Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Latest version of google.golang.org/protobuf (v1.33.0) is no longer compatible with the latest version of github.com/golang/protobuf (v1.5.3) #1596

Closed
vadimsht opened this issue Mar 5, 2024 · 9 comments
Closed

Latest version of google.golang.org/protobuf (v1.33.0) is no longer compatible with the latest version of github.com/golang/protobuf (v1.5.3) #1596

vadimsht opened this issue Mar 5, 2024 · 9 comments

Comments

@vadimsht
Copy link

vadimsht commented Mar 5, 2024

What version of protobuf and what language are you using?
google.golang.org/protobuf (v1.33.0)
github.com/golang/protobuf (v1.5.3)

What did you do?
Trying to compile a package that imports github.com/golang/protobuf/protoc-gen-go/descriptor results in

# github.com/golang/protobuf/protoc-gen-go/descriptor
../../../../../../../golang/modcache/github.com/golang/[email protected]/protoc-gen-go/descriptor/descriptor.pb.go:106:61: undefined: descriptorpb.Default_FileOptions_PhpGenericServices

What did you expect to see?

No build errors :)

What did you see instead?

Build errors :)

This seems to be a combination of protocolbuffers/protobuf-go@99e193e#diff-ae68ca51f2811349cc1f596970cc40bb7fa15fd893bea35e199f3cbd7ca2b486L2247 that removed Default_FileOptions_PhpGenericServices and https://github.com/golang/protobuf/blob/master/protoc-gen-go/descriptor/descriptor.pb.go#L106 that still references it.
@vadimsht
Copy link
Author

vadimsht commented Mar 5, 2024

This blocks picking up a fix for https://groups.google.com/g/golang-announce/c/ArQ6CDgtEjY/m/oLMrdq_GBQAJ in code bases that still uses deprecated Go package. While the "correct" solution is to stop using the deprecated package, it is not really possible to do fast. And running vulnerable code is not nice... Please consider releasing a new compatible github.com/golang/protobuf version.

@rootulp
Copy link

rootulp commented Mar 5, 2024

+1 I encountered this on celestiaorg/celestia-app#3155. See this error.

@rootulp rootulp mentioned this issue Mar 5, 2024
Merged
@neild
Copy link
Contributor

neild commented Mar 5, 2024

Gah, apologies, I didn't expect that.

I think we have to make an updated version of github.com/golang/protobuf that updates descriptor.pb.go, thanks to a backwards-incompatible change in descriptor.proto.

neild added a commit that referenced this issue Mar 5, 2024
@neild
all: update descriptor.proto to latest version
2b86879 
A recent change to the upstream descriptor.proto, appearing in
google.golang.org/[email protected], removed the long-deprecated
FileOptions.php_generic_services field. This backwards-incompatible
change results in an incompatibility between the
github.com/golang/protobuf and google.golang.org/protobuf
modules.

Bump the google.golang.org/protobuf version in go.mod, regenerate
descriptors.

For #1596
@neild neild mentioned this issue Mar 5, 2024
Merged
neild added a commit that referenced this issue Mar 5, 2024
@neild
all: update descriptor.proto to latest version
f49d44a 
A recent change to the upstream descriptor.proto, appearing in
google.golang.org/[email protected], removed the long-deprecated
FileOptions.php_generic_services field. This backwards-incompatible
change results in an incompatibility between the
github.com/golang/protobuf and google.golang.org/protobuf
modules.

Bump the google.golang.org/protobuf version in go.mod, regenerate
descriptors.

Increase the minimum Go version requirement to go1.17 (the minimum
supported by v1.33.0).

For #1596
neild added a commit that referenced this issue Mar 5, 2024
@neild
all: update descriptor.proto to latest version
b7697bb 
A recent change to the upstream descriptor.proto, appearing in
google.golang.org/[email protected], removed the long-deprecated
FileOptions.php_generic_services field. This backwards-incompatible
change results in an incompatibility between the
github.com/golang/protobuf and google.golang.org/protobuf
modules.

