8000 Comparing v0.0.43...v0.0.44 · cloudquery/plugin-pb-python · GitHub
[go: up one dir, main page]
Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: cloudquery/plugin-pb-python
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v0.0.43
Choose a base ref
...
head repository: cloudquery/plugin-pb-python
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v0.0.44
Choose a head ref
  • 3 commits
  • 6 files changed
  • 1 contributor

Commits on Jun 16, 2025

  1. fix(deps): Update dependency protobuf to v5.29.5 [SECURITY] (#162) 

    This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [protobuf](https://developers.google.com/protocol-buffers/) | patch | `==5.29.4` -> `==5.29.5` |

### GitHub Vulnerability Alerts

#### [CVE-2025-4565](https://redirect.github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8)

### Summary
Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursive groups**, **recursive messages** or **a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags** can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
[ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com)

Affected versions: This issue only affects the [pure-Python implementation](https://redirect.github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of protobuf-python backend. This is the implementation when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.

This is a Python variant of a [previous issue affecting protobuf-java](https://redirect.github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8).

### Severity
This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.

### Proof of Concept
For reproduction details, please refer to the unit tests [decoder_test.py](https://redirect.github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98) and [message_test](https://redirect.github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478)

### Remediation and Mitigation
A mitigation is available now. Please update to the latest available versions of the following packages:
* protobuf-python(4.25.8, 5.29.5, 6.31.1)

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC4yMi4xIiwidXBkYXRlZEluVmVyIjoiNDAuMjIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21lcmdlIiwic2VjdXJpdHkiXX0=-->
    @cq-bot
    cq-bot authored Jun 16, 2025
    Configuration menu
    Copy the full SHA
    bdf356e View commit details
    Browse the repository at this point in the history

Commits on Jun 25, 2025

  1. fix: Generate Python Code from plugin-pb (#164) 

    This PR was created by a scheduled workflow to regenerate the Python code from `plugin-pb`.
    @cq-bot
    cq-bot authored Jun 25, 2025
    Configuration menu
    Copy the full SHA
    386b701 View commit details
    Browse the repository at this point in the history

Commits on Jun 26, 2025

  1. chore(main): Release v0.0.44 (#163) 

    🤖 I have created a release *beep* *boop*
---


## [0.0.44](v0.0.43...v0.0.44) (2025-06-25)


### Bug Fixes

* **deps:** Update dependency protobuf to v5.29.5 [SECURITY] ([#162](#162)) ([bdf356e](bdf356e))
* Generate Python Code from `plugin-pb` ([#164](#164)) ([386b701](386b701))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
    @cq-bot
    cq-bot authored Jun 26, 2025
    Configuration menu
    Copy the full SHA
    3004e96 View commit details
    Browse the repository at this point in the history
Loading
0