Debian Security Advisory

DLA-3393-1 protobuf -- LTS security update

Date Reported:
18 Apr 2023
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2021-22569, CVE-2021-22570, CVE-2022-1941.
More information:

This update fixes a NULL pointer derference and two denial of service conditions in in protobuf.

  • CVE-2021-22569

    An issue in protobuf-java allowed the interleaving of fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses.

  • CVE-2021-22570

    Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr.

  • CVE-2022-1941

    A parsing vulnerability for the MessageSet type in the ProtocolBuffers can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input.

For Debian 10 buster, these problems have been fixed in version

We recommend that you upgrade your protobuf packages.

For the detailed security status of protobuf please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: