1. 漏洞描述

Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data. You can find protobuf's documentation on the Google Developers site.

Security Fix(es):

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.(CVE-2024-7254)

2. 影响范围

3. 影响组件

4. 修复版本

5. 修复方法

方法一：下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存，如 xxx.rpm
2、通过rpm命令升级，如 rpm -Uvh xxx.rpm

方法二：通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包，如 yum install 包名

6. 下载链接

V6:

x86_64:

     protobuf-bom   

     protobuf-java   

     protobuf-java-util   

     protobuf-javadoc   

     protobuf-javalite   

     protobuf-parent   

     python3-protobuf   

     protobuf   

     protobuf-compiler   

     protobuf-devel   

     protobuf-lite   

     protobuf-lite-devel   

aarch64:

     protobuf-bom   

     protobuf-java   

     protobuf-java-util   

     protobuf-javadoc   

     protobuf-javalite   

     protobuf-parent   

     python3-protobuf   

     protobuf   

     protobuf-compiler   

     protobuf-devel   

     protobuf-lite   

     protobuf-lite-devel