Hi, I am writing to ask about the vulnerability reported as GHSA-jwvw-v7c5-m82h <https://github.com/advisories/GHSA-jwvw-v7c5-m82h> for protobuf-java <https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java>, which specifically talks about "*protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.*"
Specifically, I want to ask about earlier versions (< 3.4.0). Take for example version 2.5.0: based on all the code I see for CodedInputStream <https://github.com/protocolbuffers/protobuf/blob/v2.5.0/java/src/main/java/com/google/protobuf/CodedInputStream.java>, methods such as readRawBytes/refillBuffer, which perform either a copy to/from or a resize, are all pretty safe from integer overflows. There is also a slow path present, where we read the buffer in chunks to potentially prevent out-of-memory issues.

First question: However, I am not seeing any evidence of where the package can be vulnerable to buffer overflow issues. Additionally, given Java is a memory-safe language, I am failing to see how the Java ecosystem is susceptible to the aforementioned vulnerability.

Second question: There is a related question, along the same vein, here: https://github.com/protocolbuffers/protobuf/issues/760?reload=1#issuecomment-847162817 . The potential fix also suggests the issue might be present only in C/C++ ecosystems.

Any clarifications from the community would be appreciated. Thank you
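As an added illustration of the kind of bounds check the question is reasoning about (constructed example, not protobuf's CodedInputStream code and not a claim about any specific version), the snippet below contrasts an overflow-prone "position + length" comparison with the subtraction form, and shows that in Java a wrong check ends in a runtime exception rather than a heap write past the buffer. The buffer, position and `huge` length are made-up values.

```java
import java.util.Arrays;

// Constructed demo: an untrusted length field (e.g. a varint read from a
// message) can be any int, including values close to Integer.MAX_VALUE.
public class LengthCheckDemo {
    private static final byte[] buffer = new byte[16]; // constructed buffer
    private static final int bufferSize = buffer.length;
    private static final int bufferPos = 4;            // constructed read position

    // Overflow-prone form: bufferPos + size wraps to a negative int for a
    // huge size, so the comparison succeeds although the bytes are not there.
    static boolean fitsUnsafe(int size) {
        return size >= 0 && bufferPos + size <= bufferSize;
    }

    // Safe form: keep the arithmetic on the side that cannot overflow
    // (bufferSize - bufferPos is always a small non-negative number here).
    static boolean fitsSafe(int size) {
        return size >= 0 && size <= bufferSize - bufferPos;
    }

    // Copy out `size` bytes after the weak check. In Java the array copy is
    // itself bounds-checked, so a wrapped range raises an exception instead
    // of reading or writing memory outside the array.
    static byte[] readRawBytesWeakCheck(int size) {
        if (!fitsUnsafe(size)) {
            throw new IllegalStateException("truncated message");
        }
        return Arrays.copyOfRange(buffer, bufferPos, bufferPos + size);
    }

    public static void main(String[] args) {
        int huge = Integer.MAX_VALUE - 2; // bufferPos + huge wraps negative
        System.out.println("weak check accepts huge length: " + fitsUnsafe(huge));
        System.out.println("safe check accepts huge length: " + fitsSafe(huge));
        try {
            readRawBytesWeakCheck(huge);
        } catch (RuntimeException e) {
            // The JVM rejects the wrapped range; no out-of-bounds access occurs.
            System.out.println("copy rejected by the JVM: " + e);
        }
    }
}
```

The same wrapped comparison in C or C++, followed by an unchecked memcpy, is the pattern that turns into a heap overflow; in Java the failure mode is an exception or an oversized allocation attempt, which is why checking the length against the bytes actually available still matters for robustness.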
