mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity
Files
kirkstone
meta-openembedded/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
T
Naman Jain 457e1a61e0 python3-protobuf: ignore CVE-2024-7254 
CVE-2024-7254 is a stack overflow vulnerability caused by unbounded
recursion, specifically within the Java Protobuf Lite and Full runtimes
(including Kotlin and JRuby bindings).

The python3-protobuf recipe builds the Python implementation using the
C++ backend (--cpp_implementation). This implementation does not
contain the vulnerable Java-specific parsing logic (such as
DiscardUnknownFieldsParser or ArrayDecoders).

Authoritative security sources, including Red Hat and GitHub Advisory
have confirmed that non-Java implementations
(Python/C++) are not affected by this specific flaw.

Reference: https://access.redhat.com/security/cve/cve-2024-7254

Signed-off-by: Naman Jain <namanj1@kpit.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-03 10:40:37 +00:00

49 lines
1.4 KiB
BlitzBasic
Raw Permalink Blame History

DESCRIPTION = "Protocol Buffers"
HOMEPAGE = "https://developers.google.com/protocol-buffers/"
SECTION = "devel/python"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://PKG-INFO;beginline=8;endline=8;md5=53dbfa56f61b90215a9f8f0d527c043d"
inherit pypi setuptools3
SRC_URI += "file://CVE-2025-4565.patch"
SRC_URI += "file://CVE-2026-0994.patch"
SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f337105f2"
CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python"
# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the Python/C++ implementation.
CVE_CHECK_IGNORE += "CVE-2024-7254"
# http://errors.yoctoproject.org/Errors/Details/184715/
# Can't find required file: ../src/google/protobuf/descriptor.proto
CLEANBROKEN = "1"
UPSTREAM_CHECK_REGEX = "protobuf/(?P<pver>\d+(\.\d+)+)/"
DEPENDS += "protobuf"
RDEPENDS:${PN} += " \
${PYTHON_PN}-ctypes \
${PYTHON_PN}-datetime \
${PYTHON_PN}-json \
${PYTHON_PN}-logging \
${PYTHON_PN}-netclient \
${PYTHON_PN}-numbers \
${PYTHON_PN}-pkgutil \
${PYTHON_PN}-six \
${PYTHON_PN}-unittest \
"
# For usage in other recipies when compiling protobuf files (e.g. by grpcio-tools)
BBCLASSEXTEND = "native nativesdk"
DISTUTILS_BUILD_ARGS += "--cpp_implementation"
DISTUTILS_INSTALL_ARGS += "--cpp_implementation"
do_compile:prepend:class-native () {
export KOKORO_BUILD_NUMBER="1"
}
Reference in New Issue View Git Blame Copy Permalink