path: root/meta-python/recipes-devtools/python/python3-protobuf/CVE-2026-0994.patch
blob: 494a57ad63c704929a4350f0d84a0c9c870fb635 (plain)
From c4eda3e58680528147a4cc7e2b3c9044f795c9c9 Mon Sep 17 00:00:00 2001
From: zhangskz <sandyzhang@google.com>
Date: Thu, 29 Jan 2026 14:31:08 -0500
Subject: [PATCH] Fix Any recursion depth bypass in Python
 json_format.ParseDict (#25239) (#25586)

This fixes a security vulnerability where nested google.protobuf.Any messages could bypass the max_recursion_depth limit, potentially leading to denial of service via stack overflow.

The root cause was that _ConvertAnyMessage() was calling itself recursively via methodcaller() for nested well-known types, bypassing the recursion depth tracking in ConvertMessage().

The fix routes well-known type parsing through ConvertMessage() to ensure proper recursion depth accounting for all message types including nested Any.

Fixes #25070

Closes #25239

COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/25239 from aviralgarg05:fix-any-recursion-depth-bypass 3cbbcbea142593d3afd2ceba2db14b05660f62f4
PiperOrigin-RevId: 862740421

Co-authored-by: Aviral Garg <gargaviral99@gmail.com>

CVE: CVE-2026-0994
Upstream-Status: Backport [https://github.com/protocolbuffers/protobuf/commit/c4eda3e58680528147a4cc7e2b3c9044f795c9c9]
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 google/protobuf/json_format.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/google/protobuf/json_format.py b/google/protobuf/json_format.py
index 1b6ce9d03..9acbaefb5 100644
--- a/google/protobuf/json_format.py
+++ b/google/protobuf/json_format.py
@@ -644,9 +644,11 @@ class _Parser(object):
       self._ConvertWrapperMessage(value['value'], sub_message,
                                   '{0}.value'.format(path))
     elif full_name in _WKTJSONMETHODS:
-      methodcaller(_WKTJSONMETHODS[full_name][1], value['value'], sub_message,
-                   '{0}.value'.format(path))(
-                       self)
+      # For well-known types (including nested Any), use ConvertMessage
+      # to ensure recursion depth is properly tracked
+      self.ConvertMessage(
+          value['value'], sub_message, '{0}.value'.format(path)
+      )
     else:
       del value['@type']
       self._ConvertFieldValuePair(value, sub_message, path)
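Review bot: the diffstat shows only json_format.py changing, so no regression test accompanies this hunk; since the commit message says the unbounded path was nested Any values handled in the `elif full_name in _WKTJSONMETHODS:` branch, please add a test that nests `google.protobuf.Any` payloads deeper than `max_recursion_depth` and asserts that `ParseDict` raises `ParseError` rather than exhausting the stack. It is also worth confirming in review that `self.ConvertMessage(value['value'], sub_message, '{0}.value'.format(path))` dispatches to the same well-known-type parser the removed `methodcaller(_WKTJSONMETHODS[full_name][1], ...)(self)` call invoked, so that the other well-known types reached through this branch keep their previous parsing behaviour and only gain the depth accounting.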