[meta-python][kirkstone][PATCH] python3-protobuf: ignore CVE-2024-7254

[meta-python][kirkstone][PATCH] python3-protobuf: ignore CVE-2024-7254

[Naman Jain]

From: Naman Jain <namanj1@kpit.com>

CVE-2024-7254 is a stack overflow vulnerability caused by unbounded
recursion, specifically within the Java Protobuf Lite and Full runtimes
(including Kotlin and JRuby bindings).

The python3-protobuf recipe builds the Python implementation using the
C++ backend (--cpp_implementation). This implementation does not
contain the vulnerable Java-specific parsing logic (such as
DiscardUnknownFieldsParser or ArrayDecoders).

Authoritative security sources, including Red Hat and GitHub Advisory
have confirmed that non-Java implementations
(Python/C++) are not affected by this specific flaw.

Reference: https://access.redhat.com/security/cve/cve-2024-7254

Signed-off-by: Naman Jain <namanj1@kpit.com>
---
 meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
index dbb30ad4df..52fea2ae6e 100644
--- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
+++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
@@ -14,6 +14,9 @@ SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f33
 
 CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python"
 
+# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the Python/C++ implementation.
+CVE_CHECK_IGNORE += "CVE-2024-7254"
+
 # http://errors.yoctoproject.org/Errors/Details/184715/
 # Can't find required file: ../src/google/protobuf/descriptor.proto
 CLEANBROKEN = "1"
-- 
2.34.1

Re: [oe] [meta-python][kirkstone][PATCH] python3-protobuf: ignore CVE-2024-7254

[Gyorgy Sarvari]

Thanks for this - could you please also add the same to the protobuf
recipe in a separate patch?
(This and the protobuf recipe share the same CVE_PRODUCT, and once a CVE
is fixed in one recipe, the other recipe will show up in the weekly report)

On 3/30/26 08:51, Naman Jain via lists.openembedded.org wrote:
> From: Naman Jain <namanj1@kpit.com>
> 
> CVE-2024-7254 is a stack overflow vulnerability caused by unbounded
> recursion, specifically within the Java Protobuf Lite and Full runtimes
> (including Kotlin and JRuby bindings).
> 
> The python3-protobuf recipe builds the Python implementation using the
> C++ backend (--cpp_implementation). This implementation does not
> contain the vulnerable Java-specific parsing logic (such as
> DiscardUnknownFieldsParser or ArrayDecoders).
> 
> Authoritative security sources, including Red Hat and GitHub Advisory
> have confirmed that non-Java implementations
> (Python/C++) are not affected by this specific flaw.
> 
> Reference: https://access.redhat.com/security/cve/cve-2024-7254
> 
> Signed-off-by: Naman Jain <namanj1@kpit.com>
> ---
>  meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
> index dbb30ad4df..52fea2ae6e 100644
> --- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
> +++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
> @@ -14,6 +14,9 @@ SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f33
>  
>  CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python"
>  
> +# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the Python/C++ implementation.
> +CVE_CHECK_IGNORE += "CVE-2024-7254"
> +
>  # http://errors.yoctoproject.org/Errors/Details/184715/
>  # Can't find required file: ../src/google/protobuf/descriptor.proto
>  CLEANBROKEN = "1"
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#125833): https://lists.openembedded.org/g/openembedded-devel/message/125833
> Mute This Topic: https://lists.openembedded.org/mt/118575124/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

Re: [meta-python][kirkstone][PATCH] python3-protobuf: ignore CVE-2024-7254

[Naman Jain]

[-- Attachment #1: Type: text/plain, Size: 272 bytes --]

Hello,
Please note that protobuf_3.19.6 in kirkstone uses java implementation and already has a patch for CVE-2024-7254
Ref: https://git.openembedded.org/meta-openembedded/commit/?h=kirkstone&id=f17b6e36fc2eef7f24d08885c50732d62f2754e5
Thanks and Regards,
Naman jain

[-- Attachment #2: Type: text/html, Size: 491 bytes --]

Re: [oe] [meta-python][kirkstone][PATCH] python3-protobuf: ignore CVE-2024-7254

[Gyorgy Sarvari]

On 3/31/26 06:11, Naman Jain via lists.openembedded.org wrote:
> Hello,
> Please note that protobuf_3.19.6 in kirkstone uses java implementation
> and already has a patch for CVE-2024-7254
> Ref: https://git.openembedded.org/meta-openembedded/commit/?
> h=kirkstone&id=f17b6e36fc2eef7f24d08885c50732d62f2754e5 <https://
> git.openembedded.org/meta-openembedded/commit/?
> h=kirkstone&id=f17b6e36fc2eef7f24d08885c50732d62f2754e5>

Thanks a lot for checking, indeed, I missed this patch in the recipe -
sorry for the noise.

> Thanks and Regards,
> Naman jain
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#125870): https://lists.openembedded.org/g/openembedded-devel/message/125870
> Mute This Topic: https://lists.openembedded.org/mt/118575124/6084445
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [skandigraun@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>