Bump the google.golang.org/protobuf version in go.mod, regenerate
descriptors.

Increase the minimum Go version requirement to go1.17 (the minimum
supported by v1.33.0).

Run gofmt to update formatting to go1.22 standards.

For #1596
@jerrybean
Copy link

Does google.golang.org/protobuf need a newer version than v1.33.0? I saw github.com/golang/protobuf (v1.5.4) already.

@rootulp
Copy link

rootulp commented Mar 6, 2024

Seems resolved via #1597 because https://github.com/golang/protobuf/releases/tag/v1.5.4 works for me.

@neild
Copy link
Contributor

neild commented Mar 6, 2024

Sorry for the inconvenience! github.com/golang/protobuf v1.5.4 should be compatible with google.golang.org/protobuf v1.33.0.

The problem, for reference, is that:

  • descriptor.proto (part of the upstream protobuf project) dropped the FileOptions.php_generic_services field.
  • google.golang.org/protobuf includes the generated package for descriptor.proto.
  • google.golang.org/protobuf v1.33.0 updates descriptor.proto, resulting in the const descriptorpb.Default_FileOptions_PhpGenericServices being removed.
  • github.com/golang/protobuf, for historical reasons, includes a stub version of descriptor.proto that forwards all its symbols to the canonical one in google.golang.org/protobuf.
  • github.com/golang/protobuf v1.5.3 is now incompatible with google.golang.org/protobuf v1.33.0, because it references a symbol that doesn't exist.

This is fixed in v1.5.4 by regenerating the forwarding package.

In retrospect, a better fix might have been in google.golang.org/protobuf: We could have added a declaration for Default_FileOptions_PhpGenericServices to that package for backwards compatibility. If we'd detected the problem in time, we could have done that in the v1.33.0 release and maintained compatibility with v1.5.3.

We should have a test that ensures this doesn't happen again in the future.

@neild neild closed this as completed Mar 6, 2024
@roger2hk roger2hk mentioned this issue Mar 7, 2024
Merged
2 tasks
ghstahl added a commit to fluffy-bunny/fluffycore-rage-identity that referenced this issue Mar 7, 2024
@ghstahl
downstream build break due to
7af9966 
golang/protobuf#1596
fixed by
bump google.golang.org/protobuf from 1.32.0 to 1.33.0 and bump github.com/golang/protobuf from 1.5.3 to 1.5.4
@deepthi deepthi mentioned this issue Mar 8, 2024
Closed
@derekbit derekbit mentioned this issue Mar 9, 2024
Merged
@jhump jhump mentioned this issue Mar 12, 2024
Merged
2uasimojo added a commit to 2uasimojo/hive that referenced this issue Mar 13, 2024
@2uasimojo
[mce-2.4] upgrade google.golang.org/protobuf to 1.33.0
0e128fe 
...to address these snyk-found vulns:

```
✗ Medium severity vulnerability found in google.golang.org/protobuf/internal/encoding/json
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFINTERNALENCODINGJSON-6393704
  Introduced through: google.golang.org/api/[email protected], github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, google.golang.org/api/cloudresourcemanager/[email protected], google.golang.org/api/compute/[email protected], google.golang.org/api/dns/[email protected], google.golang.org/api/serviceusage/[email protected], github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd
  From: google.golang.org/api/[email protected] > google.golang.org/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/protobuf/encoding/[email protected] > google.golang.org/protobuf/internal/encoding/[email protected]
  From: github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd > google.golang.org/api/[email protected] > google.golang.org/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/protobuf/encoding/[email protected] > google.golang.org/protobuf/internal/encoding/[email protected]
  From: google.golang.org/api/cloudresourcemanager/[email protected] > google.golang.org/api/transport/[email protected] > google.golang.org/api/[email protected] > google.golang.org/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/protobuf/encoding/[email protected] > google.golang.org/protobuf/internal/encoding/[email protected]
  and 5 more...
  Fixed in: 1.33.0
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6393703
  Introduced through: google.golang.org/api/cloudresourcemanager/[email protected], google.golang.org/api/compute/[email protected], google.golang.org/api/dns/[email protected], google.golang.org/api/serviceusage/[email protected], github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd, google.golang.org/api/[email protected], github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f
  From: google.golang.org/api/cloudresourcemanager/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  From: google.golang.org/api/compute/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  From: google.golang.org/api/dns/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  and 28 more...
  Fixed in: 1.33.0
```

