From 7e513a2277756a8a725bc8490df8e6f9329506dd Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 15 2022 06:32:33 +0000
Subject: import protobuf-3.14.0-13.el9
---
diff --git a/SOURCES/CVE-2021-22570.patch b/SOURCES/CVE-2021-22570.patch
new file mode 100644
index 0000000..078db13
--- /dev/null
+++ b/SOURCES/CVE-2021-22570.patch
@@ -0,0 +1,77 @@
+diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc
+index 7af37c57f3..03c4e2b516 100644
+--- a/src/google/protobuf/descriptor.cc
++++ b/src/google/protobuf/descriptor.cc
+@@ -1090,7 +1090,7 @@ inline void DescriptorPool::Tables::FindAllExtensions(
+
+ bool DescriptorPool::Tables::AddSymbol(const std::string& full_name,
+ Symbol symbol) {
+- if (InsertIfNotPresent(&symbols_by_name_, full_name.c_str(), symbol)) {
++ if (InsertIfNotPresent(&symbols_by_name_, full_name, symbol)) {
+ symbols_after_checkpoint_.push_back(full_name.c_str());
+ return true;
+ } else {
+@@ -1106,7 +1106,7 @@ bool FileDescriptorTables::AddAliasUnderParent(const void* parent,
+ }
+
+ bool DescriptorPool::Tables::AddFile(const FileDescriptor* file) {
+- if (InsertIfNotPresent(&files_by_name_, file->name().c_str(), file)) {
++ if (InsertIfNotPresent(&files_by_name_, file->name(), file)) {
+ files_after_checkpoint_.push_back(file->name().c_str());
+ return true;
+ } else {
+@@ -2626,6 +2626,8 @@ void Descriptor::DebugString(int depth, std::string* contents,
+ const Descriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start + 1) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end > FieldDescriptor::kMaxNumber) {
++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+ range->end - 1);
+@@ -2829,6 +2831,8 @@ void EnumDescriptor::DebugString(
+ const EnumDescriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end == INT_MAX) {
++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+ range->end);
+@@ -4019,6 +4023,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+ // Use its file as the parent instead.
+ if (parent == nullptr) parent = file_;
+
++ if (full_name.find('\0') != std::string::npos) {
++ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + full_name + "\" contains null character.");
++ return false;
++ }
+ if (tables_->AddSymbol(full_name, symbol)) {
+ if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
+ // This is only possible if there was already an error adding something of
+@@ -4059,6 +4068,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+ void DescriptorBuilder::AddPackage(const std::string& name,
+ const Message& proto,
+ const FileDescriptor* file) {
++ if (name.find('\0') != std::string::npos) {
++ AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + name + "\" contains null character.");
++ return;
++ }
+ if (tables_->AddSymbol(name, Symbol(file))) {
+ // Success. Also add parent package, if any.
+ std::string::size_type dot_pos = name.find_last_of('.');
+@@ -4372,6 +4386,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl(
+ }
+ result->pool_ = pool_;
+
++ if (result->name().find('\0') != std::string::npos) {
++ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + result->name() + "\" contains null character.");
++ return nullptr;
++ }
++
+ // Add to tables.
+ if (!tables_->AddFile(result)) {
+ AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,
diff --git a/SPECS/protobuf.spec b/SPECS/protobuf.spec
index 06a4477..197203b 100644
--- a/SPECS/protobuf.spec
+++ b/SPECS/protobuf.spec
@@ -10,7 +10,7 @@
 Summary: Protocol Buffers - Google's data interchange format
 Name: protobuf
 Version: 3.14.0
-Release: 9%{?dist}
+Release: 13%{?dist}
 License: BSD
 URL: https://github.com/protocolbuffers/protobuf
 Source: https://github.com/protocolbuffers/protobuf/archive/v%{version}%{?rcver}/%{name}-%{version}%{?rcver}-all.tar.gz
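Review bot: The unchanged line after each new `InsertIfNotPresent` call in `DescriptorPool::Tables::AddSymbol` and `Tables::AddFile` still records `full_name.c_str()` / `file->name().c_str()` in the checkpoint list, so the map key is now the full string while the checkpoint entry is presumably still read as a C string that ends at the first NUL. The two only agree because `DescriptorBuilder::AddSymbol`, `AddPackage` and `BuildFileImpl` now reject such names before the tables are touched; whether other callers of the tables exist is not visible here, and all of these bodies continue outside the hunks. I would record the invariant at both sites with a comment such as `// Names containing '\0' are rejected by DescriptorBuilder; the checkpoint entry is a C string.` The three new error messages also concatenate the raw name, so the diagnostic itself carries the NUL byte and can be cut short by C-string log sinks; escaping the name first (for instance with `CEscape`, if it is in scope in this file) would keep the message whole. No regression test for a NUL-containing name comes with the backport.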
@@ -22,6 +22,12 @@ Source3: https://github.com/google/googletest/archive/5ec7f0c4a113e2f18ac # https://github.com/protocolbuffers/protobuf/issues/8082 Patch1: protobuf-3.14-disable-IoTest.LargeOutput.patch +# Fix for CVE-2021-22570 "protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference" +# https://bugzilla.redhat.com/show_bug.cgi?id=2050492 +# Based on https://github.com/protocolbuffers/protobuf/commit/af95001202a035d78ff997e737bd67fca22ab32a +# As described in https://bugzilla.suse.com/show_bug.cgi?id=1195258 +Patch2: CVE-2021-22570.patch + BuildRequires: make BuildRequires: autoconf BuildRequires: automake @@ -205,6 +211,7 @@ descriptions in the Emacs editor. # IoTest.LargeOutput fails sometimes if not enough memory is available # https://github.com/protocolbuffers/protobuf/issues/8082 %patch1 -p1 +%patch2 -p1 mv googletest-5ec7f0c4a113e2f18ac2c6cc7df51ad6afc24081/* third_party/googletest/ find -name \*.cc -o -name \*.h | xargs chmod -x chmod 644 examples/* @@ -384,6 +391,15 @@ install -p -m 0644 %{SOURCE2} %{buildroot}%{_emacs_sitestartdir} %changelog +* Wed Mar 23 2022 Adrian Reber - 3.14.0-13 +- Rebuilt for test fixes + +* Tue Mar 22 2022 Adrian Reber - 3.14.0-12 +- Rebuilt for test fixes + +* Tue Mar 08 2022 Adrian Reber - 3.14.0-11 +- Applied patch for for CVE-2021-22570 (#2055641) + * Wed Feb 23 2022 Adrian Reber - 3.14.0-9 - Rebuilt for errata