| Message ID | 20260330065150.2931505-1-naman.jain@partner.bmw.de |
|---|---|
| State | New |
| Series | [meta-python,kirkstone] python3-protobuf: ignore CVE-2024-7254 |
Thanks for this - could you please also add the same to the protobuf recipe in a separate patch? (This and the protobuf recipe share the same CVE_PRODUCT, and once a CVE is fixed in one recipe, the other recipe will show up in the weekly report.)

On 3/30/26 08:51, Naman Jain via lists.openembedded.org wrote:
> From: Naman Jain <namanj1@kpit.com>
>
> CVE-2024-7254 is a stack overflow vulnerability caused by unbounded
> recursion, specifically within the Java Protobuf Lite and Full runtimes
> (including Kotlin and JRuby bindings).
>
> The python3-protobuf recipe builds the Python implementation using the
> C++ backend (--cpp_implementation). This implementation does not
> contain the vulnerable Java-specific parsing logic (such as
> DiscardUnknownFieldsParser or ArrayDecoders).
>
> Authoritative security sources, including Red Hat and GitHub Advisory,
> have confirmed that non-Java implementations
> (Python/C++) are not affected by this specific flaw.
>
> Reference: https://access.redhat.com/security/cve/cve-2024-7254
>
> Signed-off-by: Naman Jain <namanj1@kpit.com>
> ---
>  meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
> index dbb30ad4df..52fea2ae6e 100644
> --- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
> +++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
> @@ -14,6 +14,9 @@ SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f33
>  
>  CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python"
>  
> +# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the Python/C++ implementation.
> +CVE_CHECK_IGNORE += "CVE-2024-7254"
> +
>  # http://errors.yoctoproject.org/Errors/Details/184715/
>  # Can't find required file: ../src/google/protobuf/descriptor.proto
>  CLEANBROKEN = "1"
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#125833): https://lists.openembedded.org/g/openembedded-devel/message/125833
> Mute This Topic: https://lists.openembedded.org/mt/118575124/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
index dbb30ad4df..52fea2ae6e 100644
--- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
+++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
@@ -14,6 +14,9 @@ SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f33
 
 CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python"
 
+# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the Python/C++ implementation.
+CVE_CHECK_IGNORE += "CVE-2024-7254"
+
 # http://errors.yoctoproject.org/Errors/Details/184715/
 # Can't find required file: ../src/google/protobuf/descriptor.proto
 CLEANBROKEN = "1"
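Review bot: the justification comment above `CVE_CHECK_IGNORE += "CVE-2024-7254"` should carry the evidence the commit message relies on, so the exclusion can be audited from the recipe alone rather than from git history; suggest `# CVE-2024-7254: unbounded recursion in the Java runtimes (and the Kotlin/JRuby bindings) only; see https://access.redhat.com/security/cve/cve-2024-7254`, which also fixes the mixed capitalisation in "Java/ruby/kotlin". As the reply notes, the protobuf recipe shares these CVE_PRODUCT entries, so without the matching ignore there the CVE keeps appearing in the weekly report for that recipe.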
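The reply above points out that every recipe sharing a CVE_PRODUCT token needs the same ignore, or the CVE resurfaces under the other recipe. As an added example (not code from the patch, from meta-openembedded or from bitbake's cve-check class), the POSIX shell script below walks a layer directory and lists the recipes that declare a given CVE_PRODUCT token but carry neither a CVE_CHECK_IGNORE entry (the form this kirkstone patch uses) nor a CVE_STATUS[...] entry (the newer form) for a given CVE. The sample layer it builds is constructed for the demo: the recipe names `protobuf_example.bb` and `python3-grpcio_example.bb` and their contents are assumptions, and only the CVE_PRODUCT and ignore lines of the python3-protobuf recipe are copied from the hunk above.

```shell
#!/bin/sh
# Added example for this review thread; not part of the patch, of
# meta-openembedded, or of bitbake's cve-check class.
# Recipe names/contents in make_demo_layer are constructed for the demo.

# Print every .bb/.bbappend under LAYER whose CVE_PRODUCT lists PRODUCT as a
# whole whitespace-separated token and which has neither a CVE_CHECK_IGNORE
# entry nor a CVE_STATUS[...] entry for CVE.
# usage: find_recipes_missing_ignore LAYER PRODUCT CVE
find_recipes_missing_ignore() {
    layer=$1 product=$2 cve=$3
    find "$layer" -name '*.bb' -o -name '*.bbappend' | sort | while read -r f; do
        # CVE_PRODUCT = / += / ?= "... PRODUCT ..." with PRODUCT as a whole token,
        # so "protobuf" does not match "google:protobuf" or "protobuf-python".
        grep -Eq "^CVE_PRODUCT[^\"]*\"([^\"]*[[:space:]])?${product}([[:space:]][^\"]*)?\"" "$f" || continue
        # CVE_CHECK_IGNORE += "... CVE ..."  or  CVE_STATUS[CVE] = "..."
        if ! grep -Eq "^CVE_CHECK_IGNORE[^\"]*\"([^\"]*[[:space:]])?${cve}([[:space:]][^\"]*)?\"|^CVE_STATUS\[${cve}\]" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Write a constructed layer into DIR that mirrors the thread: two recipes share
# the protobuf CVE_PRODUCT tokens, only python3-protobuf carries the ignore, and
# an unrelated recipe must never be reported for those tokens.
make_demo_layer() {
    dir=$1
    mkdir -p "$dir/recipes-devtools/python" "$dir/recipes-devtools/protobuf"
    cat > "$dir/recipes-devtools/python/python3-protobuf_3.20.3.bb" <<'EOF'
CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python"

# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the Python/C++ implementation.
CVE_CHECK_IGNORE += "CVE-2024-7254"
EOF
    # hypothetical protobuf recipe: same products, no ignore yet
    cat > "$dir/recipes-devtools/protobuf/protobuf_example.bb" <<'EOF'
CVE_PRODUCT = "google:protobuf protobuf:protobuf"
EOF
    # hypothetical unrelated recipe
    cat > "$dir/recipes-devtools/python/python3-grpcio_example.bb" <<'EOF'
CVE_PRODUCT = "grpc"
EOF
}

# Demo run on the constructed layer.
demo_dir=$(mktemp -d)
make_demo_layer "$demo_dir"
echo "Recipes listing google:protobuf without an ignore for CVE-2024-7254:"
find_recipes_missing_ignore "$demo_dir" google:protobuf CVE-2024-7254
rm -rf "$demo_dir"
```

Run it from a checkout with `find_recipes_missing_ignore path/to/meta-openembedded google:protobuf CVE-2024-7254` to get the list of recipes a follow-up patch has to touch; the token match is deliberately strict, so check each of `google:protobuf`, `protobuf:protobuf` and the other tokens separately if a recipe only lists some of them.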