed message can leak memory if dynamic allocation is enabled, a oneof field contains a static submessage that in turn contains a dynamic field, and the message being decoded contains that submessage multiple times. This combination is rare in normal messages, but it is a concern when untrusted data is parsed.

### Patches

A preliminary patch is [available on git](https://github.com/nanopb/nanopb/commit/edf6dcbffee4d614ac0c2c1b258ab95185bdb6e9), and the problem will be patched in versions 0.3.9.7 and 0.4.4 once testing has been completed.

### Workarounds

The following workarounds are available:

* Set the option `no_unions` for the oneof field. This generates the oneof members as separate fields instead of a C union, and avoids triggering the problematic code.
* Set the type of the submessage field inside the oneof to `FT_POINTER`. This way the whole submessage is dynamically allocated and the problematic code is not executed.
* Use an arena allocator for nanopb, to make sure all memory can be released afterwards.

### References

Bug report: https://github.com/nanopb/nanopb/issues/615

### For more information

If you have any questions or comments about this advisory, comment on the bug report linked above.
Metadata
Created: 2020-11-25T16:53:27Z
Modified: 2021-01-07T22:39:39Z
Source: MANUAL
CWE IDs: ["CWE-119", "CWE-20"]
Alternative ID: GHSA-85rr-4rh9-hhwh
Finding: F184
Auto approve: 1