#1126302 protobuf: CVE-2026-0994

Package:
src:protobuf
Source:
src:protobuf
Submitter:
Salvatore Bonaccorso
Date:
2026-06-21 15:55:01 UTC
Severity:
normal
Tags:
#1126302#5
Date:
2026-01-23 20:50:31 UTC
Hi,

The following vulnerability was published for protobuf.

Filing a bug mainly for tracking the upstream issue for now. Needs
closer assessment.

CVE-2026-0994[0]:
| A denial-of-service (DoS) vulnerability exists in
| google.protobuf.json_format.ParseDict() in Python, where the
| max_recursion_depth limit can be bypassed when parsing nested
| google.protobuf.Any messages.  Due to missing recursion depth
| accounting inside the internal Any-handling logic, an attacker can
| supply deeply nested Any structures that bypass the intended
| recursion limit, eventually exhausting Python’s recursion stack and
| causing a RecursionError.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0994
https://www.cve.org/CVERecord?id=CVE-2026-0994
[1] https://github.com/protocolbuffers/protobuf/issues/25070
[2] https://github.com/protocolbuffers/protobuf/pull/25239

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
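The report above says ParseDict's max_recursion_depth is not accounted for inside the Any-handling path, so nested google.protobuf.Any payloads can still drive the parser into a RecursionError. A defence-in-depth bound applied to the decoded JSON object before it reaches the library works regardless of how the library counts Any internally; the code below is an added example, not from the bug report, the Debian package or upstream protobuf. It assumes protobuf's ParseDict(js_dict, message, max_recursion_depth=...) signature and constructs its own sample input.

```python
class NestingTooDeep(ValueError):
    """The decoded JSON object nests deeper than the configured bound."""


def max_nesting_depth(obj, limit=None):
    """Return the container nesting depth of a decoded JSON object.

    A scalar has depth 0, {} or [] depth 1, {"a": {"b": 1}} depth 2.
    The walk is iterative on purpose: a recursive walk would itself raise
    RecursionError on exactly the inputs this check exists to reject.
    With a limit, the walk stops and raises as soon as it is exceeded.
    """
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, list):
            children = node
        else:
            continue  # scalar leaf: adds no depth
        if depth > deepest:
            deepest = depth
            if limit is not None and deepest > limit:
                raise NestingTooDeep(f"JSON nesting exceeds {limit} levels")
        stack.extend((child, depth + 1) for child in children)
    return deepest


def checked_parse_dict(js_dict, message, max_depth=100, **kwargs):
    """Reject over-deep input first, then parse with the same limit on the library."""
    max_nesting_depth(js_dict, limit=max_depth)
    from google.protobuf import json_format  # lazy import: only the happy path needs it
    return json_format.ParseDict(js_dict, message,
                                 max_recursion_depth=max_depth, **kwargs)


def nested_any(levels):
    """Constructed sample input: an Any wrapping an Any, `levels` deep (JSON form)."""
    node = {"@type": "type.googleapis.com/google.protobuf.StringValue", "value": "x"}
    for _ in range(levels):
        node = {"@type": "type.googleapis.com/google.protobuf.Any", "value": node}
    return node
```

Keep max_depth well below sys.getrecursionlimit() (1000 by default), since the library consumes several Python frames per nesting level.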

#1126302#10
Date:
2026-01-25 10:10:11 UTC
We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1126302@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated protobuf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 25 Jan 2026 08:55:08 +0100
Source: protobuf
Architecture: source
Version: 3.25.7-1
Distribution: experimental
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1126302 1126379
Changes:
 protobuf (3.25.7-1) experimental; urgency=medium
 .
   [ Laszlo Boszormenyi (GCS) ]
   * New upstream release.
   * Backport upstream security fix for CVE-2026-0994: denial of service
     vulnerability in google.protobuf.json_format.ParseDict() in Python
     (closes: #1126302).
 .
   [ Matthias Klose <doko@ubuntu.com> ]
   * Fix one more FTBFS with GCC 15 (closes: #1126379).

#1126302#15
Date:
2026-06-21 13:19:54 UTC
Dear maintainer,

I've prepared an NMU for protobuf (versioned as 3.21.12-15.1) and
uploaded it to DELAYED/7. Please feel free to tell me if I should
cancel it.

cu
Adrian

#1126302#24
Date:
2026-06-21 14:08:26 UTC
Hi Adrian,
Thanks for your work. If you ping me, I will apply your patches and the
NMU will not be necessary.
Still, the upload with your changes is in progress.

Cheers,
Laszlo/GCS

#1126302#29
Date:
2026-06-21 14:33:53 UTC
We believe that the bug you reported is fixed in the latest version of
protobuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1126302@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated protobuf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 21 Jun 2026 15:36:07 +0200
Source: protobuf
Architecture: source
Version: 3.21.12-16
Distribution: unstable
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1126302 1134895
Changes:
 protobuf (3.21.12-16) unstable; urgency=medium
 .
   [ Adrian Bunk <bunk@debian.org> ]
   * Fix CVE-2026-0994: JSON recursion depth bypass (closes: #1126302).
   * Fix CVE-2026-6409: PHP Denial of Service (closes: #1134895).

#1126302#34
Date:
2026-06-21 15:52:45 UTC
Hi László,

I guessed that you would react quickly, but it's still faster for me to
do the NMU to delayed:

Preparing an NMU is not more work for me than sending patches to the BTS.

And in the many cases where a maintainer does not react it saves me the
additional work to later revisit the package and do an NMU.

cu
Adrian