new file mode 100644
@@ -0,0 +1,47 @@
+From c4eda3e58680528147a4cc7e2b3c9044f795c9c9 Mon Sep 17 00:00:00 2001
+From: zhangskz <sandyzhang@google.com>
+Date: Thu, 29 Jan 2026 14:31:08 -0500
+Subject: [PATCH] Fix Any recursion depth bypass in Python
+ json_format.ParseDict (#25239) (#25586)
+
+This fixes a security vulnerability where nested google.protobuf.Any messages could bypass the max_recursion_depth limit, potentially leading to denial of service via stack overflow.
+
+The root cause was that _ConvertAnyMessage() was calling itself recursively via methodcaller() for nested well-known types, bypassing the recursion depth tracking in ConvertMessage().
+
+The fix routes well-known type parsing through ConvertMessage() to ensure proper recursion depth accounting for all message types including nested Any.
+
+Fixes #25070
+
+Closes #25239
+
+COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/25239 from aviralgarg05:fix-any-recursion-depth-bypass 3cbbcbea142593d3afd2ceba2db14b05660f62f4
+PiperOrigin-RevId: 862740421
+
+Co-authored-by: Aviral Garg <gargaviral99@gmail.com>
+
+CVE: CVE-2026-0994
+Upstream-Status: Backport [https://github.com/protocolbuffers/protobuf/commit/c4eda3e58680528147a4cc7e2b3c9044f795c9c9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ google/protobuf/json_format.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/google/protobuf/json_format.py b/google/protobuf/json_format.py
+index 1b6ce9d03..9acbaefb5 100644
+--- a/google/protobuf/json_format.py
++++ b/google/protobuf/json_format.py
+@@ -652,9 +652,11 @@ class _Parser(object):
+ self._ConvertWrapperMessage(value['value'], sub_message,
+ '{0}.value'.format(path))
+ elif full_name in _WKTJSONMETHODS:
+- methodcaller(_WKTJSONMETHODS[full_name][1], value['value'], sub_message,
+- '{0}.value'.format(path))(
+- self)
++ # For well-known types (including nested Any), use ConvertMessage
++ # to ensure recursion depth is properly tracked
++ self.ConvertMessage(
++ value['value'], sub_message, '{0}.value'.format(path)
++ )
+ else:
+ del value['@type']
+ self._ConvertFieldValuePair(value, sub_message, path)
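Review bot: The backport carries no regression test: the diffstat lists only `google/protobuf/json_format.py`, so nothing in the recipe verifies that the packaged version rejects over-deep nested `Any` input once the patch is applied. The fix only works if `ConvertMessage()` in this version increments and checks the recursion depth, which the hunk does not show; the enclosing method (presumably `_ConvertAnyMessage`, per the commit message) starts and ends outside it, so this should be confirmed against the unpacked source. A test asserting that `json_format.ParseDict` raises `ParseError` when nested `Any` values exceed `max_recursion_depth` would pin the behaviour. The added comment could also state the reason, e.g. `# Calling the WKT method directly skipped ConvertMessage's depth check (CVE-2026-0994).`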
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://PKG-INFO;beginline=8;endline=8;md5=53dbfa56f61b90215a
inherit pypi setuptools3
SRC_URI += "file://CVE-2025-4565.patch"
+SRC_URI += "file://CVE-2026-0994.patch"
SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f337105f2"