fix(deps): update module github.com/hamba/avro/v2 to v2.13.0 [security] - autoclosed #267
This PR contains the following updates:
v2.12.0 -> v2.13.0
GitHub Vulnerability Alerts
CVE-2023-37475
Summary
A well-crafted string passed to avro's github.com/hamba/avro/v2.Unmarshal() can throw a "fatal error: runtime: out of memory", which is unrecoverable and can cause denial of service of the consumer of avro.
Details
The root cause of the issue is that avro uses part of the input to Unmarshal() to determine the size when creating a new slice. In the reproducer below, the first few bytes determine the size of the slice.
The root cause is on line 239 here:
https://github.com/hamba/avro/blob/3abfe1e6382c5dccf2e1a00260c51a64bc1f1ca1/reader.go#L216-L242
PoC
The issue was found during a security audit of Dapr, and I attach a reproducer that shows how the issue affects Dapr. Dapr uses an older version of the avro library, but it is also affected if bumping avro to latest.
To reproduce:
Now add this test to the pulsar_test.go:
Run the test with go test -run=TestParsePublishMetadata2.
You should see this stacktrace:
Impact
Any use case of the avro Unmarshalling routine that accepts untrusted input is affected.
The impact is that an attacker can crash the running application and cause denial of service.
Release Notes
hamba/avro (github.com/hamba/avro/v2)
v2.13.0
Potentially Breaking Change
For security reasons, the configuration Config.MaxByteSliceSize restricts the maximum size of bytes and string types created by the Reader. The default maximum size is 1 MiB and is configurable. This is required to stop untrusted input from consuming all memory and crashing the application. Should this not be needed, setting a negative number will disable the behaviour.
What's Changed
Full Changelog: hamba/avro@v2.12.0...v2.13.0
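The defect described under Details (an input-controlled length prefix used directly as a slice size) and the mitigation described in the release note (Config.MaxByteSliceSize) together, as an added Go example that is not hamba/avro's own code: a minimal Avro bytes/string decoder that decodes the zigzag-varint length prefix and validates it against a limit before allocating. The names readLong, readBytes, defaultMaxByteSliceSize and ErrSliceTooLarge are ours, and both inputs are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"io"
)

// Modelled on Config.MaxByteSliceSize from hamba/avro v2.13.0 (1 MiB default
// per the release notes; a negative limit disables the check). Names are ours.
const defaultMaxByteSliceSize = 1 << 20
var ErrSliceTooLarge = errors.New("avro: length prefix exceeds MaxByteSliceSize")

// readLong decodes an Avro long: zigzag-encoded, little-endian base-128 varint.
func readLong(r io.ByteReader) (int64, error) {
	var x uint64
	for shift := uint(0); ; shift += 7 {
		b, err := r.ReadByte()
		if err != nil {
			return 0, err
		}
		if shift > 63 {
			return 0, errors.New("avro: varint too long")
		}
		x |= uint64(b&0x7f) << shift
		if b&0x80 == 0 {
			return int64(x>>1) ^ -int64(x&1), nil
		}
	}
}

// readBytes decodes an Avro bytes/string value (length prefix, then payload). The
// length is checked before make(), so a crafted prefix cannot force a huge allocation.
func readBytes(r *bytes.Reader, maxSize int64) ([]byte, error) {
	n, err := readLong(r)
	if err != nil {
		return nil, err
	}
	if n < 0 || (maxSize >= 0 && n > maxSize) {
		return nil, ErrSliceTooLarge
	}
	buf := make([]byte, n) // bounded by maxSize, even when reading from a stream
	_, err = io.ReadFull(r, buf)
	return buf, err
}

// Constructed inputs: "hello" with prefix 5 (zigzag 10 = 0x0a); a prefix claiming 2^31 bytes.
var (
	benignInput  = append([]byte{0x0a}, "hello"...)
	hostileInput = []byte{0x80, 0x80, 0x80, 0x80, 0x10}
)
```

With the limit left at its default the second input is rejected with ErrSliceTooLarge before any allocation; the vulnerable pattern in the advisory is the same code path with the limit check absent.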
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.