Security Vulnerability - Action Required: Integer Overflow or Wraparound vulnerability may in your project

[Crispy-fried-chicken]

Hi,
we have detected that your project may be vulnerable to Integer Overflow or Wraparound in the function of parse_required_member in the file of lib/cmetrics/src/external/protobuf-c.c . It shares similarities to a recent CVE disclosure CVE-2022-48468 in the https://github.com/protobuf-c/protobuf-c.
The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2022-48468
Description: protobuf-c before 1.4.1 has an unsigned integer overflow in parse_required_member.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-48468
Patch: protobuf-c/protobuf-c@ec3d900

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!

[patrick-stephens]

Please report security issues via the policy: https://github.com/fluent/fluent-bit/security/policy
This looks to be a medium level CVE related to the version of protobuf-c used by cmetrics so needs an update to cmetrics to resolve I think then pulled in here.

[leonardo-albertovich]

Hi @Crispy-fried-chicken, yes, we have verified that this bug has been fixed upstream and a PR that updates the relevant files in cmetrics would be welcome.

Thank you for taking the time to report this issue.

[Crispy-fried-chicken]

Hi, @leonardo-albertovich I've already request a PR which is #9369, please review it.