python3-protobuf: patch CVE-2026-0994

Pick patch from PR in NVD report. It is the only code change in 33.5 release. Skip the test file change as it's not shipped in python module sources. Resolve formatting-only conflict. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Peter Marko <peter.marko@siemens.com> 2026-02-02 22:32:06 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2026-02-03 19:53:58 +0100
commit: 9492cdbbf8e87cf7daa0cf52f896bace6f9da70e (patch)
tree: 8a8d96a5af32326d1e2754f2db648d9d48654d58 /meta-python
parent: a817392c05cbd144bafa34f2c340ea8169c08fed (diff)
download: meta-openembedded-9492cdbbf8e87cf7daa0cf52f896bace6f9da70e.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch b/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch
new file mode 100644
index 0000000000..156be3be29
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch
@@ -0,0 +1,47 @@
+From c4eda3e58680528147a4cc7e2b3c9044f795c9c9 Mon Sep 17 00:00:00 2001
+From: zhangskz <sandyzhang@google.com>
+Date: Thu, 29 Jan 2026 14:31:08 -0500
+Subject: [PATCH] Fix Any recursion depth bypass in Python
+ json_format.ParseDict (#25239) (#25586)
+This fixes a security vulnerability where nested google.protobuf.Any messages could bypass the max_recursion_depth limit, potentially leading to denial of service via stack overflow.
+The root cause was that _ConvertAnyMessage() was calling itself recursively via methodcaller() for nested well-known types, bypassing the recursion depth tracking in ConvertMessage().
+The fix routes well-known type parsing through ConvertMessage() to ensure proper recursion depth accounting for all message types including nested Any.
+Fixes #25070
+Closes #25239
+COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/25239 from aviralgarg05:fix-any-recursion-depth-bypass 3cbbcbea142593d3afd2ceba2db14b05660f62f4
+PiperOrigin-RevId: 862740421
+Co-authored-by: Aviral Garg <gargaviral99@gmail.com>
+CVE: CVE-2026-0994
+Upstream-Status: Backport [https://github.com/protocolbuffers/protobuf/commit/c4eda3e58680528147a4cc7e2b3c9044f795c9c9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ google/protobuf/json_format.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/google/protobuf/json_format.py b/google/protobuf/json_format.py
+index 1b6ce9d03..9acbaefb5 100644
+--- a/google/protobuf/json_format.py
+++ b/google/protobuf/json_format.py
+@@ -652,9 +652,11 @@ class _Parser(object):
+       self._ConvertWrapperMessage(value['value'], sub_message,
+                                   '{0}.value'.format(path))
+     elif full_name in _WKTJSONMETHODS:
+-      methodcaller(_WKTJSONMETHODS[full_name][1], value['value'], sub_message,
+-                   '{0}.value'.format(path))(
+-                       self)
+      # For well-known types (including nested Any), use ConvertMessage
+      # to ensure recursion depth is properly tracked
+      self.ConvertMessage(
+          value['value'], sub_message, '{0}.value'.format(path)
+      )
+     else:
+       del value['@type']
+       self._ConvertFieldValuePair(value, sub_message, path)
diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
index b3846ddeb3..dbb30ad4df 100644
--- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
+++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://PKG-INFO;beginline=8;endline=8;md5=53dbfa56f61b90215a
 inherit pypi setuptools3
 SRC_URI += "file://CVE-2025-4565.patch"
+SRC_URI += "file://CVE-2026-0994.patch"
 SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f337105f2"
author	Peter Marko <peter.marko@siemens.com>	2026-02-02 22:32:06 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2026-02-03 19:53:58 +0100
commit	9492cdbbf8e87cf7daa0cf52f896bace6f9da70e (patch)
tree	8a8d96a5af32326d1e2754f2db648d9d48654d58 /meta-python
parent	a817392c05cbd144bafa34f2c340ea8169c08fed (diff)
download	meta-openembedded-9492cdbbf8e87cf7daa0cf52f896bace6f9da70e.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch b/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch new file mode 100644 index 0000000000..156be3be29 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch
@@ -0,0 +1,47 @@
		1	From c4eda3e58680528147a4cc7e2b3c9044f795c9c9 Mon Sep 17 00:00:00 2001
		2	From: zhangskz <sandyzhang@google.com>
		3	Date: Thu, 29 Jan 2026 14:31:08 -0500
		4	Subject: [PATCH] Fix Any recursion depth bypass in Python
		5	json_format.ParseDict (#25239) (#25586)
		6
		7	This fixes a security vulnerability where nested google.protobuf.Any messages could bypass the max_recursion_depth limit, potentially leading to denial of service via stack overflow.
		8
		9	The root cause was that _ConvertAnyMessage() was calling itself recursively via methodcaller() for nested well-known types, bypassing the recursion depth tracking in ConvertMessage().
		10
		11	The fix routes well-known type parsing through ConvertMessage() to ensure proper recursion depth accounting for all message types including nested Any.
		12
		13	Fixes #25070
		14
		15	Closes #25239
		16
		17	COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/25239 from aviralgarg05:fix-any-recursion-depth-bypass 3cbbcbea142593d3afd2ceba2db14b05660f62f4
		18	PiperOrigin-RevId: 862740421
		19
		20	Co-authored-by: Aviral Garg <gargaviral99@gmail.com>
		21
		22	CVE: CVE-2026-0994
		23	Upstream-Status: Backport [https://github.com/protocolbuffers/protobuf/commit/c4eda3e58680528147a4cc7e2b3c9044f795c9c9]
		24	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		25	---
		26	google/protobuf/json_format.py \| 8 +++++---
		27	1 file changed, 5 insertions(+), 3 deletions(-)
		28
		29	diff --git a/google/protobuf/json_format.py b/google/protobuf/json_format.py
		30	index 1b6ce9d03..9acbaefb5 100644
		31	--- a/google/protobuf/json_format.py
		32	+++ b/google/protobuf/json_format.py
		33	@@ -652,9 +652,11 @@ class _Parser(object):
		34	self._ConvertWrapperMessage(value['value'], sub_message,
		35	'{0}.value'.format(path))
		36	elif full_name in _WKTJSONMETHODS:
		37	- methodcaller(_WKTJSONMETHODS[full_name][1], value['value'], sub_message,
		38	- '{0}.value'.format(path))(
		39	- self)
		40	+ # For well-known types (including nested Any), use ConvertMessage
		41	+ # to ensure recursion depth is properly tracked
		42	+ self.ConvertMessage(
		43	+ value['value'], sub_message, '{0}.value'.format(path)
		44	+ )
		45	else:
		46	del value['@type']
		47	self._ConvertFieldValuePair(value, sub_message, path)


diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb index b3846ddeb3..dbb30ad4df 100644 --- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb +++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://PKG-INFO;beginline=8;endline=8;md5=53dbfa56f61b90215a
8	inherit pypi setuptools3	8	inherit pypi setuptools3
9		9
10	SRC_URI += "file://CVE-2025-4565.patch"	10	SRC_URI += "file://CVE-2025-4565.patch"
		11	SRC_URI += "file://CVE-2026-0994.patch"
11		12
12	SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f337105f2"	13	SRC_URI[sha256sum] = "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f337105f2"
13		14