diff --git a/CVE-2021-22570.rhel-8.patch b/CVE-2021-22570.rhel-8.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8910b4df06ebad44054d5a70d72004781174309c
--- /dev/null
+++ b/CVE-2021-22570.rhel-8.patch
@@ -0,0 +1,57 @@
+--- a/src/google/protobuf/descriptor.cc.orig 2017-11-13 19:47:29.000000000 +0100
++++ b/src/google/protobuf/descriptor.cc 2022-03-08 17:00:19.057041566 +0100
+@@ -2591,6 +2591,8 @@
+ const Descriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start + 1) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end > FieldDescriptor::kMaxNumber) {
++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ",
+ range->start, range->end - 1);
+@@ -2810,6 +2812,8 @@
+ const EnumDescriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end == INT_MAX) {
++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ",
+ range->start, range->end);
+@@ -3983,6 +3987,11 @@
+ // Use its file as the parent instead.
+ if (parent == NULL) parent = file_;
+
++ if (full_name.find('\0') != std::string::npos) {
++ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + full_name + "\" contains null character.");
++ return false;
++ }
+ if (tables_->AddSymbol(full_name, symbol)) {
+ if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
+ // This is only possible if there was already an error adding something of
+@@ -4020,6 +4029,11 @@
+
+ void DescriptorBuilder::AddPackage(
+ const string& name, const Message& proto, const FileDescriptor* file) {
++ if (name.find('\0') != std::string::npos) {
++ AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + name + "\" contains null character.");
++ return;
++ }
+ if (tables_->AddSymbol(name, Symbol(file))) {
+ // Success. Also add parent package, if any.
+ string::size_type dot_pos = name.find_last_of('.');
+@@ -4288,6 +4302,12 @@
+ }
+ result->pool_ = pool_;
+
++ if (result->name().find('\0') != std::string::npos) {
++ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + result->name() + "\" contains null character.");
++ return nullptr;
++ }
++
+ // Add to tables.
+ if (!tables_->AddFile(result)) {
+ AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,
diff --git a/dist b/dist
new file mode 100644
index 0000000000000000000000000000000000000000..9c0e36ec42a2d9bfefacb21ac6354c9ddd910533
--- /dev/null
+++ b/dist
@@ -0,0 +1 @@
+an8
diff --git a/download b/download
new file mode 100644
index 0000000000000000000000000000000000000000..5105a572e6dd1fcd0ee36567cd88bc2fe2ed7bfb
--- /dev/null
+++ b/download
@@ -0,0 +1,3 @@
+13c3b4a57ad575763deb73fc0ad96e07 googlemock-1.7.0.tar.gz
+4ff6353b2560df0afecfbda3b2763847 googletest-1.7.0.tar.gz
+d95db321e1a9901fffc51ed8994afd36 protobuf-3.5.0.tar.gz
diff --git a/googlemock-1.7.0.tar.gz b/googlemock-1.7.0.tar.gz
deleted file mode 100644
index 91e50e17ddb4a37e3a0fabb4ec6054d811c5f9ae..0000000000000000000000000000000000000000
Binary files a/googlemock-1.7.0.tar.gz and /dev/null differ
diff --git a/googletest-1.7.0.tar.gz b/googletest-1.7.0.tar.gz
deleted file mode 100644
index 88afbaea71b4ba50b25f52e13e8c3b01f0f99494..0000000000000000000000000000000000000000
Binary files a/googletest-1.7.0.tar.gz and /dev/null differ
diff --git a/protobuf-3.5.0.tar.gz b/protobuf-3.5.0.tar.gz
deleted file mode 100644
index c3b91c39d42bc26cf5d0b75f1f45e16f09a2ab0a..0000000000000000000000000000000000000000
Binary files a/protobuf-3.5.0.tar.gz and /dev/null differ
diff --git a/protobuf.spec b/protobuf.spec
index 5e404fd754e7676ada8869e349248e036d8074df..3cf2ca0b54b689305f9dca0ad79bc4e55f88345b 100644
--- a/protobuf.spec
+++ b/protobuf.spec
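Review bot: The three null-character checks added in CVE-2021-22570.rhel-8.patch (before `tables_->AddSymbol(full_name, symbol)`, at the top of `DescriptorBuilder::AddPackage`, and before `tables_->AddFile(result)`) build the error text by concatenating the rejected name verbatim, so the message handed to `AddError` itself carries the embedded `\0`. An error collector or log sink that treats that text as a C string will cut it at the NUL and show only a fragment of the name, hiding the very input being rejected. Escaping the name first keeps the diagnostic intact, e.g. `"\"" + CEscape(full_name) + "\" contains null character."`, assuming `CEscape` from the stubs' strutil header is already visible in descriptor.cc (the includes are outside these hunks). The patch also carries no test; a descriptor unit test that feeds a name containing `'\0'` through each of the three paths would guard the backport on later rebases. All three enclosing functions start or end outside the hunks shown.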
@@ -14,7 +14,7 @@ Summary: Protocol Buffers - Google's data interchange format Name: protobuf Version: 3.5.0 -Release: 13%{?dist} +Release: 15%{?dist} License: BSD URL: https://github.com/google/protobuf Source: https://github.com/google/protobuf/archive/v%{version}%{?rcver}/%{name}-%{version}%{?rcver}.tar.gz @@ -25,6 +25,7 @@ Source3: https://github.com/google/googlemock/archive/release-1.7.0.tar.g Source4: https://github.com/google/googletest/archive/release-1.7.0.tar.gz#/googletest-1.7.0.tar.gz # Might be upstreamable, but for now temporary workaround Patch0: 0001-fix-build-on-s390x.patch +Patch1: CVE-2021-22570.rhel-8.patch BuildRequires: autoconf BuildRequires: automake @@ -421,6 +422,9 @@ install -p -m 0644 %{SOURCE2} $RPM_BUILD_ROOT%{emacs_startdir} %endif %changelog +* Mon Mar 21 2022 Adrian Reber - 3.5.0-15 +- Applied patch for for CVE-2021-22570 (#2050494) + * Thu May 28 2020 Adrian Reber - 3.5.0-13 - Rebuild
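Review bot: `Patch1: CVE-2021-22570.rhel-8.patch` is declared in the second protobuf.spec hunk, but no hunk in this diff touches `%prep`, so whether the patch is actually applied depends on lines that are not shown. If `%prep` applies patches one by one (for example a `%patch0` line) rather than through `%autosetup` or `%autopatch`, the package would build as release 15 with a changelog entry claiming the fix while descriptor.cc stays unpatched; in that case a matching `%patch1 -p1` line is needed. The inner patch headers use `a/src/...` and `b/src/...` paths, so strip level 1 is presumably what it expects. Confirming in the build log that the patch is applied would close this gap.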