CVE-2021-22570


Andrew Ryrie

Feb 11, 2022, 6:09:10 AM2/11/22
to Protocol Buffers
Hi,

Is there any official information about which parts of protobuf are affected by this vulnerability?

This CVE came up recently for a rather old issue which was fixed in 3.15.0, but affected versions of protobuf are still in fairly widespread use, e.g. Ubuntu distributes 3.6.1 in the latest LTS.  There seems to be fairly widespread confusion about what's affected - some places are saying that it's remotely exploitable, but after a look at the code I think it might be limited to bad input to the protobuf compiler.  Could someone with more knowledge than me confirm whether or not this is the case?

Mike Kruskal

Feb 11, 2022, 2:43:03 PM2/11/22
to Protocol Buffers
Hey Andrew,

Sorry for the confusion here!  To clarify a bit more, this bug only came into play for invalid symbols in proto descriptors (e.g. package names).  So as long as you aren't using external inputs to generate proto files or in-memory proto descriptors, this should not be remotely exploitable.  For the vast majority of actual cases I would expect this to not be an issue, but there definitely exist some potential uses where it is remotely exploitable.

Cheers,
-Mike
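
Mike's answer narrows the exposure to one code path: descriptors whose symbols (package, message, field, enum, service names) come from external input. The example below is added to this thread and is not code from the protobuf project or from either poster. It is a defence-in-depth check for programs that must keep building descriptors at runtime from untrusted bytes on a runtime older than 3.15.0: every symbol is validated against the proto identifier grammar (an identifier is `[A-Za-z_][A-Za-z0-9_]*`, a full name is identifiers joined by `.`) before the descriptor is handed to a descriptor pool. The function names, the `_Node`/`_File` stand-in classes and the sample descriptors are constructed for this example; the walker only relies on the attribute names that `descriptor_pb2` messages also expose (`package`, `message_type`, `nested_type`, `field`, `enum_type`, `value`, `service`, `method`, `extension`), so it runs here without protobuf installed.

```python
"""Validate symbol names in a FileDescriptorProto-like object before it is
added to a descriptor pool.  Added example for this thread; not protobuf
project code.  Anything that is not a well-formed proto identifier
(non-identifier characters, embedded NUL bytes, empty names) is reported."""
import re
from typing import Iterator, List, Tuple

# Proto identifier grammar.  fullmatch() rejects trailing newlines and NULs.
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Repeated fields of descriptor_pb2 messages that hold nested named symbols.
_CHILD_LISTS = ("message_type", "nested_type", "field", "extension",
                "enum_type", "value", "service", "method")


def is_identifier(s: str) -> bool:
    """True for a single proto identifier such as 'Invoice' or '_id2'."""
    return _IDENT.fullmatch(s) is not None


def is_full_name(s: str, allow_empty: bool = False) -> bool:
    """True for a dotted name such as 'acme.billing'; packages may be empty."""
    if s == "":
        return allow_empty
    return all(is_identifier(part) for part in s.split("."))


def _walk(node, prefix: str) -> Iterator[Tuple[str, str]]:
    """Yield (full_name, short_name) for every named child, depth first."""
    for attr in _CHILD_LISTS:
        for child in getattr(node, attr, ()):   # missing attr -> no children
            short = getattr(child, "name", "")
            full = f"{prefix}.{short}" if prefix else short
            yield full, short
            yield from _walk(child, full)


def find_invalid_symbols(file_proto) -> List[Tuple[str, str]]:
    """Return (location, offending_text) for each malformed symbol.

    An empty list means every symbol in the descriptor is well-formed and it
    is safe, as far as this check goes, to hand it to a DescriptorPool.
    """
    bad: List[Tuple[str, str]] = []
    package = getattr(file_proto, "package", "")
    if not is_full_name(package, allow_empty=True):
        bad.append(("package", package))
    for full, short in _walk(file_proto, package):
        if not is_identifier(short):
            bad.append((full, short))
    return bad


class _Node:
    """Constructed stand-in with the attribute names of descriptor_pb2
    messages, so this example runs without the protobuf package."""

    def __init__(self, name: str = "", **children):
        self.name = name
        for attr, items in children.items():
            setattr(self, attr, list(items))


class _File(_Node):
    """Stand-in for FileDescriptorProto: a file name plus a package."""

    def __init__(self, name: str, package: str, **children):
        super().__init__(name, **children)
        self.package = package


# Constructed sample descriptors: one clean, one with three bad symbols
# (a NUL byte inside the package, a hyphen in a field name, an empty method).
GOOD_FILE = _File(
    "good.proto", "acme.billing",
    message_type=[_Node("Invoice",
                        field=[_Node("id"), _Node("amount")],
                        nested_type=[_Node("Line")])],
    enum_type=[_Node("Status", value=[_Node("PAID")])],
)

BAD_FILE = _File(
    "bad.proto", "acme.bill\x00ing",
    message_type=[_Node("Invoice", field=[_Node("bad-name")])],
    service=[_Node("Billing", method=[_Node("")])],
)


if __name__ == "__main__":
    for label, fd in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        problems = find_invalid_symbols(fd)
        print(label, "->", "ok" if not problems else problems)
```

With protobuf installed, the same `find_invalid_symbols` accepts a real `descriptor_pb2.FileDescriptorProto` parsed from external bytes; reject the descriptor when the list is non-empty instead of adding it to the pool. This only narrows the remotely reachable input surface Mike describes; the actual fix is upgrading to 3.15.0 or later.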

Andrew Ryrie

Feb 14, 2022, 5:09:46 AM2/14/22
to Protocol Buffers
Hi Mike - That's good to know, many thanks for confirming.

Andrew