Hi Mike - That's good to know, many thanks for confirming.

Andrew

On Friday, 11 February 2022 at 19:43:03 UTC Mike Kruskal wrote:

> Hey Andrew,
>
> Sorry for the confusion here! To clarify a bit more, this bug only came into play for invalid symbols in proto descriptors (e.g. package names). So as long as you aren't using external inputs to generate proto files or in-memory proto descriptors, this should not be remotely exploitable. For the vast majority of actual cases I would expect this to not be an issue, but there definitely exist some potential uses where it is remotely exploitable.
>
> Cheers,
> -Mike
>
> On Friday, February 11, 2022 at 3:09:10 AM UTC-8 Andrew Ryrie wrote:
>
>> Hi,
>>
>> Is there any official information about which parts of protobuf are affected by this vulnerability?
>>
>> This CVE came up recently for a rather old issue which was fixed in 3.15.0, but affected versions of protobuf are still in fairly widespread use, e.g. Ubuntu distributes 3.6.1 in the latest LTS. There seems to be fairly widespread confusion about what's affected - some places are saying that it's remotely exploitable, but after a look at the code I think it might be limited to bad input to the protobuf compiler. Could someone with more knowledge than me confirm whether or not this is the case?

--
You received this message because you are subscribed to the Google Groups "Protocol Buffers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/protobuf/2cce9753-630f-44c8-a313-7041d68bccc0n%40googlegroups.com.
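The practical takeaway from the thread is that the affected code path is reached only when symbol names (package names in particular) in a proto descriptor are invalid, which matters for services that build proto files or in-memory descriptors from external input. The following is an added example, not code from the thread or from the protobuf project: a name-validation gate that a service accepting externally supplied descriptors can run before handing them to a descriptor pool. It assumes the identifier grammar of the .proto language (an identifier is `[A-Za-z_][A-Za-z0-9_]*`; a package or type full name is identifiers joined by single dots) and, in the optional section, the `google.protobuf.descriptor_pb2` and `descriptor_pool` modules of the Python protobuf package. All descriptor contents below are constructed sample data.

```python
"""Validate symbol names in a proto descriptor before it is loaded into a pool.

Added example for the discussion above; not protobuf project code. Assumes
the .proto identifier grammar: [A-Za-z_][A-Za-z0-9_]* for one identifier,
and one or more identifiers joined by single dots for a full name.
"""
import re
from typing import Iterable, List

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_identifier(name: str) -> bool:
    """True if `name` is a single proto identifier (no dots)."""
    return bool(IDENT_RE.match(name))


def is_valid_full_name(name: str, allow_empty: bool = False) -> bool:
    """True if `name` is a dotted sequence of identifiers (e.g. 'foo.bar').

    An empty package is legal in .proto, so allow_empty=True accepts "".
    Leading/trailing dots and empty components ('a..b') are rejected because
    split('.') yields an empty part, which fails IDENT_RE.
    """
    if name == "":
        return allow_empty
    return all(is_valid_identifier(part) for part in name.split("."))


def descriptor_name_problems(package: str,
                             message_names: Iterable[str],
                             field_names: Iterable[str] = ()) -> List[str]:
    """Return human-readable problems; an empty list means the names are clean."""
    problems: List[str] = []
    if not is_valid_full_name(package, allow_empty=True):
        problems.append(f"invalid package name: {package!r}")
    for m in message_names:
        if not is_valid_identifier(m):
            problems.append(f"invalid message name: {m!r}")
    for f in field_names:
        if not is_valid_identifier(f):
            problems.append(f"invalid field name: {f!r}")
    return problems


def check_file_descriptor_proto(fdp) -> List[str]:
    """Apply the same check to a google.protobuf.descriptor_pb2.FileDescriptorProto.

    Walks top-level messages and their fields only; nested types, enums and
    services are not walked here.
    """
    messages = [m.name for m in fdp.message_type]
    fields = [f.name for m in fdp.message_type for f in m.field]
    return descriptor_name_problems(fdp.package, messages, fields)


if __name__ == "__main__":
    # Constructed inputs: one clean descriptor, one whose package and field
    # names are the kind of invalid symbol the thread talks about.
    print(descriptor_name_problems("acme.billing", ["Invoice"], ["amount"]))
    print(descriptor_name_problems("acme..billing", ["Invoice"], ["1st_amount"]))

    # Optional: the same gate in front of a real DescriptorPool, if protobuf
    # is installed. The descriptor is built in memory from constructed values.
    try:
        from google.protobuf import descriptor_pb2, descriptor_pool
    except ImportError:
        descriptor_pb2 = descriptor_pool = None
    if descriptor_pb2 is not None:
        fdp = descriptor_pb2.FileDescriptorProto(name="x.proto", package="acme.billing")
        msg = fdp.message_type.add(name="Invoice")
        msg.field.add(name="amount", number=1,
                      type=descriptor_pb2.FieldDescriptorProto.TYPE_INT64)
        problems = check_file_descriptor_proto(fdp)
        if problems:
            print("rejected descriptor:", problems)
        else:
            # Only descriptors whose names passed reach the pool.
            descriptor_pool.DescriptorPool().AddSerializedFile(fdp.SerializeToString())
            print("descriptor accepted")
```

The check is deliberately stricter than "does not crash": any name that is not a well-formed identifier is rejected before the pool ever sees it, which is the layer at which an externally supplied descriptor should be stopped regardless of which protobuf version is deployed.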
