chore(deps): update module google.golang.org/protobuf to v1.33.0 [security] (release-2.9.x)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
google.golang.org/protobuf	v1.28.1 -> v1.33.0
google.golang.org/protobuf	v1.29.1 -> v1.33.0
google.golang.org/protobuf	v1.30.0 -> v1.33.0

---

Infinite loop in JSON unmarshaling in google.golang.org/protobuf

CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

Unknown

References

• https://go.dev/cl/569356

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON

CVE-2024-24786 / GHSA-8r3f-844c-mc37 / GO-2024-2611

More information

Details

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

Severity

Moderate

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-24786
• https://github.com/protocolbuffers/protobuf-go/commit/f01a588e5810b90996452eec4a28f22a0afae023
• https://github.com/protocolbuffers/protobuf-go
• https://github.com/protocolbuffers/protobuf-go/releases/tag/v1.33.0
• https://go.dev/cl/569356
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDMBHAVSDU2FBDZ45U3A2VLSM35OJ2HU
• https://pkg.go.dev/vuln/GO-2024-2611

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

protocolbuffers/protobuf-go (google.golang.org/protobuf)

v1.33.0

Compare Source

v1.32.0

Compare Source

Full Changelog: protocolbuffers/protobuf-go@v1.31.0...v1.32.0

This release contains commit protocolbuffers/protobuf-go@bfcd647, which fixes a denial of service vulnerability by preventing a stack overflow through a default maximum recursion limit. See https://github.com/golang/protobuf/issues/1583 and https://github.com/golang/protobuf/issues/1584 for details.

v1.31.0

Compare Source

Notable changes

New Features

• CL/489316: types/dynamicpb: add NewTypes
  • Add a function to construct a dynamic type registry from a protoregistry.Files
• CL/489615: encoding: add MarshalAppend to protojson and prototext

Minor performance improvements

• CL/491596: encoding/protodelim: If UnmarshalFrom gets a bufio.Reader, try to reuse its buffer instead of creating a new one
• CL/500695: proto: store the size of tag to avoid multiple calculations

Bug fixes

• CL/497935: internal/order: fix sorting of synthetic oneofs to be deterministic
• CL/505555: encoding/protodelim: fix handling of io.EOF

v1.30.0

Compare Source

• Notable changes

Announcement
In the previous two releases, v1.29.0 and v1.29.1, we associated the tags with the wrong commits and thus the tags do not reference any commit in this repository. This tag, v1.30.0, refers to an existing commit again. Sorry for the inconvenience.

Notable changes

New Features

• CL/449576: protoadapt: helper functions to convert v1 or v2 message to either v1 or v2 message.

v1.29.1

Compare Source

• Notable changes

Notable changes

Bug fixes

• CL/475995: internal/encoding/text: fix parsing of incomplete numbers

v1.29.0

Compare Source

• Overview
• Notable changes

Overview

This version introduces a new package protodelim to marshal and unmarshal size-delimited messages.
It also brings the implementation up to date with the latest protobuf features.

Notable changes

New Features

• CL/419254: encoding: add protodelim package
• CL/450775: reflect/protoreflect: add Value.Equal method
• CL/462315: cmd/protoc-gen-go: make deprecated messages more descriptive
• CL/473015: encoding/prototext: allow whitespace and comments between minus sign and number in negative numeric literal

Alignment with protobuf

• CL/426054: types/descriptorpb: update *.pb.go to use latest protoc release, 21.5
• CL/425554: encoding/protojson: fix parsing of google.protobuf.Timestamp
• CL/461238: protobuf: remove the check for reserved field numbers
• CL/469255: types/descriptorpb: regenerate using latest protobuf v22.0 release
• CL/472696: cmd/protoc-gen-go: support protobuf retention feature

Documentation improvements:

• CL/464275: proto: document Equal behavior of invalid messages
• CL/466375: all: update links to Protocol Buffer documentation

Minor performance improvements

• CL/460215: types/known/structpb: preallocate map in AsMap
• CL/465115: internal/strs: avoid unnecessary allocations in Builder

Breaking changes

• CL/461238: protobuf: remove the check for reserved field numbers
  • protowire.(Number).IsValid() no longer returns false for reserved fields because reserved fields are considered semantically valid by the protobuf spec.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.33.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.