Control: reassign -1 protobuf 3.21.12-12
Control: affects -1 nanopb

On Fri, Sep 19, 2025 at 09:19:20PM +0200, Lucas Nussbaum wrote:
> <snip>
> >   File "/usr/lib/python3/dist-packages/google/protobuf/internal/python_message.py", line 1195, in InternalParse
> >     pos = field_decoder(buffer, new_pos, end, self, field_dict)
> >   File "/usr/lib/python3/dist-packages/google/protobuf/internal/decoder.py", line 715, in DecodeRepeatedField
> >     current_depth += 1
> >     ^^^^^^^^^^^^^
> > UnboundLocalError: cannot access local variable 'current_depth' where it is not associated with a value
I believe this to be caused by recent changes to the protobuf package, and specifically the backport of the fix for CVE-2025-4565 as introduced in version 3.21.12-12.

More specifically, the source for CVE-2025-4565.patch seems to be:
https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901
("Add recursion depth limits to pure python")

This code increments the "current_depth" field. However, as is evident from the above backtrace, that field does not exist. Looking further, it looks like the commit preceding it introduced this:
https://github.com/protocolbuffers/protobuf/commit/a6fa5799ff0153e4f0f6f1d8263d6b492ac129e0
("Internal pure python fixes")

I believe the fact that this was a 2-part commit change was missed, and the fix for this bug would be to also backport this second commit. I have not tested that, and am going just by my rudimentary reading of the code.

(As a side note, it took me a while to figure out the source for this patch, as there are no DEP-3 headers and no proper patch attribution. The package also does not seem to be maintained in a Vcs where I could track changes either. It'd be great if the package were to be improved on these fronts.)

Regards,
Faidon
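Added example, not code from the bug report, from Debian or from the protobuf project: a toy length-prefixed nested-message decoder in Python that shows the recursion-depth-limit pattern the upstream commit title describes, next to the broken shape that results when the `current_depth += 1` line is present but the statement that binds `current_depth` was not backported. The toy wire format and the names `decode_nested`, `decode_nested_partial_backport`, `nest`, `run` and `MAX_RECURSION_DEPTH` are assumptions made for this example and are not protobuf's own API.

```python
# Added example (assumptions: toy wire format, names below). Not protobuf code.
#
# Toy format: a message is either empty, or one byte giving the length of a
# single nested child message, followed by that child's bytes. Decoding is
# naturally recursive, which is exactly why a depth limit is needed: without
# one, attacker-controlled nesting is bounded only by the interpreter stack.

MAX_RECURSION_DEPTH = 100  # assumed limit, chosen for the example


class RecursionLimitExceeded(Exception):
    """Raised when a message nests deeper than MAX_RECURSION_DEPTH."""


def decode_nested(buf, pos, end, current_depth=0):
    """Correct shape: the depth counter is a parameter threaded through the
    recursion (the part that must be present for the increment to work).
    Returns (nesting depth of this message, position after it)."""
    if pos >= end:
        return 0, pos
    length = buf[pos]
    pos += 1
    new_end = pos + length
    if new_end > end:
        raise ValueError("truncated message")
    current_depth += 1
    if current_depth > MAX_RECURSION_DEPTH:
        raise RecursionLimitExceeded(
            "nesting exceeds %d levels" % MAX_RECURSION_DEPTH)
    inner_depth, _ = decode_nested(buf, pos, new_end, current_depth)
    return inner_depth + 1, new_end


def decode_nested_partial_backport(buf, pos, end):
    """Broken shape: the depth check was backported, but not the parameter
    that binds current_depth in this scope. Python treats the augmented
    assignment as a local binding, so the first increment raises
    UnboundLocalError on any non-empty input, matching the backtrace."""
    if pos >= end:
        return 0, pos
    length = buf[pos]
    pos += 1
    new_end = pos + length
    if new_end > end:
        raise ValueError("truncated message")
    current_depth += 1  # UnboundLocalError: never assigned before this line
    if current_depth > MAX_RECURSION_DEPTH:
        raise RecursionLimitExceeded("nesting too deep")
    inner_depth, _ = decode_nested_partial_backport(buf, pos, new_end)
    return inner_depth + 1, new_end


def nest(depth):
    """Construct a toy message nested `depth` levels deep (test input)."""
    inner = b""
    for _ in range(depth):
        inner = bytes([len(inner)]) + inner
    return inner


def run(decoder, buf):
    """Classify a decode attempt: ('ok', depth), ('limit', None) when the
    depth limit fires, or ('bug', None) for the unbound-local failure."""
    try:
        depth, _ = decoder(buf, 0, len(buf))
        return ("ok", depth)
    except RecursionLimitExceeded:
        return ("limit", None)
    except UnboundLocalError:
        return ("bug", None)


if __name__ == "__main__":
    print("depth 5, fixed decoder:    ", run(decode_nested, nest(5)))
    print("depth 101, fixed decoder:  ", run(decode_nested, nest(101)))
    print("depth 1, partial backport: ", run(decode_nested_partial_backport, nest(1)))
```

The complete decoder accepts messages up to the limit and rejects deeper ones with a controlled exception instead of exhausting the stack; the partial-backport variant fails on every non-empty message, which is why a broken two-part backport shows up as a hard parse failure rather than as a weakened limit.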

