Remediate CVE-2021-21401 by updating to nanopb 0.3.9.8 or higher

[scottluxenberg]

[REQUIRED] Step 1: Describe your environment

• Xcode version: 12.1
• Firebase SDK version: 7.4.0
• Installation method: CocoaPods (select one)
• Firebase Component: nanopb

[REQUIRED] Step 2: Describe the problem

CVE-2021-21401: "In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free() or realloc() calls if the message type contains an oneof field, and the oneof directly contains both a pointer field and a non-pointer field." Issue was reported on March 23, 2021, and was resolved with Nanopb 0.3.9.8 or 0.4.5

Steps to reproduce:

• Install Firebase 7.4.0 or higher
• Observe Nanopb is version 0.3.9.7 based on Google spec of Nanopb 2.03097.0

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[paulb777]

@scottluxenberg Thanks for the report. The nanopb issue came from us and we're working to update Firebase's nanopb version in our next release.