import protobuf-3.5.0-15.el8

SOURCES/CVE-2021-22570.rhel-8.patch

@@ -0,0 +1,57 @@
+--- a/src/google/protobuf/descriptor.cc.orig	2017-11-13 19:47:29.000000000 +0100
++++ b/src/google/protobuf/descriptor.cc	2022-03-08 17:00:19.057041566 +0100
+@@ -2591,6 +2591,8 @@
+       const Descriptor::ReservedRange* range = reserved_range(i);
+       if (range->end == range->start + 1) {
+         strings::SubstituteAndAppend(contents, "$0, ", range->start);
++      } else if (range->end > FieldDescriptor::kMaxNumber) {
++        strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+       } else {
+         strings::SubstituteAndAppend(contents, "$0 to $1, ",
+                                      range->start, range->end - 1);
+@@ -2810,6 +2812,8 @@
+       const EnumDescriptor::ReservedRange* range = reserved_range(i);
+       if (range->end == range->start) {
+         strings::SubstituteAndAppend(contents, "$0, ", range->start);
++      } else if (range->end == INT_MAX) {
++        strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+       } else {
+         strings::SubstituteAndAppend(contents, "$0 to $1, ",
+                                      range->start, range->end);
+@@ -3983,6 +3987,11 @@
+   // Use its file as the parent instead.
+   if (parent == NULL) parent = file_;
+ 
++  if (full_name.find('\0') != std::string::npos) {
++    AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
++             "\"" + full_name + "\" contains null character.");
++    return false;
++  }
+   if (tables_->AddSymbol(full_name, symbol)) {
+     if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
+       // This is only possible if there was already an error adding something of
+@@ -4020,6 +4029,11 @@
+ 
+ void DescriptorBuilder::AddPackage(
+     const string& name, const Message& proto, const FileDescriptor* file) {
++  if (name.find('\0') != std::string::npos) {
++    AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
++             "\"" + name + "\" contains null character.");
++    return;
++  }
+   if (tables_->AddSymbol(name, Symbol(file))) {
+     // Success.  Also add parent package, if any.
+     string::size_type dot_pos = name.find_last_of('.');
+@@ -4288,6 +4302,12 @@
+   }
+   result->pool_ = pool_;
+ 
++  if (result->name().find('\0') != std::string::npos) {
++    AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
++             "\"" + result->name() + "\" contains null character.");
++    return nullptr;
++  }
++
+   // Add to tables.
+   if (!tables_->AddFile(result)) {
+     AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,

SPECS/protobuf.spec

@@ -14,7 +14,7 @@
 Summary:        Protocol Buffers - Google's data interchange format
 Name:           protobuf
 Version:        3.5.0
-Release:        13%{?dist}
+Release:        15%{?dist}
 License:        BSD
 URL:            https://github.com/google/protobuf
 Source:         https://github.com/google/protobuf/archive/v%{version}%{?rcver}/%{name}-%{version}%{?rcver}.tar.gz
@@ -25,6 +25,7 @@ Source3:        https://github.com/google/googlemock/archive/release-1.7.0.tar.g
 Source4:        https://github.com/google/googletest/archive/release-1.7.0.tar.gz#/googletest-1.7.0.tar.gz
 # Might be upstreamable, but for now temporary workaround
 Patch0:         0001-fix-build-on-s390x.patch
+Patch1:         CVE-2021-22570.rhel-8.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -421,6 +422,9 @@ install -p -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{emacs_startdir}
 %endif
 
 %changelog
+* Mon Mar 21 2022 Adrian Reber <areber@redhat.com> - 3.5.0-15
+- Applied patch for for CVE-2021-22570 (#2050494)
+
 * Thu May 28 2020 Adrian Reber <areber@redhat.com> - 3.5.0-13
 - Rebuild