
gogo/protobuf security issue #35

Closed
iulian-gm opened this issue May 18, 2022 · 4 comments

Comments

@iulian-gm

Thanks for a great project.

There is a security issue detected by Dependabot gogo/protobuf#752.

All that is needed is to upgrade the gogo version to the latest one (v1.3.2 I believe) where this is fixed.

As a side note, the gogo project is not really maintained anymore. Has anyone tested the performance of using the standard proto package?
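To make the remediation advice in this report something a maintainer can check mechanically, here is an added Go example that is not part of this issue or of the paulmach/osm code base. It parses go.mod text with the standard library only and flags a `github.com/gogo/protobuf` requirement older than v1.3.2, the release the reporter names as carrying the fix. The go.mod content in `main` is constructed for the demonstration, the v1.3.2 threshold comes from the comment above, and the parser deliberately ignores `replace` directives.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// fixedGogoVersion is the gogo/protobuf release the issue names as containing the fix
// (taken from the report above; treat it as the assumption of this example).
const fixedGogoVersion = "v1.3.2"

// semver holds the numeric part of a Go module version plus whether it carried a
// pre-release suffix. Go pseudo-versions such as v1.3.2-0.20210101000000-abcdef123456
// sort *before* the plain v1.3.2 release, so they must still count as older.
type semver struct {
	major, minor, patch int
	pre                 bool
}

// parseSemver parses "v1.3.1" or "v1.3.2-0.2021...-hash"; it returns false on anything else.
func parseSemver(v string) (semver, bool) {
	v = strings.TrimPrefix(v, "v")
	var out semver
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		out.pre = v[i] == '-' // '-' is a pre-release marker, '+' is build metadata
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return semver{}, false
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, false
		}
		nums[i] = n
	}
	out.major, out.minor, out.patch = nums[0], nums[1], nums[2]
	return out, true
}

// olderThan reports whether a sorts before b under semver rules.
func olderThan(a, b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre && !b.pre
}

// GogoRequirement scans go.mod text for a require of github.com/gogo/protobuf.
// It returns the required version ("" when absent) and whether that version is
// older than fixedGogoVersion. Both the single-line and block require forms are
// handled; replace directives are ignored.
func GogoRequirement(goMod string) (version string, vulnerable bool, err error) {
	fixed, _ := parseSemver(fixedGogoVersion)
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop "// indirect" and other comments
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
			continue
		case inBlock && fields[0] == ")":
			inBlock = false
			continue
		case fields[0] == "require":
			fields = fields[1:] // single-line form: require <path> <version>
		case !inBlock:
			continue // module, go, replace, exclude lines
		}
		if len(fields) < 2 || fields[0] != "github.com/gogo/protobuf" {
			continue
		}
		version = fields[1]
		got, ok := parseSemver(version)
		if !ok {
			return version, false, fmt.Errorf("cannot parse version %q", version)
		}
		return version, olderThan(got, fixed), nil
	}
	return "", false, sc.Err()
}

func main() {
	// Constructed sample go.mod for the demonstration, not the project's real file.
	const sample = "module example.com/app\n\ngo 1.18\n\nrequire (\n\tgithub.com/gogo/protobuf v1.3.1 // indirect\n\tgithub.com/paulmach/osm v0.3.0\n)\n"
	v, vuln, err := GogoRequirement(sample)
	fmt.Printf("gogo/protobuf %s vulnerable=%v err=%v\n", v, vuln, err)
}
```

In day-to-day use `govulncheck` covers this class of finding generically; the hand-rolled check above is mainly useful for the pseudo-version subtlety, since a module pinned to a commit just before v1.3.2 still carries a version string that starts with "v1.3.2" and must not be mistaken for the fixed release.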

@paulmach
Owner

I think you're referring to GHSA-c3h9-896r-86jm which is a crash on malformed input.

I can look at removing the dependency on gogo/protobuf. It is just used to decode section headers that aren't performance critical.

I suspect using the standard proto package will be 2-3x slower and will definitely use 2-3x the memory.

@ghost

ghost commented May 22, 2022

Hi, I tried to implement the suggested change in #36. Looks like CPU and memory aren't that much of an issue?

@paulmach
Owner

Sorry I was referring to using google.golang.org/protobuf/proto for all the osmpbf decoding.

@paulmach
Owner

The protobuf encoding/decoding was moved to google.golang.org/protobuf here: #36

The new release with only this change is https://github.com/paulmach/osm/releases/tag/v0.4.0
