CVE-2024-7254 is a stack overflow vulnerability caused by unbounded
recursion, specifically within the Java Protobuf Lite and Full runtimes
(including Kotlin and JRuby bindings).
The python3-protobuf recipe builds the Python implementation using the
C++ backend (--cpp_implementation). This implementation does not
contain the vulnerable Java-specific parsing logic (such as
DiscardUnknownFieldsParser or ArrayDecoders).
Authoritative security sources, including Red Hat and GitHub Advisory,
have confirmed that non-Java implementations (Python/C++) are not
affected by this specific flaw.
Reference: https://access.redhat.com/security/cve/cve-2024-7254
Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

Pick patch from PR in NVD report.
It is the only code change in the 33.5 release.
Skip the test file change as it's not shipped in the Python module sources.
Resolve formatting-only conflict.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

This CVE fix was added to the protobuf recipe, but since it's patching Python
code, it should have been submitted to python3-protobuf.
Take the patch from protobuf recipe and adapt to python3-protobuf.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>