[Build] Upgrade to latest protobuf #13335
Comments
I've sent you an email. I will explain it to you offline.
It seems the change to avoid CVE-2022-1941 done in #13100 was reverted by #12899 and the main branch is now back to 3.18.1
@mayeut Thanks for pointing it out. We are processing it. The release we just published is fine.
First, in the main branch we change it back to 3.18.3. Second, because the dev team of protobuf says 3.18.x is out of maintenance, I will follow @djee-ms's suggestion to update the version to 3.20.x. Also, I'm converting the protobuf submodule to a cmake external project, which will allow users to choose between the protobuf we provide and the one that is already installed in their environment. So, as long as ORT's source code is compatible with that protobuf version, you will be able to freely change it. And if there are build errors, for example the ones we have now for 3.20.x, you are welcome to submit your patches.
I'd actually go to 3.21 instead of 3.20, since that's the latest, but yes otherwise that sounds like a good plan, thanks!
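The "bundled or preinstalled protobuf" switch described in the two comments above, as an added CMake sketch that is not onnxruntime's own build code: the option name and the consumer target are hypothetical, the pinned tag is the 3.21.6 release the issue names, and the minimum version enforced on a preinstalled protobuf is the same 3.21.6, so a vcpkg or distro build still affected by CVE-2022-1941 is rejected at configure time rather than silently linked.

```cmake
# Added example, not onnxruntime's CMake: choose between a preinstalled protobuf
# (vcpkg, distro) and one built from source, and refuse pre-fix versions.
cmake_minimum_required(VERSION 3.14)
project(protobuf_choice_example LANGUAGES CXX)

# Hypothetical option name; the project's real option, if any, may differ.
option(EXAMPLE_USE_SYSTEM_PROTOBUF
       "Use the protobuf already installed in the environment" OFF)

# First 3.21.x release the thread identifies as the CVE-2022-1941 candidate.
set(EXAMPLE_PROTOBUF_MIN_VERSION 3.21.6)

if(EXAMPLE_USE_SYSTEM_PROTOBUF)
  # CONFIG mode uses the protobuf-config.cmake shipped by vcpkg/distro packages;
  # the version argument makes CMake fail on anything older than the minimum.
  find_package(Protobuf ${EXAMPLE_PROTOBUF_MIN_VERSION} REQUIRED CONFIG)
  message(STATUS "Using preinstalled protobuf ${Protobuf_VERSION}")
else()
  # Build the pinned release as an external project so the version is explicit
  # in the build tree and not tied to a git submodule commit.
  include(FetchContent)
  FetchContent_Declare(
    protobuf
    GIT_REPOSITORY https://github.com/protocolbuffers/protobuf.git
    GIT_TAG        v3.21.6
  )
  set(protobuf_BUILD_TESTS OFF CACHE BOOL "" FORCE)
  set(protobuf_INSTALL     OFF CACHE BOOL "" FORCE)
  FetchContent_MakeAvailable(protobuf)
  message(STATUS "Using bundled protobuf v3.21.6")
endif()

# Hypothetical consumer; main.cc is assumed to exist alongside this file.
add_executable(consumer main.cc)
target_link_libraries(consumer PRIVATE protobuf::libprotobuf)
```

Both branches export the same `protobuf::libprotobuf` target, so the rest of the build does not need to know which source was picked; flipping the option is the only change needed to move between the two.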
Describe the issue
Hi,
Could you please consider upgrading to the latest version of Google Protobuf?
The latest upgrade from 3.18.0 to 3.18.3 to avoid CVE-2022-1941 done in #13100 was only done 21 days ago by @snnn, but it upgrades to a version of protobuf that itself is over a year old, and 3 iterations away from the latest (3.18 -> 3.21). This is also a version which is not available via vcpkg, which causes a lot of pain trying to upgrade an existing codebase. Is there any reason not to upgrade to the latest version 3.21? Or at the very least a version that is available via vcpkg? This would greatly simplify the integration of onnxruntime into any C/C++ codebase. For reference, vcpkg versions are here: https://github.com/microsoft/vcpkg/blob/master/versions/p-/protobuf.json -- it seems that all versions below 3.21.x are affected by CVE-2022-1941 though, so the best candidate would be indeed the latest 3.21.6 I think. Thanks!
Urgency
Critical - This is preventing upgrades away from 3.18.0 and CVE-2022-1941 for any project using vcpkg.
Target platform
Build script
Error / output
Visual Studio Version
VS 2022
GCC / Compiler Version
No response