diff --git a/meta-python/recipes-devtools/python/python3-cbor2/0001-fix-test-parameterization.patch b/meta-python/recipes-devtools/python/python3-cbor2/0001-fix-test-parameterization.patch new file mode 100644 index 0000000000..db5f4c6250 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cbor2/0001-fix-test-parameterization.patch @@ -0,0 +1,48 @@ +From ff1a6be09b6856b34b30b00542a06819402094c6 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Mon, 13 Apr 2026 17:16:43 +0200 +Subject: [PATCH] fix test parameterization + +The patch for CVE-2025-68131 backported the tests in a way +that inserted a new, not-parameterized test between another +parameterized test and this test's parameters. Due to this +the parameters were associated with the incorrect test, failing +the execution. + +Fix that. + +Upstream-Status: Backport [https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0] +Signed-off-by: Gyorgy Sarvari +--- + tests/test_decoder.py | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/tests/test_decoder.py b/tests/test_decoder.py +index cc3af11..f9b7a11 100644 +--- a/tests/test_decoder.py ++++ b/tests/test_decoder.py +@@ -709,11 +709,6 @@ def test_reserved_special_tags(impl, data, expected): + assert exc_info.value.args[0] == "Undefined Reserved major type 7 subtype 0x" + expected + + +-@pytest.mark.parametrize('data, expected', [ +- ('c400', '4'), ('c500', '5') +- ], +-) +- + class TestDecoderReuse: + """ + Tests for correct behavior when reusing CBORDecoder instances. +@@ -775,6 +770,12 @@ class TestDecoderReuse: + assert result == ["hello", "hello"] + assert result[0] is result[1] # Same object reference + ++ ++@pytest.mark.parametrize('data, expected', [ ++ ('c400', '4'), ('c500', '5') ++ ], ++) ++ + def test_decimal_payload_unpacking(impl, data, expected): + with pytest.raises(impl.CBORDecodeValueError) as exc_info: + impl.loads(unhexlify(data)) diff --git a/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch b/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch index 8556c5bdbc..a87d901727 100644 --- a/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch +++ b/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch @@ -411,7 +411,7 @@ index d03e288..cc3af11 100644 + decoder.decode_from_bytes(msg2) + + def test_shared_refs_within_single_decode(self, impl): -+ """ ++ """ + Shared references must work correctly within a single decode operation. + + Note: This tests non-cyclic sibling references [shareable(x), sharedref(0)], @@ -420,7 +420,7 @@ index d03e288..cc3af11 100644 + """ + # [shareable("hello"), sharedref(0)] -> ["hello", "hello"] + data = unhexlify( -+ "82" # array(2) ++ "82" # array(2) + "d81c" # tag(28) shareable + "65" # text(5) + "68656c6c6f" # "hello" @@ -475,7 +475,7 @@ index 8c40000..c76d5e0 100644 + encode_to_bytes should also reset shared container tracking between calls. + """ + fp = BytesIO() -+ encoder = impl.CBOREncoder(fp, value_sharing=True) ++ encoder = impl.CBOREncoder(fp, value_sharing=True) + shared_obj = ["hello"] + + # First encode @@ -483,7 +483,7 @@ index 8c40000..c76d5e0 100644 + + # Second encode should produce valid standalone CBOR + result_bytes = encoder.encode_to_bytes(shared_obj) -+ result = impl.loads(result_bytes) ++ result = impl.loads(result_bytes) + assert result == ["hello"] + + def test_encoder_hook_does_not_reset_state(self, impl): diff --git a/meta-python/recipes-devtools/python/python3-cbor2_5.4.2.bb b/meta-python/recipes-devtools/python/python3-cbor2_5.4.2.bb index 5aeb82b992..9a3218607d 100644 --- a/meta-python/recipes-devtools/python/python3-cbor2_5.4.2.bb +++ b/meta-python/recipes-devtools/python/python3-cbor2_5.4.2.bb @@ -11,6 +11,7 @@ inherit pypi python_setuptools_build_meta ptest SRC_URI += " \ file://run-ptest \ file://CVE-2025-68131.patch \ + file://0001-fix-test-parameterization.patch \ " # not vulnerable yet, vulnerability was introduced in v5.6.0