UbuntuUpdates.org

Package "python3-protobuf"

Name: python3-protobuf

Description:

Python 3 bindings for protocol buffers
Latest version: 3.12.4-1ubuntu7.22.04.4
Release: jammy (22.04)
Level: security
Repository: main
Head package: protobuf
Homepage: https://github.com/google/protobuf/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "python3-protobuf"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "python3-protobuf" in Jammy

Repository Area Version
base main 3.12.4-1ubuntu7
updates main 3.12.4-1ubuntu7.22.04.4

Changelog

Version: 3.12.4-1ubuntu7.22.04.4 2025-07-09 15:07:14 UTC

  protobuf (3.12.4-1ubuntu7.22.04.4) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS via python recursion limit
    - debian/patches/CVE-2025-4565.patch: add recursion depth limits to
      python/google/protobuf/internal/decoder.py,
      python/google/protobuf/internal/decoder_test.py,
      python/google/protobuf/internal/message_test.py,
      python/google/protobuf/internal/python_message.py,
      python/google/protobuf/internal/self_recursive.proto,
      python/setup.py.
    - CVE-2025-4565

 -- Marc Deslauriers <email address hidden> Fri, 04 Jul 2025 12:02:11 -0400
Source diff to previous version
CVE-2025-4565 Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recur

Version: 3.12.4-1ubuntu7.22.04.2 2025-04-14 16:07:03 UTC

  protobuf (3.12.4-1ubuntu7.22.04.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Stack overflow.
    - debian/patches/CVE-2024-7254-*.patch: Add recursion checks and recursion
      limit in .../protobuf/ArrayDecoders.java,
      .../protobuf/CodedInputStream.java, .../protobuf/MessageSchema.java, and
      .../protobuf/MessageSetSchema.java. Add tests.
    - CVE-2024-7254

 -- Hlib Korzhynskyy <email address hidden> Mon, 07 Apr 2025 15:47:33 -0230
Source diff to previous version
CVE-2024-7254 Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exce

Version: 3.12.4-1ubuntu7.22.04.1 2023-03-13 07:06:58 UTC

  protobuf (3.12.4-1ubuntu7.22.04.1) jammy-security; urgency=medium

  * SECURITY UPDATE: DoS in protobuf-java parser
    - debian/patches/CVE-2021-22569.patch: Improve performance of parsing
      unknown fields in Java
    - CVE-2021-22569
  * SECURITY UPDATE: Null pointer dereference issue
    - debian/patches/CVE-2021-22570.patch: fix null pointer dereference
    - CVE-2021-22570
  * SECURITY UPDATE: Dos vulnerability in cpp and python parser
    - debian/patches/CVE-2022-1941.patch: fix parsing vulnerability for the
      MessageSet type
    - CVE-2022-1941

 -- Nishit Majithia <email address hidden> Thu, 09 Mar 2023 15:05:50 +0530
CVE-2021-22569 An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order.
CVE-2021-22570 Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file
CVE-2022-1941 A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.2


About   -   Send Feedback to @ubuntu_updates