python3-protobuf: ignore CVE-2024-7254

CVE-2024-7254 is a stack overflow vulnerability caused by unbounded
recursion, specifically within the Java Protobuf Lite and Full runtimes
(including Kotlin and JRuby bindings).

The python3-protobuf recipe builds the Python implementation using the
C++ backend (--cpp_implementation). This implementation does not
contain the vulnerable Java-specific parsing logic (such as
DiscardUnknownFieldsParser or ArrayDecoders).

Authoritative security sources, including Red Hat and GitHub Advisory,
have confirmed that non-Java implementations (Python/C++) are not
affected by this specific flaw.

Reference: https://access.redhat.com/security/cve/cve-2024-7254

Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Naman Jain
2026-03-30 12:21:50 +05:30
committed by Gyorgy Sarvari
parent 9d8ef26a96
commit 457e1a61e0
@@ -14,6 +14,9 @@ SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f33
CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python"
# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the Python/C++ implementation.
CVE_CHECK_IGNORE += "CVE-2024-7254"
# http://errors.yoctoproject.org/Errors/Details/184715/
# Can't find required file: ../src/google/protobuf/descriptor.proto
CLEANBROKEN = "1"
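Review bot: the comment above `CVE_CHECK_IGNORE += "CVE-2024-7254"` should carry the justification and source so a later reviewer can re-check it without digging up this commit; the commit message already has both, so add the Red Hat link and the reason the scanner matched at all (the `CVE_PRODUCT` line includes `protobuf:protobuf`, which is what pulls in this Java-only advisory), e.g. `# Only the Java/Kotlin/JRuby runtimes are affected; the C++-backed Python build is not. See https://access.redhat.com/security/cve/cve-2024-7254`. Also, `CVE_CHECK_IGNORE` is the legacy form; on branches where `CVE_STATUS` is available, `CVE_STATUS[CVE-2024-7254] = "not-applicable-config: ..."` records the same decision with a reason the tooling can report, so consider that if this is not a kirkstone-only backport.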