-
Notifications
You must be signed in to change notification settings - Fork 1
Commit bdf356e
authored
fix(deps): Update dependency protobuf to v5.29.5 [SECURITY] (#162)
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [protobuf](https://developers.google.com/protocol-buffers/) | patch | `==5.29.4` -> `==5.29.5` |
### GitHub Vulnerability Alerts
#### [CVE-2025-4565](https://redirect.github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8)
### Summary
Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursive groups**, **recursive messages** or **a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags** can be corrupted by exceeding the Python recursion limit.
Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
[ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com)
Affected versions: This issue only affects the [pure-Python implementation](https://redirect.github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of protobuf-python backend. This is the implementation when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.
This is a Python variant of a [previous issue affecting protobuf-java](https://redirect.github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8).
### Severity
This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.
### Proof of Concept
For reproduction details, please refer to the unit tests [decoder_test.py](https://redirect.github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98) and [message_test](https://redirect.github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478)
### Remediation and Mitigation
A mitigation is available now. Please update to the latest available versions of the following packages:
* protobuf-python(4.25.8, 5.29.5, 6.31.1)
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC4yMi4xIiwidXBkYXRlZEluVmVyIjoiNDAuMjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21lcmdlIiwic2VjdXJpdHkiXX0=-->1 parent ecf4258 commit bdf356eCopy full SHA for bdf356e
File tree
Expand file treeCollapse file tree
1 file changed
+1
-1
lines changedFilter options
Expand file treeCollapse file tree
1 file changed
+1
-1
lines changedrequirements.txt
Copy file name to clipboard+1-1Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | 3 | | |
4 | | - | |
| 4 | + | |
5 | 5 | | |
6 | 6 | | |
0 commit comments