CVE-2024-53984

Publication date 3 December 2024

Last updated 3 December 2024

Ubuntu priority

Nanopb is a small code-size Protocol Buffers implementation. When the compile time option PB_ENABLE_MALLOC is enabled, the message contains at least one field with FT_POINTER field type, custom stream callback is used with unknown stream length. and the pb_decode_ex() function is used with flag PB_DECODE_DELIMITED, then the pb_decode_ex() function does not automatically call pb_release(), like is done for other failure cases. This could lead to memory leak and potential denial-of-service. This vulnerability is fixed in 0.4.9.1.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nanopb	24.10 oracular	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-53984
https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378
https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r