CVE-2023-24535

NameCVE-2023-24535
DescriptionParsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-google-protobuf (PTS)bullseye1.25.0+git20201208.160c747-1fixed
bookworm1.28.1-3fixed
sid, trixie1.33.0-1fixed
python3.4 (PTS)jessie, jessie (lts)3.4.2-1+deb8u17vulnerable
python3.5 (PTS)stretch (security)3.5.3-1+deb9u5vulnerable
stretch (lts), stretch3.5.3-1+deb9u9vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-google-protobufsource(unstable)(not affected)
python3.4source(unstable)(unfixed)unimportant
python3.5source(unstable)(unfixed)unimportant

Notes

- golang-google-protobuf <not-affected> (Vulnerable code not in a Debian released version)
https://go-review.googlesource.com/c/protobuf/+/475995
https://github.com/golang/protobuf/issues/1530
https://github.com/protocolbuffers/protobuf-go/commit/edaf511a7a37a90db2727b600d699e1e8d2840b4 (v1.29.1)
https://github.com/advisories/GHSA-hw7c-3rfg-p46j
Search for package or bug name: Reporting problems