Note that in this branch we also had to bump
google.golang.org/golang/protobuf to v1.5.4 due to
golang/protobuf#1596. Why this wasn't
necessary in the other branches... no idea.
:shakes-fist-at-golang-deps:

Manual cherry-pick of openshift#2239 / f7cf469
which was a
Manual cherry-pick of openshift#2231 / 2efba4b
@2uasimojo
Copy link

So this is weird. I upgraded google.golang.org/protobuf to 1.33.0 in my master branch (openshift/hive#2231) where github.com/golang/protobuf was still at 1.5.3. Worked fine.

Applied that same change to a recent release branch (openshift/hive#2239). Worked fine.

Applied that same change to an earlier release branch (openshift/hive#2240) and ran into this problem.

All three branches started with github.com/golang/protobuf at 1.5.3. But only that third one broke.

@2uasimojo 2uasimojo mentioned this issue Mar 13, 2024
Merged
2uasimojo added a commit to 2uasimojo/hive that referenced this issue Mar 13, 2024
@2uasimojo
[mce-2.3] upgrade google.golang.org/protobuf to 1.33.0
d8c9a5d 
...to address these snyk-found vulns:

```
✗ Medium severity vulnerability found in google.golang.org/protobuf/internal/encoding/json
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFINTERNALENCODINGJSON-6393704
  Introduced through: google.golang.org/api/[email protected], github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, google.golang.org/api/cloudresourcemanager/[email protected], google.golang.org/api/compute/[email protected], google.golang.org/api/dns/[email protected], google.golang.org/api/serviceusage/[email protected], github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd
  From: google.golang.org/api/[email protected] > google.golang.org/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/protobuf/encoding/[email protected] > google.golang.org/protobuf/internal/encoding/[email protected]
  From: github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd > google.golang.org/api/[email protected] > google.golang.org/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/protobuf/encoding/[email protected] > google.golang.org/protobuf/internal/encoding/[email protected]
  From: google.golang.org/api/cloudresourcemanager/[email protected] > google.golang.org/api/transport/[email protected] > google.golang.org/api/[email protected] > google.golang.org/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/protobuf/encoding/[email protected] > google.golang.org/protobuf/internal/encoding/[email protected]
  and 5 more...
  Fixed in: 1.33.0
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6393703
  Introduced through: google.golang.org/api/cloudresourcemanager/[email protected], google.golang.org/api/compute/[email protected], google.golang.org/api/dns/[email protected], google.golang.org/api/serviceusage/[email protected], github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd, google.golang.org/api/[email protected], github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f
  From: google.golang.org/api/cloudresourcemanager/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  From: google.golang.org/api/compute/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  From: google.golang.org/api/dns/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  and 28 more...
  Fixed in: 1.33.0
```

Note that in this branch we also had to bump
google.golang.org/golang/protobuf to v1.5.4 due to
golang/protobuf#1596. Why this wasn't
necessary in the other branches... no idea.
:shakes-fist-at-golang-deps:

