
[Build] Upgrade to latest protobuf #13335

Open
djee-ms opened this issue Oct 17, 2022 · 5 comments
Labels: build (build issues; typically submitted using template)

Comments

djee-ms (Member) commented Oct 17, 2022

Describe the issue

Hi,

Could you please consider upgrading to the latest version of Google Protobuf?

The latest upgrade from 3.18.0 to 3.18.3 to avoid CVE-2022-1941 done in #13100 was only done 21 days ago by @snnn, but it upgrades to a version of protobuf that itself is over a year old, and 3 iterations away from the latest (3.18 -> 3.21). This is also a version which is not available via vcpkg, which causes a lot of pain trying to upgrade an existing codebase.

Is there any reason not to upgrade to the latest version 3.21? Or at the very least a version that is available via vcpkg? This would greatly simplify the integration of onnxruntime into any C/C++ codebase.

For reference, vcpkg versions are here: https://github.com/microsoft/vcpkg/blob/master/versions/p-/protobuf.json -- it seems that all versions below 3.21.x are affected by CVE-2022-1941 though, so the best candidate would be indeed the latest 3.21.6 I think.

Thanks!

Urgency: Critical - This is preventing upgrades away from 3.18.0 and CVE-2022-1941 for any project using vcpkg.

Target platform: (not filled in)

Build script: (not filled in)

Error / output: (not filled in)

Visual Studio Version: VS 2022

GCC / Compiler Version: No response

djee-ms added the build label Oct 17, 2022

snnn (Member) commented Oct 17, 2022

I've sent you an email. I will explain it to you offline.

mayeut (Contributor) commented Oct 25, 2022

It seems the change to avoid CVE-2022-1941 done in #13100 was reverted by #12899, and the main branch is now back to 3.18.1.

snnn (Member) commented Oct 25, 2022

@mayeut Thanks for pointing it out. We are processing it. The release we just published is fine.

snnn (Member) commented Oct 29, 2022

First, in the main branch we change it back to 3.18.3.

Second, because the dev team of protobuf says 3.18.x is out of maintenance, I will follow @djee-ms's suggestion to update the version to 3.20.x. Also, I'm converting the protobuf submodule to a cmake external project, which will allow users to choose between the protobuf we provide and the one that is already installed in their environment. So, as long as ORT's source code is compatible with that protobuf version, you will be able to freely change it. And if there are build errors, for example the ones we have now for 3.20.x, you are welcome to submit your patches.

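An added example of the split snnn describes, written for this thread and not taken from onnxruntime's build files or from #13100: a switch between a pinned, fetched protobuf and the one already installed in the environment (e.g. via vcpkg), with a minimum-version check so a stale system install is rejected at configure time rather than silently reintroducing an older release. The option name `USE_SYSTEM_PROTOBUF`, the project name and the 3.20.0 floor are assumptions.

```cmake
cmake_minimum_required(VERSION 3.14)
project(protobuf_consumer LANGUAGES CXX)  # assumed project name

# Assumed option name (not onnxruntime's real one): prefer the protobuf
# already installed in the environment over a fetched copy.
option(USE_SYSTEM_PROTOBUF "Build against the protobuf installed on this machine" OFF)

# Oldest release this build will accept. Assumption: 3.20.0, following the
# 3.20.x target named in the thread; raise it when the target moves to 3.21.x.
set(PROTOBUF_MIN_VERSION 3.20.0)

if(USE_SYSTEM_PROTOBUF)
  # vcpkg installs protobuf's own CMake config; fall back to the FindProtobuf
  # module for installs that only ship the library, headers and protoc.
  find_package(Protobuf CONFIG QUIET)
  if(NOT Protobuf_FOUND)
    find_package(Protobuf REQUIRED)
  endif()

  # Refuse to configure against anything below the floor, so an old
  # system or vcpkg install cannot quietly bring back a release the
  # project has already moved away from.
  if(NOT DEFINED Protobuf_VERSION OR Protobuf_VERSION VERSION_LESS PROTOBUF_MIN_VERSION)
    message(FATAL_ERROR
      "System protobuf '${Protobuf_VERSION}' is below the required ${PROTOBUF_MIN_VERSION}; "
      "upgrade it or configure with -DUSE_SYSTEM_PROTOBUF=OFF to fetch a pinned copy")
  endif()
  message(STATUS "Using system protobuf ${Protobuf_VERSION}")
else()
  # Fetch a pinned release instead of carrying a git submodule. The tag is
  # the 3.21.6 release mentioned in the thread; bump it deliberately.
  include(FetchContent)
  set(protobuf_BUILD_TESTS OFF CACHE BOOL "" FORCE)
  set(protobuf_MSVC_STATIC_RUNTIME OFF CACHE BOOL "" FORCE)
  FetchContent_Declare(protobuf
    GIT_REPOSITORY https://github.com/protocolbuffers/protobuf.git
    GIT_TAG        v3.21.6)
  FetchContent_MakeAvailable(protobuf)
  message(STATUS "Using fetched protobuf v3.21.6")
endif()

# Both paths expose the same imported target, so consumers do not need to
# know which protobuf was selected.
add_library(consumer INTERFACE)
target_link_libraries(consumer INTERFACE protobuf::libprotobuf)
```

Configuring with `-DUSE_SYSTEM_PROTOBUF=ON -DCMAKE_TOOLCHAIN_FILE=<vcpkg>/scripts/buildsystems/vcpkg.cmake` exercises the system path against the vcpkg-provided package.
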
djee-ms (Member, Author) commented Nov 1, 2022

I'd actually go to 3.21 instead of 3.20, since that's the latest, but yes otherwise that sounds like a good plan, thanks!
