From 457e1a61e09e26e722f1e136de6a04896c8bc1a6 Mon Sep 17 00:00:00 2001
From: Naman Jain
Date: Mon, 30 Mar 2026 12:21:50 +0530
Subject: [PATCH] python3-protobuf: ignore CVE-2024-7254

CVE-2024-7254 is a stack overflow vulnerability caused by unbounded recursion, specifically within the Java Protobuf Lite and Full runtimes (including Kotlin and JRuby bindings). The python3-protobuf recipe builds the Python implementation using the C++ backend (--cpp_implementation). This implementation does not contain the vulnerable Java-specific parsing logic (such as DiscardUnknownFieldsParser or ArrayDecoders). Authoritative security sources, including Red Hat and GitHub Advisory have confirmed that non-Java implementations (Python/C++) are not affected by this specific flaw.
Reference: https://access.redhat.com/security/cve/cve-2024-7254
Signed-off-by: Naman Jain
Signed-off-by: Gyorgy Sarvari
---
 meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
index dbb30ad4df..52fea2ae6e 100644
--- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
+++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
@@ -14,6 +14,9 @@ SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f33
 CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python"
 
+# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the Python/C++ implementation.
+CVE_CHECK_IGNORE += "CVE-2024-7254"
+
 # http://errors.yoctoproject.org/Errors/Details/184715/
 # Can't find required file: ../src/google/protobuf/descriptor.proto
 CLEANBROKEN = "1"
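Review bot: The justification for the exclusion lives only in a recipe comment, so it never reaches the generated CVE report where an auditor would look for it; `CVE_CHECK_IGNORE` is also the older form that newer oe-core treats as deprecated in favour of `CVE_STATUS`, which records both the reason category and the free-text rationale in the report. If the layer's oe-core baseline supports it, replace the two added lines with `CVE_STATUS[CVE-2024-7254] = "not-applicable-config: only the Java (incl. Kotlin/JRuby) runtimes are affected; this recipe builds the C++ implementation. See https://access.redhat.com/security/cve/cve-2024-7254"`, which keeps the Red Hat reference from the commit message next to the decision. Either way, the in-file comment should name the source of the "not affected" claim, since a bare assertion is hard to re-verify when the recipe is next upgraded. If `CVE_CHECK_IGNORE` must stay for compatibility, at least append the reference URL to the comment on the first added line.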