Bug 2049429 (CVE-2021-22570) - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
Summary: CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol l...
Keywords:
Status: NEW
Alias: CVE-2021-22570
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2050493 2050494 2050495 2053740 2053741 2055641 2055646 2055647 2055648 2055649 2064043 2050492 2050496 2055642 2055643 2055644 2055645 2064044 2064045
Blocks: 2049422
TreeView+ depends on / blocked
 
Reported: 2022-02-02 09:20 UTC by Vipul Nair
Modified: 2022-05-09 08:30 UTC (History)
33 users (show)

Fixed In Version: protobuf 3.15.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in protobuf. The vulnerability occurs due to incorrect parsing of a NULL character in the proto symbol and leads to a Null pointer dereference. This flaw allows an attacker to execute unauthorized code or commands, read memory, modify memory.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Vipul Nair 2022-02-02 09:20:17 UTC
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0

Comment 2 Sandipan Roy 2022-02-04 07:13:40 UTC
Created protobuf tracking bugs for this issue:

Affects: fedora-all [bug 2050492]
Affects: openstack-rdo [bug 2050493]

Comment 4 Vipul Nair 2022-02-04 07:21:22 UTC
Created mingw-protobuf tracking bugs for this issue:

Affects: fedora-all [bug 2050496]

Comment 6 Vipul Nair 2022-02-17 12:57:44 UTC
Created cascadia-code-fonts tracking bugs for this issue:

Affects: fedora-all [bug 2055643]


Created chromium tracking bugs for this issue:

Affects: epel-all [bug 2055642]
Affects: fedora-all [bug 2055644]


Created pychromecast tracking bugs for this issue:

Affects: fedora-all [bug 2055645]


Created python-aioesphomeapi tracking bugs for this issue:

Affects: fedora-all [bug 2055646]


Created qt5-qtwebengine tracking bugs for this issue:

Affects: fedora-all [bug 2055647]


Created sorkintype-merriweather-fonts tracking bugs for this issue:

Affects: fedora-all [bug 2055648]


Created sorkintype-merriweather-sans-fonts tracking bugs for this issue:

Affects: fedora-all [bug 2055649]


Note You need to log in before you can comment on or make changes to this bug.