On Fri, Sep 26, 2025 at 6:09 PM Faidon Liambotis <[email protected]> wrote:
> On Fri, Sep 19, 2025 at 09:19:20PM +0200, Lucas Nussbaum wrote:
> > >   File "/usr/lib/python3/dist-packages/google/protobuf/internal/python_message.py", line 1195, in InternalParse
> > >     pos = field_decoder(buffer, new_pos, end, self, field_dict)
> > >   File "/usr/lib/python3/dist-packages/google/protobuf/internal/decoder.py", line 715, in DecodeRepeatedField
> > >     current_depth += 1
> > >     ^^^^^^^^^^^^^
> > > UnboundLocalError: cannot access local variable 'current_depth' where it is not associated with a value
>
> I believe this to be caused by recent changes to the protobuf package,
> and specifically, the backport for the fix for CVE-2025-4565 as
> introduced in version 3.21.12-12.

Yes, that's the case. Upload with the fix is in progress.

> More specifically, the source for CVE-2025-4565.patch seems to be:
> https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
> ("Add recursion depth limits to pure python")
>
> This code increments the "current_depth" field.
>
> However, as evident by the above backtrace, that field does not exist.
> Looking further, it looks like the commit preceding it, introduced this:
> https://github.com/protocolbuffers/protobuf/commit/a6fa5799ff0153e4f0f6f1d8263d6b492ac129e0
> ("Internal pure python fixes")

Indeed, this is also needed with another commit.

> (As a side note, it took me a while to figure out the source for this
> patch, as there are no DEP-3 headers, and no proper patch
> attribution. The package also does not seem to be maintained in a Vcs
> where I could track changes either. It'd be great if the package were to
> be improved in these fronts.)

I've added DEP-3 headers for the new patches. I plan to make it a standard from now on.

Regards,
Laszlo/GCS
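A toy illustration of the recursion-depth limit that the CVE-2025-4565 fix adds to the pure-Python decoder, and of why the depth counter has to be threaded through every recursive call. This is added example code, not the thread's or the protobuf project's code; the wire-format subset, the exception class, MAX_RECURSION_DEPTH and the helper names are assumptions made for the example.

```python
MAX_RECURSION_DEPTH = 100  # constructed cap for this example, not protobuf's value
class RecursionLimitExceeded(ValueError): pass  # nesting deeper than the cap

def _read_varint(buf, pos):
    result, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1  # IndexError on truncated input
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def decode_nested(buf, pos=0, end=None, current_depth=0):
    """Decode tag/value records, parsing wire type 2 payloads as submessages."""
    end = len(buf) if end is None else end
    fields = []
    while pos < end:
        tag, pos = _read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 7
        if wire_type == 0:  # varint
            value, pos = _read_varint(buf, pos)
        elif wire_type == 2:  # length-delimited, treated here as a submessage
            size, pos = _read_varint(buf, pos)
            new_pos = pos + size
            if new_pos > end:
                raise ValueError("length-delimited field runs past end")
            # Must be threaded through every call: the backport in the thread lacked
            # the commit that introduced it, so this line raised UnboundLocalError.
            current_depth += 1
            if current_depth > MAX_RECURSION_DEPTH:
                raise RecursionLimitExceeded("nesting deeper than %d" % MAX_RECURSION_DEPTH)
            value = decode_nested(buf, pos, new_pos, current_depth)
            current_depth -= 1
            pos = new_pos
        else:
            raise ValueError("wire type %d not handled in this example" % wire_type)
        fields.append((field, value))
    return fields

def _varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))
def encode_nested(depth):
    # Constructed input: field 1 (wire type 2) wrapped `depth` times around field 2 = 7.
    msg = bytes([0x10, 0x07])
    for _ in range(depth):
        msg = bytes([0x0A]) + _varint(len(msg)) + msg
    return msg
```

Input nested one level past the cap is rejected with RecursionLimitExceeded instead of being parsed all the way down, which is the denial-of-service the depth limit exists to prevent.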

