Hi,

Is there any official information about which parts of protobuf are 
affected by this vulnerability?

This CVE came up recently for a rather old issue which was fixed in 3.15.0, 
but affected versions of protobuf are still in fairly widespread use, e.g. 
Ubuntu distributes 3.6.1 in the latest LTS.  There seems to be fairly 
widespread confusion about what's affected - some places are saying that 
it's remotely exploitable, but after a look at the code I think it might be 
limited to bad input to the protobuf compiler.  Could someone with more 
knowledge than me confirm whether or not this is the case?
