chore(deps): Update module github.com/apache/thrift to v0.23.0 [SECURITY] (release-3.7.x)#21778
…ITY]

| datasource | package | from | to |
| ---------- | ------------------------ | ------- | ------- |
| go | github.com/apache/thrift | v0.22.0 | v0.23.0 |

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: int32 multiplication overflow bypasses protocol size check
- Replaced overflowing int32 size multiplications with int64-based validation that checks the element count before applying minimum serialized element size.
Or push these changes by commenting:
@cursor push 99a134916a
Preview (99a134916a)
diff --git a/vendor/github.com/apache/thrift/lib/go/thrift/binary_protocol.go b/vendor/github.com/apache/thrift/lib/go/thrift/binary_protocol.go
--- a/vendor/github.com/apache/thrift/lib/go/thrift/binary_protocol.go
+++ b/vendor/github.com/apache/thrift/lib/go/thrift/binary_protocol.go
@@ -356,8 +356,7 @@
return
}
minElemSize := p.getMinSerializedSize(kType) + p.getMinSerializedSize(vType)
- totalMinSize := size32 * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkSizeForProtocolMinSerializedSize(int64(size32), minElemSize, p.cfg)
if err != nil {
return
}
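Review bot: the same three-line replacement is repeated for the map, list and set readers in this file and again in compact_protocol.go and json_protocol.go; a small method on the protocol such as `p.checkContainerMinSize(size32, minElemSize)` would keep the `int64(...)` conversion in one place and make it harder to reintroduce the `size32 * minElemSize` product later. Note also that `checkSizeForProtocolMinSerializedSize` re-checks the raw element count that the caller already validated with `err = checkSizeForProtocol(size32, p.cfg)` immediately before this hunk; that is redundant but cheap, and worth keeping as defense in depth rather than removing the earlier call.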
@@ -382,8 +381,7 @@
return
}
minElemSize := p.getMinSerializedSize(elemType)
- totalMinSize := size32 * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkSizeForProtocolMinSerializedSize(int64(size32), minElemSize, p.cfg)
if err != nil {
return
}
@@ -409,8 +407,7 @@
return
}
minElemSize := p.getMinSerializedSize(elemType)
- totalMinSize := size32 * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkSizeForProtocolMinSerializedSize(int64(size32), minElemSize, p.cfg)
if err != nil {
return
}
diff --git a/vendor/github.com/apache/thrift/lib/go/thrift/compact_protocol.go b/vendor/github.com/apache/thrift/lib/go/thrift/compact_protocol.go
--- a/vendor/github.com/apache/thrift/lib/go/thrift/compact_protocol.go
+++ b/vendor/github.com/apache/thrift/lib/go/thrift/compact_protocol.go
@@ -499,8 +499,7 @@
valueType, _ = p.getTType(tCompactType(keyAndValueType & 0xf))
minElemSize := p.getMinSerializedSize(keyType) + p.getMinSerializedSize(valueType)
- totalMinSize := size32 * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkSizeForProtocolMinSerializedSize(int64(size32), minElemSize, p.cfg)
if err != nil {
return
}
@@ -534,8 +533,7 @@
}
minElemSize := p.getMinSerializedSize(elemType)
- totalMinSize := int32(size) * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkSizeForProtocolMinSerializedSize(int64(size), minElemSize, p.cfg)
if err != nil {
return
}
diff --git a/vendor/github.com/apache/thrift/lib/go/thrift/configuration.go b/vendor/github.com/apache/thrift/lib/go/thrift/configuration.go
--- a/vendor/github.com/apache/thrift/lib/go/thrift/configuration.go
+++ b/vendor/github.com/apache/thrift/lib/go/thrift/configuration.go
@@ -317,13 +317,24 @@
}
func checkSizeForProtocol(size int32, cfg *TConfiguration) error {
+ return checkSizeForProtocolInt64(int64(size), cfg)
+}
+
+func checkSizeForProtocolMinSerializedSize(size int64, minSerializedSize int32, cfg *TConfiguration) error {
+ if err := checkSizeForProtocolInt64(size, cfg); err != nil {
+ return err
+ }
+ return checkSizeForProtocolInt64(size*int64(minSerializedSize), cfg)
+}
+
+func checkSizeForProtocolInt64(size int64, cfg *TConfiguration) error {
if size < 0 {
return NewTProtocolExceptionWithType(
NEGATIVE_SIZE,
fmt.Errorf("negative size: %d", size),
)
}
- if size > cfg.GetMaxMessageSize() {
+ if size > int64(cfg.GetMaxMessageSize()) {
return NewTProtocolExceptionWithType(
SIZE_LIMIT,
fmt.Errorf("size exceeded max allowed: %d", size),
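Review bot: the product on `return checkSizeForProtocolInt64(size*int64(minSerializedSize), cfg)` is only overflow-free because the preceding `checkSizeForProtocolInt64(size, cfg)` has already bounded `size` to at most `cfg.GetMaxMessageSize()`, an int32, so the product of two int32-range values fits in int64; that invariant should be stated in a doc comment on `checkSizeForProtocolMinSerializedSize`, as none of the three functions in this hunk has one. A unit test reproducing the reported case (size 268435456 with minSerializedSize 16, which wrapped to 0 under int32 arithmetic) and asserting a SIZE_LIMIT error would also pin the fix down.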
diff --git a/vendor/github.com/apache/thrift/lib/go/thrift/json_protocol.go b/vendor/github.com/apache/thrift/lib/go/thrift/json_protocol.go
--- a/vendor/github.com/apache/thrift/lib/go/thrift/json_protocol.go
+++ b/vendor/github.com/apache/thrift/lib/go/thrift/json_protocol.go
@@ -317,8 +317,7 @@
size = int(iSize)
minElemSize := p.getMinSerializedSize(keyType) + p.getMinSerializedSize(valueType)
- totalMinSize := int32(iSize) * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkSizeForProtocolMinSerializedSize(iSize, minElemSize, p.cfg)
if err != nil {
return keyType, valueType, 0, err
}
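Review bot: passing `iSize` straight through to `checkSizeForProtocolMinSerializedSize(iSize, minElemSize, p.cfg)` requires it to already be an int64; the removed `int32(iSize)` cast and the `size = int(iSize)` context line suggest it is, in which case dropping the truncating cast is itself a correctness gain (a count above the int32 range was previously truncated before being checked). Please confirm the declared type so this compiles, and the same for `nSize` in the list-reading hunk below.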
@@ -498,8 +497,7 @@
size = int(nSize)
minElemSize := p.getMinSerializedSize(elemType)
- totalMinSize := int32(nSize) * minElemSize
- err = checkSizeForProtocol(totalMinSize, p.cfg)
+ err = checkSizeForProtocolMinSerializedSize(nSize, minElemSize, p.cfg)
if err != nil {
return elemType, 0, err
}
Reviewed by Cursor Bugbot for commit a8a3a60.
err = checkSizeForProtocol(size32, p.cfg)
minElemSize := p.getMinSerializedSize(kType) + p.getMinSerializedSize(vType)
totalMinSize := size32 * minElemSize
err = checkSizeForProtocol(totalMinSize, p.cfg)
int32 multiplication overflow bypasses protocol size check
Medium Severity
The totalMinSize := size32 * minElemSize computation uses int32 * int32 arithmetic, which silently wraps on overflow in Go. A crafted size32 value can cause the product to wrap to a small non-negative int32, bypassing checkSizeForProtocol. For example, with map key/value types both DOUBLE (minElemSize = 16), an attacker-supplied size32 of 268435456 produces totalMinSize of 0 (since 268435456 × 16 = 2³², wrapping to 0). The old code directly checked size32 against maxMessageSize and would have rejected this value. Using int64 for the multiplication would prevent the wraparound.
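A minimal Go reproduction of the wrap-around described in the finding above, with the int32 product check beside the count-then-int64-product form the autofix uses. This is an added example, not code from the PR or from Apache Thrift; maxMessageSize is a constructed constant and the function names are invented for the demo.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed limit for this demo. Thrift's default TConfiguration max message
// size is 100 MiB; the exact value is not what matters here.
const maxMessageSize int32 = 100 * 1024 * 1024

var (
	errNegativeSize = errors.New("negative size")
	errSizeLimit    = errors.New("size exceeded max allowed")
)

// checkSize is the shared bound check (the shape of the fix's checkSizeForProtocolInt64).
func checkSize(size int64) error {
	if size < 0 {
		return fmt.Errorf("%w: %d", errNegativeSize, size)
	}
	if size > int64(maxMessageSize) {
		return fmt.Errorf("%w: %d", errSizeLimit, size)
	}
	return nil
}

// vulnerableMinSizeCheck reproduces the flagged pattern: the product is formed
// in int32, so it wraps silently before the bound is ever consulted.
func vulnerableMinSizeCheck(size32, minElemSize int32) error {
	totalMinSize := size32 * minElemSize // wraps on overflow
	return checkSize(int64(totalMinSize))
}

// hardenedMinSizeCheck follows the autofix: bound the raw element count first,
// then the int64 product. After the first check size fits in an int32, so the
// int64 product of two int32-range values cannot overflow.
func hardenedMinSizeCheck(size int64, minElemSize int32) error {
	if err := checkSize(size); err != nil {
		return err
	}
	return checkSize(size * int64(minElemSize))
}

func main() {
	// 268435456 * 16 == 2^32, which wraps to 0 in int32 arithmetic.
	fmt.Println("vulnerable:", vulnerableMinSizeCheck(268435456, 16)) // <nil>
	fmt.Println("hardened:  ", hardenedMinSizeCheck(268435456, 16))   // size exceeded max allowed: 268435456
}
```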
This PR contains the following updates:

github.com/apache/thrift: v0.22.0 → v0.23.0

Apache Thrift TFramedTransport Go language implementation has an Integer Overflow or Wraparound vulnerability
BIT-thrift-2026-41602 / CVE-2026-41602 / GHSA-wf45-q9ch-q8gh

Details
Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
apache/thrift (github.com/apache/thrift)
v0.23.0: Version 0.23.0
Please head over to the official release download source:
http://thrift.apache.org/download
The assets listed below are added by GitHub based on the release tag and they will therefore not match the checksums published on the Thrift project website.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
Need help?
You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.