Hi Mike - That's good to know, many thanks for confirming.

Andrew
On Friday, 11 February 2022 at 19:43:03 UTC Mike Kruskal wrote:

> Hey Andrew,
>
> Sorry for the confusion here!  To clarify a bit more, this bug only came 
> into play for invalid symbols in proto descriptors (e.g. package names).  
> So as long as you aren't using external inputs to generate proto files or 
> in-memory proto descriptors, this should not be remotely exploitable.  For 
> the vast majority of actual cases I would expect this to not be an issue, 
> but there definitely exist some potential uses where it is remotely 
> exploitable.
>
> Cheers,
> -Mike
> On Friday, February 11, 2022 at 3:09:10 AM UTC-8 Andrew Ryrie wrote:
>
>> Hi,
>>
>> Is there any official information about which parts of protobuf are 
>> affected by this vulnerability?
>>
>> This CVE came up recently for a rather old issue which was fixed in 
>> 3.15.0, but affected versions of protobuf are still in fairly widespread 
>> use, e.g. Ubuntu distributes 3.6.1 in the latest LTS.  There seems to be 
>> fairly widespread confusion about what's affected - some places are saying 
>> that it's remotely exploitable, but after a look at the code I think it 
>> might be limited to bad input to the protobuf compiler.  Could someone with 
>> more knowledge than me confirm whether or not this is the case?
>>
>
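The distinction Mike draws above (the bug is reached only through invalid symbols such as package names in a descriptor, so the exposure is whether external input ever becomes a .proto file or an in-memory descriptor) suggests a simple defender-side gate. The following is an added example, not code from the thread or from the protobuf project: a pure-Python pre-check that rejects an untrusted descriptor whose package, message, field or enum names are not well-formed proto identifiers, plus a helper that tells whether a runtime version string is at or past the 3.15.0 fix named in the thread. It deliberately avoids importing protobuf so it runs offline; the dict-shaped descriptor (`package`, `messages`, `enums`) is a constructed stand-in for the fields of a real FileDescriptorProto, and the sample descriptors are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Proto identifier grammar: letters, digits and underscore, no leading digit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample descriptors (assumed shape, not a real FileDescriptorProto).
GOOD_DESCRIPTOR: Dict = {
    "package": "example.api",
    "messages": [{"name": "Ping", "fields": ["seq", "payload"]}],
    "enums": [{"name": "Kind", "values": ["KIND_UNSPECIFIED", "KIND_PING"]}],
}
BAD_DESCRIPTOR: Dict = {
    "package": "example..api",              # empty dotted component
    "messages": [{"name": "1Ping", "fields": ["ok", "bad-name"]}],
    "enums": [],
}


def is_valid_identifier(name: str) -> bool:
    """A single proto identifier (message, field, enum or enum value name)."""
    return bool(IDENT_RE.match(name))


def is_valid_package(pkg: str) -> bool:
    """Empty package is legal; otherwise every dot-separated part must be an identifier."""
    if pkg == "":
        return True
    return all(is_valid_identifier(part) for part in pkg.split("."))


def validate_descriptor(desc: Dict) -> List[str]:
    """Return every malformed symbol found in an untrusted descriptor (empty list = clean)."""
    problems: List[str] = []
    pkg = desc.get("package", "")
    if not is_valid_package(pkg):
        problems.append(f"invalid package name: {pkg!r}")
    for msg in desc.get("messages", []):
        name = msg.get("name", "")
        if not is_valid_identifier(name):
            problems.append(f"invalid message name: {name!r}")
        for field in msg.get("fields", []):
            if not is_valid_identifier(field):
                problems.append(f"invalid field name in {name!r}: {field!r}")
    for enum in desc.get("enums", []):
        name = enum.get("name", "")
        if not is_valid_identifier(name):
            problems.append(f"invalid enum name: {name!r}")
        for value in enum.get("values", []):
            if not is_valid_identifier(value):
                problems.append(f"invalid enum value in {name!r}: {value!r}")
    return problems


def runtime_has_fix(version: str) -> bool:
    """True when the protobuf version string is 3.15.0 or newer (the fix version from the thread)."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    while len(nums) < 3:
        nums += (0,)
    return nums >= (3, 15, 0)


def gate_untrusted_descriptor(desc: Dict, version: str) -> Tuple[bool, List[str]]:
    """Decide whether a descriptor built from external input may be loaded.

    The descriptor is accepted only if every symbol is well-formed. On a runtime
    older than 3.15.0 an extra note is attached so the operator sees that the
    symbol check is the only thing standing between the input and the old bug.
    """
    problems = validate_descriptor(desc)
    if not runtime_has_fix(version):
        problems.append(f"note: runtime {version} predates the 3.15.0 fix; "
                        "external descriptors should not be loaded here at all")
    accepted = not validate_descriptor(desc)
    return accepted, problems


if __name__ == "__main__":
    for label, d in (("good", GOOD_DESCRIPTOR), ("bad", BAD_DESCRIPTOR)):
        ok, notes = gate_untrusted_descriptor(d, "3.6.1")   # Ubuntu LTS version from the thread
        print(label, "accepted" if ok else "rejected", notes)
```

The gate is a pre-filter, not a replacement for upgrading: on 3.6.1 it still reports that the runtime predates the fix even when the descriptor passes, which matches the thread's advice that the safe posture is simply not to build descriptors from external input on an unfixed version.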

-- 
You received this message because you are subscribed to the Google Groups 
"Protocol Buffers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/protobuf/2cce9753-630f-44c8-a313-7041d68bccc0n%40googlegroups.com.
