CVE-2021-22570: NULL Pointer Dereference in Protocol Buffers

January 27, 2022 (updated October 21, 2024)

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file’s name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

References

github.com/advisories/GHSA-77rm-9x9h-xj3g
github.com/protocolbuffers/protobuf
github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
github.com/pypa/advisory-database/tree/main/vulns/protobuf/PYSEC-2022-48.yaml
lists.debian.org/debian-lts-announce/2023/04/msg00019.html
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DVUZPALAQ34TQP6KFNLM4IZS6B32XSA
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTRGBRC5KGCA4SK5MUNLPYJRAGXMBIYY
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVTWVQRB5OCCTMKEQFY5MYED3DXDVSLP
nvd.nist.gov/vuln/detail/CVE-2021-22570
security.netapp.com/advisory/ntap-20220429-0005
www.oracle.com/security-alerts/cpuapr2022.html

Code Behaviors & Features

Detect and mitigate CVE-2021-22570 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →