From: Peter Marko <[email protected]>

Pick patch from PR in NVD report.
It is the only code change in the 33.5 release.
Skip the test file change as it's not shipped in python module sources.
Resolve formatting-only conflict.

Signed-off-by: Peter Marko <[email protected]>
---
 .../python3-protobuf/CVE-2026-0994.patch      | 47 +++++++++++++++++++
 .../python/python3-protobuf_3.20.3.bb         |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch

diff --git 
a/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch 
b/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch
new file mode 100644
index 0000000000..156be3be29
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch
@@ -0,0 +1,47 @@
+From c4eda3e58680528147a4cc7e2b3c9044f795c9c9 Mon Sep 17 00:00:00 2001
+From: zhangskz <[email protected]>
+Date: Thu, 29 Jan 2026 14:31:08 -0500
+Subject: [PATCH] Fix Any recursion depth bypass in Python
+ json_format.ParseDict (#25239) (#25586)
+
+This fixes a security vulnerability where nested google.protobuf.Any messages 
could bypass the max_recursion_depth limit, potentially leading to denial of 
service via stack overflow.
+
+The root cause was that _ConvertAnyMessage() was calling itself recursively 
via methodcaller() for nested well-known types, bypassing the recursion depth 
tracking in ConvertMessage().
+
+The fix routes well-known type parsing through ConvertMessage() to ensure 
proper recursion depth accounting for all message types including nested Any.
+
+Fixes #25070
+
+Closes #25239
+
+COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/25239
 from aviralgarg05:fix-any-recursion-depth-bypass 
3cbbcbea142593d3afd2ceba2db14b05660f62f4
+PiperOrigin-RevId: 862740421
+
+Co-authored-by: Aviral Garg <[email protected]>
+
+CVE: CVE-2026-0994
+Upstream-Status: Backport 
[https://github.com/protocolbuffers/protobuf/commit/c4eda3e58680528147a4cc7e2b3c9044f795c9c9]
+Signed-off-by: Peter Marko <[email protected]>
+---
+ google/protobuf/json_format.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/google/protobuf/json_format.py b/google/protobuf/json_format.py
+index 1b6ce9d03..9acbaefb5 100644
+--- a/google/protobuf/json_format.py
++++ b/google/protobuf/json_format.py
+@@ -652,9 +652,11 @@ class _Parser(object):
+       self._ConvertWrapperMessage(value['value'], sub_message,
+                                   '{0}.value'.format(path))
+     elif full_name in _WKTJSONMETHODS:
+-      methodcaller(_WKTJSONMETHODS[full_name][1], value['value'], sub_message,
+-                   '{0}.value'.format(path))(
+-                       self)
++      # For well-known types (including nested Any), use ConvertMessage
++      # to ensure recursion depth is properly tracked
++      self.ConvertMessage(
++          value['value'], sub_message, '{0}.value'.format(path)
++      )
+     else:
+       del value['@type']
+       self._ConvertFieldValuePair(value, sub_message, path)
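Review bot: The rerouting in the `elif full_name in _WKTJSONMETHODS:` branch only closes the bypass if the `ConvertMessage()` present in this 3.20.3 tree is the function that performs the `max_recursion_depth` accounting before it dispatches to the `_WKTJSONMETHODS` handler; the upstream commit was written against a tree where that holds, and the cover letter says the only conflict was formatting, so please confirm in the backported file that the depth check sits in `ConvertMessage()` rather than in a caller the old `methodcaller(...)` path was also skipping. Since the upstream test change was deliberately dropped, a sentence in the patch header stating how it was verified (a ParseDict of an Any nested past the configured depth now raising the parser's depth error instead of overflowing the interpreter stack) would let the next person refreshing this patch re-check it without the test.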
diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb 
b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
index b3846ddeb3..dbb30ad4df 100644
--- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
+++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = 
"file://PKG-INFO;beginline=8;endline=8;md5=53dbfa56f61b90215a
 inherit pypi setuptools3
 
 SRC_URI += "file://CVE-2025-4565.patch"
+SRC_URI += "file://CVE-2026-0994.patch"
 
 SRC_URI[sha256sum] = 
"2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f337105f2"
 
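Review bot: Ordering matters in this SRC_URI block: CVE-2026-0994.patch makes the Any branch call `ConvertMessage()` for its depth accounting, and if, as its name suggests, CVE-2025-4565.patch is what introduced that accounting in this recipe, the new patch must stay listed after it as it is here; a one-line comment above the two `SRC_URI +=` lines recording that dependency would stop a later reorder or patch refresh from silently reintroducing the bypass.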
View/Reply Online (#124089): https://lists.openembedded.org/g/openembedded-devel/message/124089