fix(deps): update module google.golang.org/protobuf to v1.33.0 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
google.golang.org/protobuf	v1.28.1 → v1.33.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-24786

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

---

Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

CGA-2vgr-6mqh-4r48 / CGA-v9cm-f6x8-5vj7 / CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

• CVSS Score: 6.6 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-24786
• https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023
• https://github.com/protocolbuffers/protobuf-go
• https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0
• https://go.dev/cl/569356
• https://lists.fedoraproject.org/archives/list/[email protected]/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU
• https://pkg.go.dev/vuln/GO-2024-2611
• https://security.netapp.com/advisory/ntap-20240517-0002
• http://www.openwall.com/lists/oss-security/2024/03/08/4

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Infinite loop in JSON unmarshaling in google.golang.org/protobuf

CGA-2vgr-6mqh-4r48 / CGA-v9cm-f6x8-5vj7 / CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

Unknown

References

• https://go.dev/cl/569356

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

v1.33.0

Compare Source

This release contains one security fix:

• encoding/protojson: Unmarshal could enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. Unmarshal now correctly returns an error when handling these inputs. This is CVE-2024-24786.

v1.32.0

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See golang/protobuf#1583 and golang/protobuf#1584 for details.

v1.31.0

Compare Source

Notable changes

New Features

• CL/489316: types/dynamicpb: add NewTypes
  • Add a function to construct a dynamic type registry from a protoregistry.Files
• CL/489615: encoding: add MarshalAppend to protojson and prototext

Minor performance improvements

• CL/491596: encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one
• CL/500695: proto: store the size of tag to avoid multiple calculations

Bug fixes

• CL/497935: internal/order: fix sorting of synthetic oneofs to be deterministic
• CL/505555: encoding/protodelim: fix handling of io.EOF

v1.30.0

Compare Source

• Notable changes

Announcement
In the previous two releases, v1.29.0 and v1.29.1, we associated the tags with the wrong commits and thus the tags do not reference any commit in this repository. This tag, v1.30.0, refers to an existing commit again. Sorry for the inconvenience.

Notable changes

New Features

• CL/449576: protoadapt: helper functions to convert v1 or v2 message to either v1 or v2 message.

v1.29.1

Compare Source

• Notable changes

Notable changes

Bug fixes

• CL/475995: internal/encoding/text: fix parsing of incomplete numbers

v1.29.0

Compare Source

• Overview
• Notable changes

Overview

This version introduces a new package protodelim to marshal and unmarshal size-delimited messages.
It also brings the implementation up to date with the latest protobuf features.

Notable changes

New Features

• CL/419254: encoding: add protodelim package
• CL/450775: reflect/protoreflect: add Value.Equal method
• CL/462315: cmd/protoc-gen-go: make deprecated messages more descriptive
• CL/473015: encoding/prototext: allow whitespace and comments between minus sign and number in negative numeric literal

Alignment with protobuf

• CL/426054: types/descriptorpb: update *.pb.go to use latest protoc release, 21.5
• CL/425554: encoding/protojson: fix parsing of google.protobuf.Timestamp
• CL/461238: protobuf: remove the check for reserved field numbers
• CL/469255: types/descriptorpb: regenerate using latest protobuf v22.0 release
• CL/472696: cmd/protoc-gen-go: support protobuf retention feature

Documentation improvements:

• CL/464275: proto: document Equal behavior of invalid messages
• CL/466375: all: update links to Protocol Buffer documentation

Minor performance improvements

• CL/460215: types/known/structpb: preallocate map in AsMap
• CL/465115: internal/strs: avoid unnecessary allocations in Builder

Breaking changes

• CL/461238: protobuf: remove the check for reserved field numbers
  • protowire.(Number).IsValid() no longer returns false for reserved fields because reserved fields are considered semantically valid by the protobuf spec.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

[github-actions]

😢 zizmor failed with exit code 14.

Expand for full output

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf-lint.yml:13:9
   |
13 |       - uses: bufbuild/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf-lint.yml:16:9
   |
16 |       - uses: bufbuild/buf-lint-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf-lint.yml:19:9
   |
19 |       - uses: bufbuild/buf-breaking-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:12:9
   |
12 |       - uses: bufbuild/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:15:9
   |
15 |       - uses: bufbuild/buf-lint-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:18:9
   |
18 |       - uses: bufbuild/buf-breaking-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/buf.yml:22:9
   |
22 |       - uses: bufbuild/buf-push-action@v1
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/ci.yml:208:66
    |
208 |         run: ./scripts/ui_release.sh --check-package "$(echo ${{ github.ref_name }}|sed s/v2/v0/)"
    |         --- this run block                                       ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/ci.yml:16:9
   |
16 |       - uses: prometheus/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/ci.yml:38:9
   |
38 |       - uses: prometheus/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:107:9
    |
107 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:130:9
    |
130 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:149:9
    |
149 |         uses: golangci/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:165:9
    |
165 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:179:9
    |
179 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/ci.yml:194:9
    |
194 |       - uses: prometheus/[email protected]
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/codeql-analysis.yml:29:9
   |
29 |         uses: github/codeql-action/init@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/codeql-analysis.yml:34:9
   |
34 |         uses: github/codeql-action/autobuild@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/codeql-analysis.yml:37:9
   |
37 |         uses: github/codeql-action/analyze@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/fuzzing.yml:10:9
   |
10 |         uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/fuzzing.yml:15:9
   |
15 |         uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/lock.yml:18:9
   |
18 |       - uses: dessant/lock-threads@v4
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-images]: unpinned image references
  --> ./.github/workflows/repo_sync.yml:10:7
   |
10 |       image: quay.io/prometheus/golang-builder
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ container image is unpinned
   |
   = note: audit confidence → High

83 findings (37 ignored, 23 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 23 high