python3-protobuf: patch CVE-2026-0994

Pick patch from PR in NVD report. It is the only code change in 33.5 release. Skip the test file change as it's not shipped in python module sources. Resolve formatting-only conflict. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Peter Marko <peter.marko@siemens.com> 2026-02-02 22:32:27 +0100
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-02-09 09:35:49 +0530
commit: 0ae047668f07d3343450447e1ddb99dd95160797 (patch)
tree: 81ab0735145fa447ba92014da3e3c4c3987e986e /meta-python/recipes-devtools/python
parent: 79e37609350ef58ea0860e3739d9389967fe7480 (diff)
download: meta-openembedded-0ae047668f07d3343450447e1ddb99dd95160797.tar.gz
2 files changed, 49 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch b/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch
new file mode 100644
index 0000000000..494a57ad63
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch
@@ -0,0 +1,47 @@
+From c4eda3e58680528147a4cc7e2b3c9044f795c9c9 Mon Sep 17 00:00:00 2001
+From: zhangskz <sandyzhang@google.com>
+Date: Thu, 29 Jan 2026 14:31:08 -0500
+Subject: [PATCH] Fix Any recursion depth bypass in Python
+ json_format.ParseDict (#25239) (#25586)
+This fixes a security vulnerability where nested google.protobuf.Any messages could bypass the max_recursion_depth limit, potentially leading to denial of service via stack overflow.
+The root cause was that _ConvertAnyMessage() was calling itself recursively via methodcaller() for nested well-known types, bypassing the recursion depth tracking in ConvertMessage().
+The fix routes well-known type parsing through ConvertMessage() to ensure proper recursion depth accounting for all message types including nested Any.
+Fixes #25070
+Closes #25239
+COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/25239 from aviralgarg05:fix-any-recursion-depth-bypass 3cbbcbea142593d3afd2ceba2db14b05660f62f4
+PiperOrigin-RevId: 862740421
+Co-authored-by: Aviral Garg <gargaviral99@gmail.com>
+CVE: CVE-2026-0994
+Upstream-Status: Backport [https://github.com/protocolbuffers/protobuf/commit/c4eda3e58680528147a4cc7e2b3c9044f795c9c9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ google/protobuf/json_format.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/google/protobuf/json_format.py b/google/protobuf/json_format.py
+index 1b6ce9d03..9acbaefb5 100644
+--- a/google/protobuf/json_format.py
+++ b/google/protobuf/json_format.py
+@@ -644,9 +644,11 @@ class _Parser(object):
+       self._ConvertWrapperMessage(value['value'], sub_message,
+                                   '{0}.value'.format(path))
+     elif full_name in _WKTJSONMETHODS:
+-      methodcaller(_WKTJSONMETHODS[full_name][1], value['value'], sub_message,
+-                   '{0}.value'.format(path))(
+-                       self)
+      # For well-known types (including nested Any), use ConvertMessage
+      # to ensure recursion depth is properly tracked
+      self.ConvertMessage(
+          value['value'], sub_message, '{0}.value'.format(path)
+      )
+     else:
+       del value['@type']
+       self._ConvertFieldValuePair(value, sub_message, path)
diff --git a/meta-python/recipes-devtools/python/python3-protobuf_4.25.8.bb b/meta-python/recipes-devtools/python/python3-protobuf_4.25.8.bb
index aca30efdee..6ba24899f6 100644
--- a/meta-python/recipes-devtools/python/python3-protobuf_4.25.8.bb
+++ b/meta-python/recipes-devtools/python/python3-protobuf_4.25.8.bb
@@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "file://PKG-INFO;beginline=8;endline=8;md5=53dbfa56f61b90215a
 inherit pypi setuptools3
 SRC_URI[sha256sum] = "6135cf8affe1fc6f76cced2641e4ea8d3e59518d1f24ae41ba97bcad82d397cd"
+SRC_URI += "file://CVE-2026-0994.patch"
 # http://errors.yoctoproject.org/Errors/Details/184715/
 # Can't find required file: ../src/google/protobuf/descriptor.proto
 CLEANBROKEN = "1"
author	Peter Marko <peter.marko@siemens.com>	2026-02-02 22:32:27 +0100
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-09 09:35:49 +0530
commit	0ae047668f07d3343450447e1ddb99dd95160797 (patch)
tree	81ab0735145fa447ba92014da3e3c4c3987e986e /meta-python/recipes-devtools/python
parent	79e37609350ef58ea0860e3739d9389967fe7480 (diff)
download	meta-openembedded-0ae047668f07d3343450447e1ddb99dd95160797.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch b/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch new file mode 100644 index 0000000000..494a57ad63 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch
@@ -0,0 +1,47 @@
		1	From c4eda3e58680528147a4cc7e2b3c9044f795c9c9 Mon Sep 17 00:00:00 2001
		2	From: zhangskz <sandyzhang@google.com>
		3	Date: Thu, 29 Jan 2026 14:31:08 -0500
		4	Subject: [PATCH] Fix Any recursion depth bypass in Python
		5	json_format.ParseDict (#25239) (#25586)
		6
		7	This fixes a security vulnerability where nested google.protobuf.Any messages could bypass the max_recursion_depth limit, potentially leading to denial of service via stack overflow.
