import protobuf-3.14.0-13.el9

SOURCES/CVE-2021-22570.patch

@@ -0,0 +1,77 @@
+diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc
+index 7af37c57f3..03c4e2b516 100644
+--- a/src/google/protobuf/descriptor.cc
++++ b/src/google/protobuf/descriptor.cc
+@@ -1090,7 +1090,7 @@ inline void DescriptorPool::Tables::FindAllExtensions(
+ 
+ bool DescriptorPool::Tables::AddSymbol(const std::string& full_name,
+                                        Symbol symbol) {
+-  if (InsertIfNotPresent(&symbols_by_name_, full_name.c_str(), symbol)) {
++  if (InsertIfNotPresent(&symbols_by_name_, full_name, symbol)) {
+     symbols_after_checkpoint_.push_back(full_name.c_str());
+     return true;
+   } else {
+@@ -1106,7 +1106,7 @@ bool FileDescriptorTables::AddAliasUnderParent(const void* parent,
+ }
+ 
+ bool DescriptorPool::Tables::AddFile(const FileDescriptor* file) {
+-  if (InsertIfNotPresent(&files_by_name_, file->name().c_str(), file)) {
++  if (InsertIfNotPresent(&files_by_name_, file->name(), file)) {
+     files_after_checkpoint_.push_back(file->name().c_str());
+     return true;
+   } else {
+@@ -2626,6 +2626,8 @@ void Descriptor::DebugString(int depth, std::string* contents,
+       const Descriptor::ReservedRange* range = reserved_range(i);
+       if (range->end == range->start + 1) {
+         strings::SubstituteAndAppend(contents, "$0, ", range->start);
++      } else if (range->end > FieldDescriptor::kMaxNumber) {
++        strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+       } else {
+         strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+                                   range->end - 1);
+@@ -2829,6 +2831,8 @@ void EnumDescriptor::DebugString(
+       const EnumDescriptor::ReservedRange* range = reserved_range(i);
+       if (range->end == range->start) {
+         strings::SubstituteAndAppend(contents, "$0, ", range->start);
++      } else if (range->end == INT_MAX) {
++        strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+       } else {
+         strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+                                   range->end);
+@@ -4019,6 +4023,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+   // Use its file as the parent instead.
+   if (parent == nullptr) parent = file_;
+ 
++  if (full_name.find('\0') != std::string::npos) {
++    AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
++             "\"" + full_name + "\" contains null character.");
++    return false;
++  }
+   if (tables_->AddSymbol(full_name, symbol)) {
+     if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
+       // This is only possible if there was already an error adding something of
+@@ -4059,6 +4068,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+ void DescriptorBuilder::AddPackage(const std::string& name,
+                                    const Message& proto,
+                                    const FileDescriptor* file) {
++  if (name.find('\0') != std::string::npos) {
++    AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
++             "\"" + name + "\" contains null character.");
++    return;
++  }
+   if (tables_->AddSymbol(name, Symbol(file))) {
+     // Success.  Also add parent package, if any.
+     std::string::size_type dot_pos = name.find_last_of('.');
+@@ -4372,6 +4386,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl(
+   }
+   result->pool_ = pool_;
+ 
++  if (result->name().find('\0') != std::string::npos) {
++    AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
++             "\"" + result->name() + "\" contains null character.");
++    return nullptr;
++  }
++
+   // Add to tables.
+   if (!tables_->AddFile(result)) {
+     AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,

SPECS/protobuf.spec

@@ -10,7 +10,7 @@
 Summary:        Protocol Buffers - Google's data interchange format
 Name:           protobuf
 Version:        3.14.0
-Release:        9%{?dist}
+Release:        13%{?dist}
 License:        BSD
 URL:            https://github.com/protocolbuffers/protobuf
 Source:         https://github.com/protocolbuffers/protobuf/archive/v%{version}%{?rcver}/%{name}-%{version}%{?rcver}-all.tar.gz
@@ -22,6 +22,12 @@ Source3:        https://github.com/google/googletest/archive/5ec7f0c4a113e2f18ac
 # https://github.com/protocolbuffers/protobuf/issues/8082
 Patch1:         protobuf-3.14-disable-IoTest.LargeOutput.patch
 
+# Fix for CVE-2021-22570 "protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference"
+# https://bugzilla.redhat.com/show_bug.cgi?id=2050492
+# Based on https://github.com/protocolbuffers/protobuf/commit/af95001202a035d78ff997e737bd67fca22ab32a
+# As described in https://bugzilla.suse.com/show_bug.cgi?id=1195258
+Patch2:         CVE-2021-22570.patch
+
 BuildRequires:  make
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -205,6 +211,7 @@ descriptions in the Emacs editor.
 # IoTest.LargeOutput fails sometimes if not enough memory is available
 # https://github.com/protocolbuffers/protobuf/issues/8082
 %patch1 -p1
+%patch2 -p1
 mv googletest-5ec7f0c4a113e2f18ac2c6cc7df51ad6afc24081/* third_party/googletest/
 find -name \*.cc -o -name \*.h | xargs chmod -x
 chmod 644 examples/*
@@ -384,6 +391,15 @@ install -p -m 0644 %{SOURCE2} %{buildroot}%{_emacs_sitestartdir}
 
 
 %changelog
+* Wed Mar 23 2022 Adrian Reber <areber@redhat.com> - 3.14.0-13
+- Rebuilt for test fixes
+
+* Tue Mar 22 2022 Adrian Reber <areber@redhat.com> - 3.14.0-12
+- Rebuilt for test fixes
+
+* Tue Mar 08 2022 Adrian Reber <areber@redhat.com> - 3.14.0-11
+- Applied patch for for CVE-2021-22570 (#2055641)
+
 * Wed Feb 23 2022 Adrian Reber <areber@redhat.com> - 3.14.0-9
 - Rebuilt for errata