Manual cherry-pick of openshift#2240 / 0e128fe
which was a
Manual cherry-pick of openshift#2239 / f7cf469
which was a
Manual cherry-pick of openshift#2231 / 2efba4b
@2uasimojo 2uasimojo mentioned this issue Mar 13, 2024
Merged
2uasimojo added a commit to 2uasimojo/hive that referenced this issue Mar 13, 2024
@2uasimojo
[mce-2.2] upgrade google.golang.org/protobuf to 1.33.0
33be746 
...to address these snyk-found vulns:

```
✗ Medium severity vulnerability found in google.golang.org/protobuf/internal/encoding/json
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFINTERNALENCODINGJSON-6393704
  Introduced through: google.golang.org/api/[email protected], github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, google.golang.org/api/cloudresourcemanager/[email protected], google.golang.org/api/compute/[email protected], google.golang.org/api/dns/[email protected], google.golang.org/api/serviceusage/[email protected], github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd
  From: google.golang.org/api/[email protected] > google.golang.org/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/protobuf/encoding/[email protected] > google.golang.org/protobuf/internal/encoding/[email protected]
  From: github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd > google.golang.org/api/[email protected] > google.golang.org/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/protobuf/encoding/[email protected] > google.golang.org/protobuf/internal/encoding/[email protected]
  From: google.golang.org/api/cloudresourcemanager/[email protected] > google.golang.org/api/transport/[email protected] > google.golang.org/api/[email protected] > google.golang.org/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/grpc/internal/[email protected] > google.golang.org/protobuf/encoding/[email protected] > google.golang.org/protobuf/internal/encoding/[email protected]
  and 5 more...
  Fixed in: 1.33.0
✗ Medium severity vulnerability found in google.golang.org/protobuf/encoding/protojson
  Description: Infinite loop
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOGLEGOLANGORGPROTOBUFENCODINGPROTOJSON-6393703
  Introduced through: google.golang.org/api/cloudresourcemanager/[email protected], google.golang.org/api/compute/[email protected], google.golang.org/api/dns/[email protected], google.golang.org/api/serviceusage/[email protected], github.com/openshift/installer/pkg/asset/machines/gcp@#f168b97656bd, github.com/openshift/installer/pkg/destroy/gcp@#f168b97656bd, google.golang.org/api/[email protected], github.com/openshift/generic-admission-server/pkg/cmd@#8dcc3c9b298f
  From: google.golang.org/api/cloudresourcemanager/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  From: google.golang.org/api/compute/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  From: google.golang.org/api/dns/[email protected] > google.golang.org/api/internal/[email protected] > github.com/googleapis/gax-go/v2/[email protected] > google.golang.org/protobuf/encoding/[email protected]
  and 28 more...
  Fixed in: 1.33.0
```

Note that in this branch we also had to bump
google.golang.org/golang/protobuf to v1.5.4 due to
golang/protobuf#1596. Why this wasn't
necessary in the other branches... no idea.
:shakes-fist-at-golang-deps:

Manual cherry-pick of openshift#2241 / d8c9a5d
which was a
Manual cherry-pick of openshift#2240 / 0e128fe
which was a
Manual cherry-pick of openshift#2239 / f7cf469
which was a
Manual cherry-pick of openshift#2231 / 2efba4b
@2uasimojo 2uasimojo mentioned this issue Mar 13, 2024
Merged
@Strum355 Strum355 mentioned this issue Mar 13, 2024
Merged
Strum355 added a commit to sourcegraph/sourcegraph-public-snapshot that referenced this issue Mar 13, 2024
@Strum355
chore: bump golang/protobuf to 1.5.4 because of nonsense (#61127)
fac966d 
Man I dont even know. Why does golang.google.org/protobuf even depend on github.com/golang/protobuf if the latter is deprecated and explicitly states to use the former...? golang/protobuf#1596

## Test plan

go build & CI
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Mar 14, 2024
@machine424
deps: upgrade github.com/golang/protobuf to v1.5.4 for better compati…
1cbacce 
…bilty, see golang/protobuf#1596 (comment)

upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.44.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
@machine424 machine424 mentioned this issue Mar 14, 2024
Merged
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Mar 14, 2024
@machine424
deps: upgrade github.com/golang/protobuf to v1.5.4 for better compati…
bf14b70 
…bilty, see golang/protobuf#1596 (comment)

upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.49.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Mar 14, 2024
@machine424
OCPBUGS-30532: upgrade github.com/golang/protobuf to v1.5.4 for bette…
abb8c0e 
…r compatibilty, see golang/protobuf#1596 (comment)

OCPBUGS-22630: upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.49.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
thaJeztah added a commit to thaJeztah/containerd that referenced this issue Mar 18, 2024
@thaJeztah
vendor: github.com/golang/protobuf v1.5.4
45e425c 
commit 10c7f03 updated google.golang.org/protobuf
to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the
Golang security list issued a warning that the v1.33.0 update introduced a
breaking change, causing compatibility with github.com/golang/protobuf to be
broken;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/[email protected].

