mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-07-04 18:45:57 +00:00
CVE-2024-7254 is a stack overflow vulnerability caused by unbounded recursion, specifically within the Java Protobuf Lite and Full runtimes (including Kotlin and JRuby bindings). The python3-protobuf recipe builds the Python implementation using the C++ backend (--cpp_implementation). This implementation does not contain the vulnerable Java-specific parsing logic (such as DiscardUnknownFieldsParser or ArrayDecoders). Authoritative security sources, including Red Hat and GitHub Advisory have confirmed that non-Java implementations (Python/C++) are not affected by this specific flaw. Reference: https://access.redhat.com/security/cve/cve-2024-7254 Signed-off-by: Naman Jain <namanj1@kpit.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>