Thanks for this - could you please also add the same to the protobuf recipe in a separate patch? (This and the protobuf recipe share the same CVE_PRODUCT, and once a CVE is fixed in one recipe, the other recipe will show up in the weekly report)
On 3/30/26 08:51, Naman Jain via lists.openembedded.org wrote: > From: Naman Jain <[email protected]> > > CVE-2024-7254 is a stack overflow vulnerability caused by unbounded > recursion, specifically within the Java Protobuf Lite and Full runtimes > (including Kotlin and JRuby bindings). > > The python3-protobuf recipe builds the Python implementation using the > C++ backend (--cpp_implementation). This implementation does not > contain the vulnerable Java-specific parsing logic (such as > DiscardUnknownFieldsParser or ArrayDecoders). > > Authoritative security sources, including Red Hat and GitHub Advisory > have confirmed that non-Java implementations > (Python/C++) are not affected by this specific flaw. > > Reference: https://access.redhat.com/security/cve/cve-2024-7254 > > Signed-off-by: Naman Jain <[email protected]> > --- > meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb > b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb > index dbb30ad4df..52fea2ae6e 100644 > --- a/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb > +++ b/meta-python/recipes-devtools/python/python3-protobuf_3.20.3.bb > @@ -14,6 +14,9 @@ SRC_URI[sha256sum] = > "2e3427429c9cffebf259491be0af70189607f365c2f41c7c3764af6f33 > > CVE_PRODUCT += "google:protobuf protobuf:protobuf google-protobuf > protobuf-python" > > +# CVE-2024-7254 is Java/ruby/kotlin specific and does not affect the > Python/C++ implementation. > +CVE_CHECK_IGNORE += "CVE-2024-7254" > + > # http://errors.yoctoproject.org/Errors/Details/184715/ > # Can't find required file: ../src/google/protobuf/descriptor.proto > CLEANBROKEN = "1" > > > > >
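Review bot: the in-recipe comment on the `+#` line should carry the justification the commit message already gives, otherwise a future reader of the .bb file has no way to verify why the CVE is ignored. Suggest extending it to name the affected implementations and cite the source, e.g. `# CVE-2024-7254 affects only the Java runtimes (incl. Kotlin/JRuby bindings); the Python/C++ implementation built here (--cpp_implementation) is not affected. Ref: https://access.redhat.com/security/cve/cve-2024-7254`. If the target branch already supports `CVE_STATUS`, that form (`CVE_STATUS[CVE-2024-7254] = "not-applicable-config: ..."`) keeps the justification attached to the entry itself and is preferred over `CVE_CHECK_IGNORE`; on branches that still use `CVE_CHECK_IGNORE` the hunk is fine as is. Also note the `+#` comment line appears wrapped onto a following line without a `+` prefix in the quoted mail, so please check the patch applies cleanly with `git am` rather than only by eye.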
View/Reply Online (#125835): https://lists.openembedded.org/g/openembedded-devel/message/125835