Containerd itself does not appear to be using this code, but consumers may be,
so update the github.com/golang/protobuf to restore compatibility.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah thaJeztah mentioned this issue Mar 18, 2024
Merged
This was referenced Mar 20, 2024
Closed
Merged
thaJeztah added a commit to thaJeztah/containerd that referenced this issue Mar 20, 2024
@thaJeztah
vendor: github.com/golang/protobuf v1.5.4
2dbb59b 
commit 10c7f03 updated google.golang.org/protobuf
to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the
Golang security list issued a warning that the v1.33.0 update introduced a
breaking change, causing compatibility with github.com/golang/protobuf to be
broken;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/[email protected].

Containerd itself does not appear to be using this code, but consumers may be,
so update the github.com/golang/protobuf to restore compatibility.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 45e425c)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah added a commit to thaJeztah/containerd that referenced this issue Mar 20, 2024
@thaJeztah
vendor: github.com/golang/protobuf v1.5.4
e6d91d8 
commit 10c7f03 updated google.golang.org/protobuf
to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the
Golang security list issued a warning that the v1.33.0 update introduced a
breaking change, causing compatibility with github.com/golang/protobuf to be
broken;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/[email protected].

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 45e425c)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
@TheSpiritXIII TheSpiritXIII mentioned this issue Mar 25, 2024
Merged
@tuxcanfly tuxcanfly mentioned this issue Mar 27, 2024
Closed
@zbuchheit zbuchheit mentioned this issue Apr 2, 2024
Closed
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Apr 4, 2024
@machine424
deps: upgrade github.com/golang/protobuf to v1.5.4 for better compati…
4d5c98d 
…bilty, see golang/protobuf#1596 (comment)

upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.49.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Apr 8, 2024
@machine424
OCPBUGS-30532: upgrade github.com/golang/protobuf to v1.5.4 for bette…
5c0cd2a 
…r compatibilty, see golang/protobuf#1596 (comment)

OCPBUGS-22630: upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.45.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
machine424 added a commit to machine424/prometheus-adapter that referenced this issue Apr 15, 2024
@machine424
deps: upgrade github.com/golang/protobuf to v1.5.4 for better compati…
20be893 
…bilty, see golang/protobuf#1596 (comment)

deps: upgrade go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.45.0 to address CVE-2023-45142 even though prometheus-adapter isn't using it directly and isn't exposing any traces.
@machine424 machine424 mentioned this issue Apr 15, 2024
Merged
@cbartoszDell cbartoszDell mentioned this issue Apr 18, 2024
Merged
austinvazquez pushed a commit to austinvazquez/moby that referenced this issue Apr 25, 2024
@thaJeztah @austinvazquez
vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobu…
4f96fbf 
…f v1.5.4

full diffs:

- protocolbuffers/protobuf-go@v1.31.0...v1.33.0
- golang/protobuf@v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/[email protected].

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/[email protected]
        Fixed in: google.golang.org/[email protected]
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you
    require.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 1ca89d7)
Signed-off-by: Austin Vazquez <[email protected]>
austinvazquez pushed a commit to austinvazquez/moby that referenced this issue Apr 25, 2024
@thaJeztah @austinvazquez
vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobu…
1bbbbbf 
…f v1.5.4

full diffs:

- protocolbuffers/protobuf-go@v1.31.0...v1.33.0
- golang/protobuf@v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/[email protected].

