diff --git a/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch b/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch index 4c5310edfa..8556c5bdbc 100644 --- a/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch +++ b/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch @@ -21,18 +21,18 @@ CVE: CVE-2025-68131 Upstream-Status: Backport [https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0] Signed-off-by: Hitendra Prajapati --- - cbor2/decoder.py | 26 ++++++++++++++-- - cbor2/encoder.py | 42 +++++++++++++++++++++----- + cbor2/decoder.py | 38 +++++++++++++++++++----- + cbor2/encoder.py | 43 ++++++++++++++++++++++----- source/decoder.c | 28 +++++++++++++++++- source/decoder.h | 1 + source/encoder.c | 23 +++++++++++++-- source/encoder.h | 1 + tests/test_decoder.py | 62 ++++++++++++++++++++++++++++++++++++++ tests/test_encoder.py | 69 +++++++++++++++++++++++++++++++++++++++++++ - 8 files changed, 239 insertions(+), 13 deletions(-) + 8 files changed, 246 insertions(+), 19 deletions(-) diff --git a/cbor2/decoder.py b/cbor2/decoder.py -index be7198b..f2d818c 100644 +index be7198b..6cdd752 100644 --- a/cbor2/decoder.py +++ b/cbor2/decoder.py @@ -2,6 +2,7 @@ import re 
@@ -94,16 +94,28 @@ index be7198b..f2d818c 100644 def decode_from_bytes(self, buf): """ -@@ -190,6 +211,7 @@ class CBORDecoder: +@@ -190,12 +211,13 @@ class CBORDecoder: object needs to be decoded separately from the rest but while still taking advantage of the shared value registry. """ +- with BytesIO(buf) as fp: +- old_fp = self.fp +- self.fp = fp +- retval = self._decode() +- self.fp = old_fp +- return retval + with self._decoding_context(): - with BytesIO(buf) as fp: - old_fp = self.fp - self.fp = fp ++ with BytesIO(buf) as fp: ++ old_fp = self.fp ++ self.fp = fp ++ retval = self._decode() ++ self.fp = old_fp ++ return retval + + def _decode_length(self, subtype, allow_indefinite=False): + if subtype < 24: diff --git a/cbor2/encoder.py b/cbor2/encoder.py -index 42526c0..0a5722d 100644 +index 42526c0..fc22458 100644 --- a/cbor2/encoder.py +++ b/cbor2/encoder.py @@ -109,7 +109,7 @@ class CBOREncoder: @@ -147,13 +159,14 @@ index 42526c0..0a5722d 100644 def encode(self, obj): """ Encode the given object using CBOR. -@@ -243,6 +261,14 @@ class CBOREncoder: +@@ -243,6 +261,15 @@ class CBOREncoder: :param obj: the object to encode """ + with self._encoding_context(): + self._encode_value(obj) -+ def _encode_value(self, obj: Any) -> None: ++ ++ def _encode_value(self, obj) -> None: + """ + Internal fast path for encoding - used by built-in encoders. + External code should use encode() instead, which properly manages @@ -162,7 +175,7 @@ index 42526c0..0a5722d 100644 obj_type = obj.__class__ encoder = ( self._encoders.get(obj_type) or -@@ -390,14 +416,14 @@ class CBOREncoder: +@@ -390,14 +417,14 @@ class CBOREncoder: def encode_array(self, value): self.encode_length(4, len(value)) for item in value: 
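Review bot: In the re-indented `decode_from_bytes` body, `self.fp = old_fp` is still skipped whenever `self._decode()` raises, so a malformed embedded item leaves the decoder bound to the already-closed `BytesIO`. The ordering is carried over unchanged from the removed lines, so it predates this backport, but the buffer decoded here can come from untrusted input and the error path is the one worth hardening. A minimal change is to wrap the call as `try: retval = self._decode()` followed by `finally: self.fp = old_fp`; because this file is a backport of an upstream commit, that is probably better raised upstream than carried as a local divergence. The `def decode_from_bytes` line and the definition of `_decoding_context` lie outside this hunk, so whether the context manager itself resets its state on an exception cannot be confirmed from here.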
@@ -180,7 +193,7 @@ index 42526c0..0a5722d 100644 def encode_sortable_key(self, value): """ -@@ -422,10 +448,10 @@ class CBOREncoder: +@@ -422,10 +449,10 @@ class CBOREncoder: # String referencing requires that the order encoded is # the same as the order emitted so string references are # generated after an order is determined @@ -193,7 +206,7 @@ index 42526c0..0a5722d 100644 def encode_semantic(self, value): # Nested string reference domains are distinct -@@ -436,7 +462,7 @@ class CBOREncoder: +@@ -436,7 +463,7 @@ class CBOREncoder: self._string_references = {} self.encode_length(6, value.tag) @@ -202,7 +215,7 @@ index 42526c0..0a5722d 100644 self.string_referencing = old_string_referencing self._string_references = old_string_references -@@ -489,7 +515,7 @@ class CBOREncoder: +@@ -489,7 +516,7 @@ class CBOREncoder: def encode_stringref(self, value): # Semantic tag 25 if not self._stringref(value):