Bugzilla – Bug 1194530
VUL-0: CVE-2021-22569: protobuf: potential Denial of Service in protobuf-java in the parsing procedure for binary data
Last modified: 2022-02-21 09:01:35 UTC
CVE-2021-22569: An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Probable upstream commit: https://github.com/protocolbuffers/protobuf/pull/9371/commits/5ea2bdf6d7483d64a6b02fcf00ee51fbfb80e847

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22569
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569
- https://cloud.google.com/support/bulletins#gcp-2022-001
Affected codestreams:
- SUSE:SLE-15-SP2:Update 3.9.2
- SUSE:SLE-15:Update 3.5.0
- openSUSE:Factory 3.17.3
- openSUSE:Leap:15.3:Update 3.9.2
- openSUSE:Leap:15.4:Update 3.9.2
I only have one commit according to the protobuf changelog; I didn't notice I'm the internal protobuf maintainer... I can submit the latest version that should fix this issue, is that ok for you?
The fix is contained in versions >= 3.16.1, >= 3.18.2, >= 3.19.2. We are ok with bumping the version in openSUSE:Factory, but we need to backport the patch on the other codestreams.
We can accept a version bump for codestreams other than Factory only if you can ensure there are no breaking changes between the starting version and the bumped version.
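A version check derived from the fixed releases named above (3.16.1, 3.18.2, 3.19.2), as an added example that is not part of this bug report or of the protobuf project; it assumes that release lines with no fix listed (3.17.x and everything before 3.16) stay vulnerable and that 3.20 and later are newer than all fixed releases, and it applies the check to the codestream versions listed in the report.

```python
# Added example (not from the bug report): decide whether a protobuf-java
# version string falls inside the CVE-2021-22569 vulnerable ranges, using the
# fixed releases stated in the report: 3.16.1, 3.18.2 and 3.19.2.
import re

# Release line -> first fixed release in that line (from the report).
FIXED = {
    (3, 16): (3, 16, 1),
    (3, 18): (3, 18, 2),
    (3, 19): (3, 19, 2),
}
# Assumption: lines with no fix listed (pre-3.16, 3.17.x) stay vulnerable,
# and any line from 3.20 upward is newer than every fixed release.
FIRST_FULLY_FIXED_LINE = (3, 20)

def parse_version(text):
    """Parse a plain 'MAJOR.MINOR.PATCH' string into an int tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised protobuf-java version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_vulnerable(text):
    """True if the given protobuf-java version lacks the CVE-2021-22569 fix."""
    version = parse_version(text)
    line = version[:2]
    if line >= FIRST_FULLY_FIXED_LINE:
        return False
    fixed = FIXED.get(line)
    if fixed is None:
        return True           # no fixed release exists in this line
    return version < fixed    # same line: fixed only from the listed patch onward

# Constructed sample: the codestream versions listed in this report.
CODESTREAMS = {
    "SUSE:SLE-15-SP2:Update": "3.9.2",
    "SUSE:SLE-15:Update": "3.5.0",
    "openSUSE:Factory": "3.17.3",
    "openSUSE:Leap:15.3:Update": "3.9.2",
    "openSUSE:Leap:15.4:Update": "3.9.2",
}

def report(streams=CODESTREAMS):
    """Map each codestream name to whether its shipped version is vulnerable."""
    return {name: is_vulnerable(ver) for name, ver in streams.items()}

if __name__ == "__main__":
    for name, vuln in report().items():
        print(f"{name:28} {'VULNERABLE' if vuln else 'fixed'}")
```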