Advisory GHSA-77rm-9x9h-xj3g - Clarification required on ecosystems impacted #6038
Description
Hello everyone
Writing to talk about GHSA-77rm-9x9h-xj3g
For protobuf-java which specifically talks about "Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater."
Question : Given the below clarifications from protobuf , is it sufficient to mark java as not being impacted by the vulnerability?
protocolbuffers/protobuf#9483 - This issue was with the protoc compiler itself not any of the runtimes.
golang/protobuf#1425 - Even for golang - This appears to be a bug in the C++ code. The Go protobuf implementation does not link in any of the C++ code
Regards,
Somak