CVE-2015-5237 in protobuf

[robertoschwald]

grails-asset-pipeline 2.14.1.1 uses closure-compiler-unshaded:v20160713, which has a dependency to protobuf-2.5.0. This got CVE-2015-5237.

This CVE was fixed in protobuf-3.4.0 which we can't use, as closure-compiler-unshaded:v20170806 is the last version for Java7.

So question is: Is grails-asset-pipeline affected by the buffer overflow flaw in protobuf? If not, maybe a note in the README would be great.

[davydotcom]

Since this dependency doesn’t get used in production mode but only during build time and development runtime I’d say not affected

…

Sent from my iPhone

On Oct 10, 2018, at 6:35 AM, Robert Oschwald ***@***.***> wrote: grails-asset-pipeline 2.14.1.1 uses closure-compiler-unshaded:v20160713, which has a dependency to protobuf-2.5.0. This got CVE-2015-5237. This CVE was fixed in protobuf-3.4.0 which we can't use, as closure-compiler-unshaded:v20170806 is the last version for Java7. So question is: Is grails-asset-pipeline affected by the buffer overflow flaw in protobuf? If not, maybe a note in the README would be great. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[robertoschwald]

At leased it gets bundled in the war file.