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/[email protected]
        Fixed in: google.golang.org/[email protected]
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you
    require.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 1ca89d7)
Signed-off-by: Austin Vazquez <[email protected]>
austinvazquez pushed a commit to austinvazquez/moby that referenced this issue Apr 25, 2024
@thaJeztah @austinvazquez
vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobu…
3d56d73 
…f v1.5.4

full diffs:

- protocolbuffers/protobuf-go@v1.31.0...v1.33.0
- golang/protobuf@v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/[email protected].

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/[email protected]
        Fixed in: google.golang.org/[email protected]
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you
    require.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 1ca89d7)
Signed-off-by: Austin Vazquez <[email protected]>
@elboulangero elboulangero mentioned this issue Apr 26, 2024
Closed
r4f4 added a commit to r4f4/installer that referenced this issue May 9, 2024
@r4f4
OCPBUGS-30516: bump golang-protobuf for CVE fix
cf97222 
Bump golang.org/protobuf to v1.33.0 for CVE-2024-24786 fix.

Notice that, in some cases, github.com/golang/protobuf had to be bumped
to v1.5.4 because of golang/protobuf#1596.
@r4f4 r4f4 mentioned this issue May 9, 2024
Merged
r4f4 added a commit to r4f4/installer that referenced this issue May 23, 2024
@r4f4
OCPBUGS-30516: bump golang-protobuf for CVE fix
5fcfd45 
Bump golang.org/protobuf to v1.33.0 for CVE-2024-24786 fix.

Notice that, in some cases, github.com/golang/protobuf had to be bumped
to v1.5.4 because of golang/protobuf#1596.
@yxun yxun mentioned this issue May 23, 2024
Closed
r4f4 added a commit to r4f4/installer that referenced this issue May 27, 2024
@r4f4
OCPBUGS-30516: bump golang-protobuf for CVE fix
a480538 
Bump golang.org/protobuf to v1.33.0 for CVE-2024-24786 fix.

Notice that, in some cases, github.com/golang/protobuf had to be bumped
to v1.5.4 because of golang/protobuf#1596.
pawanpinjarkar pushed a commit to pawanpinjarkar/installer that referenced this issue May 28, 2024
@r4f4 @pawanpinjarkar
OCPBUGS-30516: bump golang-protobuf for CVE fix
425ad8f 
Bump golang.org/protobuf to v1.33.0 for CVE-2024-24786 fix.

Notice that, in some cases, github.com/golang/protobuf had to be bumped
to v1.5.4 because of golang/protobuf#1596.
@jooola jooola mentioned this issue May 31, 2024
Merged
1 task
@mandre mandre mentioned this issue Aug 14, 2024
Merged
azr pushed a commit to azr/containerd that referenced this issue Aug 30, 2024
@thaJeztah @azr
vendor: github.com/golang/protobuf v1.5.4
d54c6b1 
commit 10c7f03 updated google.golang.org/protobuf
to v1.33.0, which addresses CVE-2024-24786, however a follow-up post on the
Golang security list issued a warning that the v1.33.0 update introduced a
breaking change, causing compatibility with github.com/golang/protobuf to be
broken;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/[email protected].

Containerd itself does not appear to be using this code, but consumers may be,
so update the github.com/golang/protobuf to restore compatibility.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
@deep-explorer
Copy link

I installed google.golang.org/protobuf v1.34.2 but it doesn't support descriptor.
And alternatively, I tried to install github.com/golang/protobuf module but can't install this one as well.

could not import google.golang.org/protobuf/protoc-gen-go/descriptor (no required module provides package "google.golang.org/protobuf/protoc-gen-go/descriptor")compilerBrokenImport

@puellanivis
Copy link
Collaborator

If you look in the github.com/golang/protobuf/protoc-gen-go/descriptor package, you can see what the correct module for the descriptor package is (as the package primarily just type aliases, and const/var copies everything over): google.golang.org/protobuf/types/descriptorpb (The package has been moved to a more consistent path to join the other general protobufs.)

@slobad123 slobad123 mentioned this issue Oct 31, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@neild @vadimsht @rootulp @2uasimojo @jerrybean @puellanivis @deep-explorer