From: Gyorgy Sarvari <skandigraun@gmail.com>
To: nmjain23@gmail.com, openembedded-devel@lists.openembedded.org
Cc: Naman Jain <namanj1@kpit.com>
Subject: Re: [oe] [meta-python][kirkstone][PATCH] python3-protobuf: ignore CVE-2024-7254
Date: Mon, 30 Mar 2026 09:44:14 +0200
Message-ID: <5fd5bee4-3884-44f4-bfee-c7bb30ce5b7f@gmail.com>
In-Reply-To: <20260330065150.2931505-1-naman.jain@partner.bmw.de>

Thanks for this - could you please also add the same to the protobuf
recipe in a separate patch?
(This and the protobuf recipe share the same CVE_PRODUCT, and once a CVE
is fixed in one recipe, the other recipe will show up in the weekly report)

On 3/30/26 08:51, Naman Jain via lists.openembedded.org wrote:
> From: Naman Jain <namanj1@kpit.com>
> 
> CVE-2024-7254 is a stack overflow vulnerability caused by unbounded
> recursion, specifically within the Java Protobuf Lite and Full runtimes
> (including Kotlin and JRuby bindings).
> 
> The python3-protobuf recipe builds the Python implementation using the
> C++ backend (--cpp_implementation). This implementation does not
> contain the vulnerable Java-specific parsing logic (such as
> DiscardUnknownFieldsParser or ArrayDecoders).
> 
> Authoritative security sources, including Red Hat and the GitHub Advisory
> Database, have confirmed that non-Java implementations
> (Python/C++) are not affected by this specific flaw.
> 
> Reference: https://access.redhat.com/security/cve/cve-2024-7254
> 
> Signed-off-by: Naman Jain <namanj1@kpit.com>
> ---
>  meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
> index dbb30ad4df..52fea2ae6e 100644
> --- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
> +++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
> @@ -14,6 +14,9 @@ SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f33
>  
>  CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python"
>  
> +# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the Python/C++ implementation.
> +CVE_CHECK_IGNORE += "CVE-2024-7254"
> +
>  # http://errors.yoctoproject.org/Errors/Details/184715/
>  # Can't find required file: ../src/google/protobuf/descriptor.proto
>  CLEANBROKEN = "1"
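Review bot: the new comment above `CVE_CHECK_IGNORE` in this hunk states the conclusion but not the evidence; the commit message cites https://access.redhat.com/security/cve/cve-2024-7254, so put that URL in the recipe comment as well, e.g. `# CVE-2024-7254: unbounded recursion in the Java runtime (incl. Kotlin/JRuby bindings);` / `# the Python/C++ implementation built here is not affected, see <URL>`, so that whoever audits the ignore list later can verify it without reading git history. Phrasing it that way also matches the commit message ("Java Protobuf Lite and Full runtimes, including Kotlin and JRuby bindings") instead of the looser "Java/ruby/kotlin specific". As the reply above notes, the protobuf recipe shares this CVE_PRODUCT, so the same ignore with the same justification is needed there in a separate patch, otherwise the CVE keeps appearing in the weekly report for that recipe.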
> 
> 
> 
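The reply's point that recipes sharing a CVE_PRODUCT need the same ignore can be checked mechanically. The following is an added example, not part of this thread or of meta-python/OE-core: a POSIX shell script that builds a constructed sample layer in a temporary directory (the recipe contents are fabricated stand-ins, and `protobuf.bb` is a placeholder name for the real versioned protobuf recipe) and lists every recipe that shares a CVE_PRODUCT value with a recipe ignoring the given CVE but carries no matching CVE_CHECK_IGNORE itself. It parses only plain `VAR = "..."` / `VAR += "..."` assignments, not overrides, appends from `.bbappend` files or `require`d includes; that is an assumption of the example, not a property of cve-check.

```shell
#!/bin/sh
# Print the space-separated values assigned to variable $2 in recipe $1,
# one per line. Handles =, +=, ?=, :=, .= but not :append/:prepend overrides.
cve_values() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*[+?:.]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
        | tr ' ' '\n' | grep -v '^$'
}

# Succeed if recipe $1 lists CVE $2 in CVE_CHECK_IGNORE.
ignored_in() {
    cve_values "$1" CVE_CHECK_IGNORE | grep -Fqx -- "$2"
}

# List recipes under $1 that share a CVE_PRODUCT entry with some recipe
# that ignores CVE $2, but do not ignore it themselves.
missing_ignores() {
    dir=$1; cve=$2
    for src in "$dir"/*.bb; do
        ignored_in "$src" "$cve" || continue
        for prod in $(cve_values "$src" CVE_PRODUCT); do
            for other in "$dir"/*.bb; do
                [ "$other" = "$src" ] && continue
                ignored_in "$other" "$cve" && continue
                if cve_values "$other" CVE_PRODUCT | grep -Fqx -- "$prod"; then
                    basename "$other"
                fi
            done
        done
    done | sort -u
}

# Constructed sample layer (not the real meta-python / meta-oe recipes):
# the Python recipe carries the ignore, the C++ recipe sharing its
# CVE_PRODUCT does not, and an unrelated recipe ignores the same CVE
# under a different product name and must not be reported.
make_sample_layer() {
    d=$(mktemp -d)
    cat > "$d/python3-protobuf_3.20.3.bb" <<'EOF'
CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf protobuf-python"
# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the Python/C++ implementation.
CVE_CHECK_IGNORE += "CVE-2024-7254"
EOF
    cat > "$d/protobuf.bb" <<'EOF'
CVE_PRODUCT = "protobuf google:protobuf"
EOF
    cat > "$d/unrelated_1.0.bb" <<'EOF'
CVE_PRODUCT = "example:unrelated"
CVE_CHECK_IGNORE += "CVE-2024-7254"
EOF
    echo "$d"
}

LAYER=$(make_sample_layer)
echo "Recipes missing an ignore for CVE-2024-7254:"
missing_ignores "$LAYER" CVE-2024-7254
rm -rf "$LAYER"
```

Run against a real layer by replacing `make_sample_layer` with the path to its `recipes-*` tree (the glob would then need to recurse, e.g. via `find -name '*.bb'`); the constructed sample reports only `protobuf.bb`, which is exactly the recipe the reply asks to be patched.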



Thread overview: 4+ messages
2026-03-30  6:51 [meta-python][kirkstone][PATCH] python3-protobuf: ignore CVE-2024-7254 Naman Jain
2026-03-30  7:44 ` Gyorgy Sarvari [this message]
2026-03-31  4:11   ` Naman Jain
2026-03-31  4:30     ` [oe] " Gyorgy Sarvari