Bug 1195258 (CVE-2021-22570)

Summary: VUL-0: CVE-2021-22570: protobuf: Nullptr dereference when a null char is present in a proto symbol
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Max Lin <mlin>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P2 - High CC: andreas.taschner, carlos.lopez, dmueller, gianluca.gabrielli, meissner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/321783/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-22570:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2022-01-28 09:15:57 UTC 
CVE-2021-22570

Nullptr dereference when a null char is present in a proto symbol. The symbol is
parsed incorrectly, leading to an unchecked call into the proto file's name
during generation of the resulting error message. Since the symbol is
incorrectly parsed, the file is nullptr. We recommend upgrading to version
3.15.0 or greater.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22570
https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
Comment 1 Carlos López 2022-01-28 09:20:59 UTC 
There is not a lot of information about the bug, but going through the commit history, it seems that the fix is included in the changes to src/google/protobuf/descriptor.cc in:
https://github.com/protocolbuffers/protobuf/commit/af95001202a035d78ff997e737bd67fca22ab32a

Based on that, the affected codestreams are:
 - SUSE:SLE-15:Update
 - SUSE:SLE-15-SP2:Update
 - openSUSE:Backports:SLE-12-SP2:Update

The fix was included in release 3.15.0, so openSUSE:Factory is not affected.
Comment 2 Max Lin 2022-02-21 07:40:55 UTC 
I only just have one commit according to protobuf changelog, I didn't notice I'm the internal protobuf maintainer... I can submit the latest version that should fix this issue, is it ok for you?
Comment 3 Gianluca Gabrielli 2022-02-21 09:14:44 UTC 
Hi Max, same as bsc#1194530#c4 [0].

[0] https://bugzilla.suse.com/show_bug.cgi?id=1194530#c4
Comment 5 Max Lin 2022-03-11 14:08:18 UTC 
MR#267360 for SUSE:SLE-15-SP2:Update
MR#267361 for SUSE:SLE-15:Update
Comment 9 Swamp Workflow Management 2022-03-14 17:25:38 UTC 
openSUSE-SU-2022:0823-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195258
CVE References: CVE-2021-22570
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    protobuf-3.5.0-5.5.1
openSUSE Leap 15.3 (src):    protobuf-3.5.0-5.5.1
Comment 10 Swamp Workflow Management 2022-03-30 13:27:37 UTC 
openSUSE-SU-2022:1040-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195258
CVE References: CVE-2021-22570
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    protobuf-3.9.2-4.12.1
openSUSE Leap 15.3 (src):    protobuf-3.9.2-4.12.1
Comment 11 Swamp Workflow Management 2022-03-30 13:28:39 UTC 
SUSE-SU-2022:1040-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195258
CVE References: CVE-2021-22570
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Micro 5.1 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Micro 5.0 (src):    protobuf-3.9.2-4.12.1
SUSE Linux Enterprise Installer 15-SP2 (src):    protobuf-3.9.2-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-04-19 22:35:15 UTC 
SUSE-SU-2022:1040-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195258
CVE References: CVE-2021-22570
JIRA References: 
Sources used:
SUSE Linux Enterprise Micro 5.2 (src):    protobuf-3.9.2-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.