Bugzilla – Full Text Bug Listing |
Summary: | VUL-0: CVE-2021-22570: protobuf: Nullptr dereference when a null char is present in a proto symbol | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Carlos López <carlos.lopez> |
Component: | Incidents | Assignee: | Max Lin <mlin> |
Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
Severity: | Normal | ||
Priority: | P2 - High | CC: | andreas.taschner, carlos.lopez, dmueller, gianluca.gabrielli, meissner, smash_bz |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/321783/ | ||
Whiteboard: | CVSSv3.1:SUSE:CVE-2021-22570:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) | ||
Found By: | Security Response Team | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Description
Carlos López
2022-01-28 09:15:57 UTC
There is not a lot of information about the bug, but going through the commit history, it seems that the fix is included in the changes to src/google/protobuf/descriptor.cc in: https://github.com/protocolbuffers/protobuf/commit/af95001202a035d78ff997e737bd67fca22ab32a Based on that, the affected codestreams are: - SUSE:SLE-15:Update - SUSE:SLE-15-SP2:Update - openSUSE:Backports:SLE-12-SP2:Update The fix was included in release 3.15.0, so openSUSE:Factory is not affected. I only just have one commit according to protobuf changelog, I didn't notice I'm the internal protobuf maintainer... I can submit the latest version that should fix this issue, is it ok for you? Hi Max, same as bsc#1194530#c4 [0]. [0] https://bugzilla.suse.com/show_bug.cgi?id=1194530#c4 MR#267360 for SUSE:SLE-15-SP2:Update MR#267361 for SUSE:SLE-15:Update openSUSE-SU-2022:0823-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1195258 CVE References: CVE-2021-22570 JIRA References: Sources used: openSUSE Leap 15.4 (src): protobuf-3.5.0-5.5.1 openSUSE Leap 15.3 (src): protobuf-3.5.0-5.5.1 openSUSE-SU-2022:1040-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1195258 CVE References: CVE-2021-22570 JIRA References: Sources used: openSUSE Leap 15.4 (src): protobuf-3.9.2-4.12.1 openSUSE Leap 15.3 (src): protobuf-3.9.2-4.12.1 SUSE-SU-2022:1040-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1195258 CVE References: CVE-2021-22570 JIRA References: Sources used: SUSE Linux Enterprise Realtime Extension 15-SP2 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Micro 5.1 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Micro 5.0 (src): protobuf-3.9.2-4.12.1 SUSE Linux Enterprise Installer 15-SP2 (src): protobuf-3.9.2-4.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. SUSE-SU-2022:1040-2: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1195258 CVE References: CVE-2021-22570 JIRA References: Sources used: SUSE Linux Enterprise Micro 5.2 (src): protobuf-3.9.2-4.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. |