
CVE-2023-4785: Backport #33656 to 1.46.x to fix gRPC Core

Open • DannyMeister opened this issue 1 year ago • 1 comment

What version of gRPC and what language are you using?

C# gRPC Core 2.46.6

What operating system (Linux, Windows,...) and version?

Windows 11

What runtime / compiler are you using (e.g. python version or version of gcc)

VS2022 dotnet compiler (.NET 8)

What did you do?

Black Duck reports a vulnerability in Grpc.Core 2.46.6 (BDSA-2023-2427) (CVE-2023-4785)

Anything else we should know about your project / environment?

This CVE has already been fixed in C++ with #33656 but has not been backported to 1.46.x, which is the branch for the still-in-maintenance gRPC.Core.

The annoying part for me is that we aren't even direct users of gRPC, but are only affected by the scan picking up on a transitive dependency from the IronPdf NuGet package (commercial). If this is fixed in gRPC.Core, I will still have to get them to upgrade. I will get in touch with that vendor to see whether the dependency on gRPC.Core can be dropped, since they are already using grpc-dotnet, which supersedes it, but I don't know if it will be possible given their support of a wide variety of Windows and .NET versions.

DannyMeister • Apr 29 '24 17:04

@apolcyn I've done the backport. Please manage getting the C# binaries built. Thanks!

drfloob • Apr 30 '24 23:04

Any update?

DannyMeister • Jul 16 '24 14:07

Pardon the nag. Our security exception is getting pretty stale. Is there a likely timeframe we can plan on for this?

DannyMeister • Sep 04 '24 15:09