Headline
CVE-2021-22570: Release Protocol Buffers v3.15.0 · protocolbuffers/protobuf
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file’s name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
Protocol Compiler
- Optional fields for proto3 are enabled by default, and no longer require
the --experimental_allow_proto3_optional flag.
C++
- MessageDifferencer: fixed bug when using custom ignore with multiple
unknown fields - Use init_seg in MSVC to push initialization to an earlier phase.
- Runtime no longer triggers -Wsign-compare warnings.
- Fixed -Wtautological-constant-out-of-range-compare warning.
- DynamicCastToGenerated works for nullptr input for even if RTTI is disabled
- Arena is refactored and optimized.
- Clarified/specified that the exact value of Arena::SpaceAllocated() is an
implementation detail users must not rely on. It should not be used in
unit tests. - Change the signature of Any::PackFrom() to return false on error.
- Add fast reflection getter API for strings.
- Constant initialize the global message instances
- Avoid potential for missed wakeup in UnknownFieldSet
- Now Proto3 Oneof fields have “has” methods for checking their presence in
C++. - Bugfix for NVCC
- Return early in _InternalSerialize for empty maps.
- Adding functionality for outputting map key values in proto path logging
output (does not affect comparison logic) and stop printing ‘value’ in the
path. The modified print functionality is in the
MessageDifferencer::StreamReporter. - Fixed #8129
- Ensure that null char symbol, package and file names do not result in a
crash. - Constant initialize the global message instances
- Pretty print ‘max’ instead of numeric values in reserved ranges.
- Removed remaining instances of std::is_pod, which is deprecated in C++20.
- Changes to reduce code size for unknown field handling by making uncommon
cases out of line. - Fix std::is_pod deprecated in C++20 (#7180)
- Fix some -Wunused-parameter warnings (#8053)
- Fix detecting file as directory on zOS issue #8051 (#8052)
- Don’t include sys/param.h for _BYTE_ORDER (#8106)
- remove CMAKE_THREAD_LIBS_INIT from pkgconfig CFLAGS (#8154)
- Fix TextFormatMapTest.DynamicMessage issue#5136 (#8159)
- Fix for compiler warning issue#8145 (#8160)
- fix: support deprecated enums for GCC < 6 (#8164)
- Fix some warning when compiling with Visual Studio 2019 on x64 target (#8125)
Python
- Provided an override for the reverse() method that will reverse the internal
collection directly instead of using the other methods of the BaseContainer. - MessageFactory.CreateProtoype can be overridden to customize class creation.
- Fix PyUnknownFields memory leak (#7928)
- Add macOS big sur compatibility (#8126)
JavaScript
- Generate getDescriptor methods with * as their this type.
- Enforce let/const for generated messages.
- js/binary/utils.js: Fix jspb.utils.joinUnsignedDecimalString to work with negative bitsLow and low but non-zero bitsHigh parameter. (#8170)
PHP
- Added support for PHP 8. (#8105)
- unregister INI entries and fix invalid read on shutdown (#8042)
- Fix PhpDoc comments for message accessors to include "|null". (#8136)
- fix: convert native PHP floats to single precision (#8187)
- Fixed PHP to support field numbers >=2**28. (#8235)
- feat: add support for deprecated fields to PHP compiler (#8223)
- Protect against stack overflow if the user derives from Message. (#8248)
- Fixed clone for Message, RepeatedField, and MapField. (#8245)
- Updated upb to allow nonzero offset minutes in JSON timestamps. (#8258)
Ruby
- Added support for Ruby 3. (#8184)
- Rewrote the data storage layer to be based on upb_msg objects from the
upb library. This should lead to much better parsing performance,
particularly for large messages. (#8184). - Fill out JRuby support (#7923)
- [Ruby] Fix: (SIGSEGV) gRPC-Ruby issue on Windows. memory alloc infinite
recursion/run out of memory (#8195) - Fix jruby support to handle messages nested more than 1 level deep (#8194)
Java
- Avoid possible UnsupportedOperationException when using CodedInputSteam
with a direct ByteBuffer. - Make Durations.comparator() and Timestamps.comparator() Serializable.
- Add more detailed error information for dynamic message field type
validation failure - Removed declarations of functions declared in java_names.h from
java_helpers.h. - Now Proto3 Oneof fields have “has” methods for checking their presence in
Java. - Annotates Java proto generated *_FIELD_NUMBER constants.
- Add -assumevalues to remove JvmMemoryAccessor on Android.
C#
- Fix parsing negative Int32Value that crosses segment boundary (#8035)
- Change ByteString to use memory and support unsafe create without copy (#7645)
- Optimize MapField serialization by removing MessageAdapter (#8143)
- Allow FileDescriptors to be parsed with extension registries (#8220)
- Optimize writing small strings (#8149)
Related news
Red Hat Security Advisory 2024-3433-03 - An update for protobuf is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.
Ubuntu Security Notice 5945-1 - It was discovered that Protocol Buffers did not properly validate field com.google.protobuf.UnknownFieldSet in protobuf-java. An attacker could possibly use this issue to perform a denial of service attack. This issue only affected protobuf Ubuntu 22.04 LTS and Ubuntu 22.10. It was discovered that Protocol Buffers did not properly parse certain symbols. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
Red Hat Security Advisory 2022-7399-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.0. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.
Red Hat OpenShift Container Platform release 4.12.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.12. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-2879: golang: arc...
Red Hat Security Advisory 2022-8893-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.20.
Red Hat OpenShift Container Platform release 4.11.20 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27191: golang: crash in a golang.org/x/crypto/ssh server
Red Hat Security Advisory 2022-8847-01 - An update for protobuf is now available for Red Hat OpenStack Platform 16.2.4 (Train).
An update for protobuf is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-22570: protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
An update for protobuf is now available for Red Hat OpenStack Platform 16.2.4 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-22570: protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
Red Hat Security Advisory 2022-7970-01 - The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data.
An update for protobuf is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-22570: protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
Red Hat Security Advisory 2022-7464-01 - The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data.
An update for protobuf is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-22570: protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...