
vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4 #4773

Closed

Conversation

thaJeztah
Member

@thaJeztah thaJeztah commented Mar 18, 2024

full diffs:

From the Go security announcement list:

Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
the google.golang.org/protobuf/encoding/protojson package which could cause
the Unmarshal function to enter an infinite loop when handling some invalid
inputs.

This condition could only occur when unmarshaling into a message which contains
a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
option is set. Unmarshal now correctly returns an error when handling these
inputs.

This is CVE-2024-24786.

In a follow-up post:

A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
option is set (as well as when unmarshaling into any message which contains a
google.protobuf.Any). There is no UnmarshalUnknown option.

In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
introduced an incompatibility with the older github.com/golang/protobuf
module. (golang/protobuf#1596) Users of the older
module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results show that solver/errdefs may hit this code:

govulncheck ./...
Scanning your code and 821 packages across 157 dependent modules for known vulnerabilities...

=== Symbol Results ===

Vulnerability #1: GO-2024-2611
    Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  More info: https://pkg.go.dev/vuln/GO-2024-2611
  Module: google.golang.org/protobuf
    Found in: google.golang.org/protobuf@v1.31.0
    Fixed in: google.golang.org/protobuf@v1.33.0
    Example traces found:
      #1: solver/errdefs/solve.go:73:25: errdefs.Solve.UnmarshalJSON calls jsonpb.Unmarshal, which eventually calls json.Decoder.Peek
      #2: solver/errdefs/solve.go:73:25: errdefs.Solve.UnmarshalJSON calls jsonpb.Unmarshal, which eventually calls json.Decoder.Read
      #3: solver/errdefs/solve.go:73:25: errdefs.Solve.UnmarshalJSON calls jsonpb.Unmarshal, which eventually calls protojson.UnmarshalOptions.Unmarshal

Your code is affected by 1 vulnerability from 1 module.
This scan found no other vulnerabilities in packages you import or modules you
require.
Use '-show verbose' for more details.
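As an added example (not code from this PR or from the project), a small Go check over go.mod text that applies the two fixed versions quoted in the advisory above, so a maintainer can confirm a bump like this one actually clears the floor. Function names and the constructed go.mod fragment are mine; it treats a pre-release or pseudo-version as sorting below the bare release and reports lines it cannot parse for manual review rather than silently passing them.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Fixed versions named in the advisory quoted above (GO-2024-2611 / CVE-2024-24786).
var fixedVersions = map[string]string{
	"google.golang.org/protobuf": "v1.33.0",
	"github.com/golang/protobuf": "v1.5.4",
}

// versionKey orders "v1.31.0" like semver; a "-rc1" or pseudo-version suffix sorts just below the bare release.
func versionKey(v string) (key int, ok bool) {
	base, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(base, ".")
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if len(parts) != 3 || err != nil {
			return 0, false // not MAJOR.MINOR.PATCH: caller reports it for manual review
		}
		key = key*10000 + n
	}
	if pre {
		return key * 2, true
	}
	return key*2 + 1, true
}

// VulnerableRequires scans go.mod text; hits are tracked modules pinned below the fix, malformed are tracked lines it could not parse.
func VulnerableRequires(gomod string) (hits, malformed []string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line) // "module version [// indirect]"
		if len(f) < 2 || fixedVersions[f[0]] == "" {
			continue
		}
		if have, ok := versionKey(f[1]); !ok {
			malformed = append(malformed, strings.TrimSpace(line))
		} else if want, _ := versionKey(fixedVersions[f[0]]); have < want {
			hits = append(hits, f[0]+" "+f[1])
		}
	}
	return hits, malformed
}

func main() {
	// Constructed go.mod fragment (not the project's file) mirroring this PR's hunk before the bump.
	fmt.Println(VulnerableRequires("google.golang.org/protobuf v1.31.0\ngithub.com/golang/protobuf v1.5.3"))
}
```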

@thaJeztah thaJeztah changed the title vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobu… vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4 Mar 18, 2024
@thaJeztah thaJeztah added the dependencies Pull requests that update a dependency file label Mar 18, 2024
go.mod Outdated
@@ -99,7 +99,7 @@ require (
golang.org/x/time v0.3.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b
google.golang.org/grpc v1.59.0
google.golang.org/protobuf v1.31.0
google.golang.org/protobuf v1.33.0
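Review bot: this hunk only moves google.golang.org/protobuf from v1.31.0 to v1.33.0, while the PR description says github.com/golang/protobuf must be raised to v1.5.4 in the same change because v1.33.0 is incompatible with the older module (golang/protobuf#1596); that require line is not in the visible context, so confirm the same go.mod also carries `github.com/golang/protobuf v1.5.4` and that the vendored copies were regenerated against both bumps.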
@crazy-max crazy-max Mar 18, 2024


@thaJeztah (Member Author)

Yeah, containerd should also be updated; that said, I'm not sure if that should always be the rule; it's a direct dependency here. We had a quick chat about this in the Moby maintainers call last Thursday (as we updated this dependency in Moby); consensus there was that we had enough coverage in the moby repository to validate it worked, so we went ahead and merged the update.

@thaJeztah (Member Author)

Ah, looks like these were already updated since, and are now a no-op

@thaJeztah thaJeztah deleted the bump_protobuf branch April 9, 2024 09:00