
Firebase crashlytics 19.2.1 still includes CVE-2024-7254 vulnerable library #6534

Open
xiaobc-mika opened this issue Nov 25, 2024 · 2 comments

@xiaobc-mika

Hello, according to the crashlytics 19.2.1 release notes, CVE-2024-7254 was resolved by updating protobuf.

However, it seems a vulnerable version of protobuf-javalite, com.google.protobuf:protobuf-javalite:3.10.0, is shaded into androidx.datastore:datastore-preferences-core:1.0.0.

|    |    |    +--- com.google.firebase:firebase-crashlytics -> 19.2.1
|    |    |    |    +--- com.google.firebase:firebase-sessions:2.0.6
|    |    |    |    |    +--- androidx.datastore:datastore-preferences:1.0.0
|    |    |    |    |    |    \--- androidx.datastore:datastore-preferences-core:1.0.0

This is being picked up by the OWASP dependency scanner plugin, from the file path: /home/runner/.gradle/caches/modules-2/files-2.1/androidx.datastore/datastore-preferences-core/1.0.0/403f64499b9a8994f5f7010329ddd1ee5c919ed5/datastore-preferences-core-1.0.0.jar/META-INF/maven/com.google.protobuf/protobuf-javalite/pom.xml

@google-oss-bot
Contributor

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

@lehcar09
Contributor

Hi @xiaobc-mika, thank you for reaching out and reporting the vulnerability issue. I'll raise this to our engineers and see what we can do here. Thanks!

@MichaelVerdon MichaelVerdon added the type: feature request New feature or request label Dec 30, 2024
@mrober mrober self-assigned this Feb 7, 2025
mrober added a commit that referenced this issue Mar 4, 2025
Update datastore dependency to `1.1.3` to address
[CVE-2024-7254](GHSA-735f-pc8j-v9w8) in
AQS.

We had landed #6343, but it missed the datastore dependency because
version 1.0.0 "shaded" the vulnerable protobuf dependency, see #6534. I
verified this was happening by extracting the jar from
https://maven.google.com/web/index.html?q=datastore-pre#androidx.datastore:datastore-preferences-core:1.0.0
and seeing
`<groupId>com.google.protobuf</groupId><artifactId>protobuf-parent</artifactId><version>3.10.0</version>`
nested in a maven dir. I also verified datastore 1.1.3 has upgraded the
protobuf version to 4.28.2, a safe version. See
https://cs.android.com/androidx/platform/frameworks/support/+/androidx-datastore-release:gradle/libs.versions.toml;l=59.

This datastore update also includes the stable
`MultiProcessDataStoreFactory` which we can utilize in a future change
to optimize things like the settings fetch for multi-process apps.
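The check that both the issue report and the commit message describe (looking inside a jar for META-INF/maven/*/pom.xml entries left behind by a shaded protobuf, then comparing the version they carry) can be automated; the example below is added here and is not code from the issue or from the firebase-android-sdk project. The jar it inspects is a constructed stand-in for datastore-preferences-core-1.0.0.jar, and the `4.28.2` threshold is the version the commit message calls safe, not the advisory's full list of fixed releases.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

def _child_text(elem, tag):
    """Text of the direct child named `tag`, ignoring the Maven POM XML namespace."""
    for node in elem:
        if node.tag.split("}")[-1] == tag and node.text:
            return node.text.strip()
    return None

def shaded_maven_artifacts(jar_bytes: bytes) -> list:
    """(groupId, artifactId, version) for every pom.xml shaded under META-INF/maven/ in a jar.
    groupId/version fall back to <parent>, where protobuf-javalite's pom carries them."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.xml"):
                root = ET.fromstring(jar.read(name))
                parent = next((n for n in root if n.tag.split("}")[-1] == "parent"), None)
                coords = []
                for tag in ("groupId", "artifactId", "version"):
                    value = _child_text(root, tag)
                    if value is None and parent is not None and tag != "artifactId":
                        value = _child_text(parent, tag)
                    coords.append(value)
                found.append(tuple(coords))
    return found

def version_key(version: str) -> tuple:
    """Numeric components only, so '3.10.0' sorts below '4.28.2' (and '3.9.0' below '3.10.0')."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def flag_old_protobuf(jar_bytes: bytes, minimum: str = "4.28.2") -> list:
    """Shaded com.google.protobuf artifacts older than `minimum` (default: the version the
    commit message calls safe; the advisory's full list of fixed releases is not modelled)."""
    return [c for c in shaded_maven_artifacts(jar_bytes)
            if c[0] == "com.google.protobuf" and c[2] and version_key(c[2]) < version_key(minimum)]

def build_sample_jar(protobuf_version: str) -> bytes:
    """Constructed stand-in for datastore-preferences-core-1.0.0.jar: only the shaded pom is modelled."""
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><modelVersion>4.0.0</modelVersion>'
           '<parent><groupId>com.google.protobuf</groupId><artifactId>protobuf-parent</artifactId>'
           f'<version>{protobuf_version}</version></parent><artifactId>protobuf-javalite</artifactId></project>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/com.google.protobuf/protobuf-javalite/pom.xml", pom)
    return buf.getvalue()
```

Pointed at a real jar from the Gradle cache, `flag_old_protobuf(open(path, "rb").read())` reports the same nested protobuf coordinates the scanner and the commit message found, which is a cheap way to confirm a dependency bump actually removed the shaded copy.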