python3-cbor2: Fix CVE-2025-68131 CVE patch error

The patch for CVE-2025-68131 does not actually match https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0 Specifically, the indenting in decode_from_bytes This is causing an error in trusted-firmware-m of | Traceback (most recent call last): | File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/tfm/bl2/ext/mcuboot/scripts/wrapper/wrapper.py", line 21, in <module> | import imgtool.main | File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/main.py", line 25, in <module> | from imgtool import image, imgtool_version | File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/image.py", line 24, in <module> | from .boot_record import create_sw_component_data | File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/boot_record.py", line 21, in <module> | from cbor2 import dumps | File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/__init__.py", line 1, in <module> | from .decoder import load, loads, CBORDecoder # noqa | File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/decoder.py", line 215 | with BytesIO(buf) as fp: | ^ | IndentationError: expected an indented block after 'with' statement on line 214 Indenting to match the original patch fixes this. Also, because this version of cbor2 is older, it doesn't include commit 53e21063ed1d72ac8f911044dd598a7f9ef72406, which adds 'Any' to encode.py Because that is missing, we see the following error: | File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/__init__.py", line 2, in <module> | from .encoder import dump, dumps, CBOREncoder, shareable_encoder # noqa | File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/encoder.py", line 68, in <module> | class CBOREncoder: | File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/encoder.py", line 266, in CBOREncoder | def _encode_value(self, obj: Any) -> None: To get around this issue, remove the "Any" from the encoder.py. The logic behind this (instead of importing typing) is that this is the only instance, and since this is not something that will be updated frequently with patches from upstream. Signed-off-by: Jon Mason <jon.mason@arm.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-06-14 05:49:57 +00:00 · 2026-04-13 10:23:41 -04:00
parent b11accc51b
commit 66bb701b2e
1 changed files with 28 additions and 15 deletions
@@ -21,18 +21,18 @@ CVE: CVE-2025-68131
 Upstream-Status: Backport [https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0]
 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
 ---
- cbor2/decoder.py      | 26 ++++++++++++++--
- cbor2/encoder.py      | 42 +++++++++++++++++++++-----
+ cbor2/decoder.py      | 38 +++++++++++++++++++-----
+ cbor2/encoder.py      | 43 ++++++++++++++++++++++-----
 source/decoder.c      | 28 +++++++++++++++++-
 source/decoder.h      |  1 +
 source/encoder.c      | 23 +++++++++++++--
 source/encoder.h      |  1 +
 tests/test_decoder.py | 62 ++++++++++++++++++++++++++++++++++++++
 tests/test_encoder.py | 69 +++++++++++++++++++++++++++++++++++++++++++
- 8 files changed, 239 insertions(+), 13 deletions(-)
+ 8 files changed, 246 insertions(+), 19 deletions(-)

 diff --git a/cbor2/decoder.py b/cbor2/decoder.py
-index be7198b..f2d818c 100644
+index be7198b..6cdd752 100644
 --- a/cbor2/decoder.py
 +++ b/cbor2/decoder.py
@@ -2,6 +2,7 @@ import re
@@ -94,16 +94,28 @@ index be7198b..f2d818c 100644
 
     def decode_from_bytes(self, buf):
         """
-@@ -190,6 +211,7 @@ class CBORDecoder:
+@@ -190,12 +211,13 @@ class CBORDecoder:
         object needs to be decoded separately from the rest but while still
         taking advantage of the shared value registry.
         """
+-        with BytesIO(buf) as fp:
+-            old_fp = self.fp
+-            self.fp = fp
+-            retval = self._decode()
+-            self.fp = old_fp
+-            return retval
 +        with self._decoding_context():
-         with BytesIO(buf) as fp:
-             old_fp = self.fp
-             self.fp = fp
+            with BytesIO(buf) as fp:
+                old_fp = self.fp
+                self.fp = fp
+                retval = self._decode()
+                self.fp = old_fp
+                return retval
+ 
+     def _decode_length(self, subtype, allow_indefinite=False):
+         if subtype < 24:
 diff --git a/cbor2/encoder.py b/cbor2/encoder.py
-index 42526c0..0a5722d 100644
+index 42526c0..fc22458 100644
 --- a/cbor2/encoder.py
 +++ b/cbor2/encoder.py
@@ -109,7 +109,7 @@ class CBOREncoder:
@@ -147,13 +159,14 @@ index 42526c0..0a5722d 100644
     def encode(self, obj):
         """
         Encode the given object using CBOR.
-@@ -243,6 +261,14 @@ class CBOREncoder:
+@@ -243,6 +261,15 @@ class CBOREncoder:
         :param obj:
             the object to encode
         """
 +        with self._encoding_context():
 +            self._encode_value(obj)
-+    def _encode_value(self, obj: Any) -> None:
+
+    def _encode_value(self, obj) -> None:
 +        """
 +        Internal fast path for encoding - used by built-in encoders.
 +        External code should use encode() instead, which properly manages
@@ -162,7 +175,7 @@ index 42526c0..0a5722d 100644
         obj_type = obj.__class__
         encoder = (
             self._encoders.get(obj_type) or
-@@ -390,14 +416,14 @@ class CBOREncoder:
+@@ -390,14 +417,14 @@ class CBOREncoder:
     def encode_array(self, value):
         self.encode_length(4, len(value))
         for item in value:
@@ -180,7 +193,7 @@ index 42526c0..0a5722d 100644
 
     def encode_sortable_key(self, value):
         """
-@@ -422,10 +448,10 @@ class CBOREncoder:
+@@ -422,10 +449,10 @@ class CBOREncoder:
                 # String referencing requires that the order encoded is
                 # the same as the order emitted so string references are
                 # generated after an order is determined
@@ -193,7 +206,7 @@ index 42526c0..0a5722d 100644
 
     def encode_semantic(self, value):
         # Nested string reference domains are distinct
-@@ -436,7 +462,7 @@ class CBOREncoder:
+@@ -436,7 +463,7 @@ class CBOREncoder:
             self._string_references = {}
 
         self.encode_length(6, value.tag)
@@ -202,7 +215,7 @@ index 42526c0..0a5722d 100644
 
         self.string_referencing = old_string_referencing
         self._string_references = old_string_references
-@@ -489,7 +515,7 @@ class CBOREncoder:
+@@ -489,7 +516,7 @@ class CBOREncoder:
     def encode_stringref(self, value):
         # Semantic tag 25
         if not self._stringref(value):