		8
		9	The root cause was that _ConvertAnyMessage() was calling itself recursively via methodcaller() for nested well-known types, bypassing the recursion depth tracking in ConvertMessage().
		10
		11	The fix routes well-known type parsing through ConvertMessage() to ensure proper recursion depth accounting for all message types including nested Any.
		12
		13	Fixes #25070
		14
		15	Closes #25239
		16
		17	COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/25239 from aviralgarg05:fix-any-recursion-depth-bypass 3cbbcbea142593d3afd2ceba2db14b05660f62f4
		18	PiperOrigin-RevId: 862740421
		19
		20	Co-authored-by: Aviral Garg <gargaviral99@gmail.com>
		21
		22	CVE: CVE-2026-0994
		23	Upstream-Status: Backport [https://github.com/protocolbuffers/protobuf/commit/c4eda3e58680528147a4cc7e2b3c9044f795c9c9]
		24	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		25	---
		26	google/protobuf/json_format.py \| 8 +++++---
		27	1 file changed, 5 insertions(+), 3 deletions(-)
		28
		29	diff --git a/google/protobuf/json_format.py b/google/protobuf/json_format.py
		30	index 1b6ce9d03..9acbaefb5 100644
		31	--- a/google/protobuf/json_format.py
		32	+++ b/google/protobuf/json_format.py
		33	@@ -644,9 +644,11 @@ class _Parser(object):
		34	self._ConvertWrapperMessage(value['value'], sub_message,
		35	'{0}.value'.format(path))
		36	elif full_name in _WKTJSONMETHODS:
		37	- methodcaller(_WKTJSONMETHODS[full_name][1], value['value'], sub_message,
		38	- '{0}.value'.format(path))(
		39	- self)
		40	+ # For well-known types (including nested Any), use ConvertMessage
		41	+ # to ensure recursion depth is properly tracked
		42	+ self.ConvertMessage(
		43	+ value['value'], sub_message, '{0}.value'.format(path)
		44	+ )
		45	else:
		46	del value['@type']
		47	self._ConvertFieldValuePair(value, sub_message, path)


diff --git a/meta-python/recipes-devtools/python/python3-protobuf_4.25.8.bb b/meta-python/recipes-devtools/python/python3-protobuf_4.25.8.bb index aca30efdee..6ba24899f6 100644 --- a/meta-python/recipes-devtools/python/python3-protobuf_4.25.8.bb +++ b/meta-python/recipes-devtools/python/python3-protobuf_4.25.8.bb
@@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "file://PKG-INFO;beginline=8;endline=8;md5=53dbfa56f61b90215a
8	inherit pypi setuptools3	8	inherit pypi setuptools3
9	SRC_URI[sha256sum] = "6135cf8affe1fc6f76cced2641e4ea8d3e59518d1f24ae41ba97bcad82d397cd"	9	SRC_URI[sha256sum] = "6135cf8affe1fc6f76cced2641e4ea8d3e59518d1f24ae41ba97bcad82d397cd"
10		10
		11	SRC_URI += "file://CVE-2026-0994.patch"
		12
11	# http://errors.yoctoproject.org/Errors/Details/184715/	13	# http://errors.yoctoproject.org/Errors/Details/184715/
12	# Can't find required file: ../src/google/protobuf/descriptor.proto	14	# Can't find required file: ../src/google/protobuf/descriptor.proto
13	CLEANBROKEN = "1"	15	CLEANBROKEN = "1"