Bug 2049429 (CVE-2021-22570) - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
Summary: CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol le...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22570
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2050492 2050493 2050494 2050495 2050496 2053740 2053741 2055641 2055642 2055643 2055644 2055645 2055646 2055647 2055648 2055649 2064043 2064044 2064045
Blocks: 2049422
TreeView+ depends on / blocked
 
Reported: 2022-02-02 09:20 UTC by Vipul Nair
Modified: 2024-05-28 14:24 UTC (History)
32 users (show)

Fixed In Version: protobuf 3.15.0
Clone Of:
Environment:
Last Closed: 2022-12-10 00:33:35 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7464 0 None None None 2022-11-08 09:12:25 UTC
Red Hat Product Errata RHSA-2022:7970 0 None None None 2022-11-15 09:50:27 UTC
Red Hat Product Errata RHSA-2022:8847 0 None None None 2022-12-07 19:25:23 UTC
Red Hat Product Errata RHSA-2022:8860 0 None None None 2022-12-07 20:26:17 UTC
Red Hat Product Errata RHSA-2024:3433 0 None None None 2024-05-28 14:24:34 UTC

Description Vipul Nair 2022-02-02 09:20:17 UTC 
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
Comment 2 Sandipan Roy 2022-02-04 07:13:40 UTC 
Created protobuf tracking bugs for this issue:

Affects: fedora-all [bug 2050492]
Affects: openstack-rdo [bug 2050493]
Comment 4 Vipul Nair 2022-02-04 07:21:22 UTC 
Created mingw-protobuf tracking bugs for this issue:

Affects: fedora-all [bug 2050496]
Comment 6 Vipul Nair 2022-02-17 12:57:44 UTC 
Created cascadia-code-fonts tracking bugs for this issue:

Affects: fedora-all [bug 2055643]


Created chromium tracking bugs for this issue:

Affects: epel-all [bug 2055642]
Affects: fedora-all [bug 2055644]


Created pychromecast tracking bugs for this issue:

Affects: fedora-all [bug 2055645]


Created python-aioesphomeapi tracking bugs for this issue:

Affects: fedora-all [bug 2055646]


Created qt5-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2055647]


Created sorkintype-merriweather-fonts tracking bugs for this issue:

Affects: fedora-all [bug 2055648]


Created sorkintype-merriweather-sans-fonts tracking bugs for this issue:

Affects: fedora-all [bug 2055649]
Comment 12 errata-xmlrpc 2022-11-08 09:12:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7464 https://access.redhat.com/errata/RHSA-2022:7464
Comment 13 errata-xmlrpc 2022-11-15 09:50:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7970 https://access.redhat.com/errata/RHSA-2022:7970
Comment 14 errata-xmlrpc 2022-12-07 19:25:21 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:8847 https://access.redhat.com/errata/RHSA-2022:8847
Comment 15 errata-xmlrpc 2022-12-07 20:26:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:8860 https://access.redhat.com/errata/RHSA-2022:8860
Comment 16 Product Security DevOps Team 2022-12-10 00:33:31 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22570
Comment 18 errata-xmlrpc 2024-05-28 14:24:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:3433 https://access.redhat.com/errata/RHSA-2024:3433
Note You need to log in before you can comment on or make changes to this bug.