Similar to a previous patch, the CVE-2025-68131 patch
contained some more indentation errors, in the tests.
Also, the backported tests were inserted between an
existing test and its parameters - a new patch corrects
that.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The patch for CVE-2025-68131 does not actually match https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0
Specifically, the indenting in decode_from_bytes
This is causing an error in trusted-firmware-m of
| Traceback (most recent call last):
| File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/tfm/bl2/ext/mcuboot/scripts/wrapper/wrapper.py", line 21, in <module>
| import imgtool.main
| File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/main.py", line 25, in <module>
| from imgtool import image, imgtool_version
| File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/image.py", line 24, in <module>
| from .boot_record import create_sw_component_data
| File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/boot_record.py", line 21, in <module>
| from cbor2 import dumps
| File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/__init__.py", line 1, in <module>
| from .decoder import load, loads, CBORDecoder # noqa
| File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/decoder.py", line 215
| with BytesIO(buf) as fp:
| ^
| IndentationError: expected an indented block after 'with' statement on line 214
Indenting to match the original patch fixes this.
Also, because this version of cbor2 is older, it doesn't include commit
53e21063ed1d72ac8f911044dd598a7f9ef72406, which adds 'Any' to encode.py
Because that is missing, we see the following error:
| File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/__init__.py", line 2, in <module>
| from .encoder import dump, dumps, CBOREncoder, shareable_encoder # noqa
| File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/encoder.py", line 68, in <module>
| class CBOREncoder:
| File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/encoder.py", line 266, in CBOREncoder
| def _encode_value(self, obj: Any) -> None:
To get around this issue, remove the "Any" from the encoder.py. The
logic behind this (instead of importing typing) is that this is the only
instance, and since this is not something that will be updated
frequently with patches from upstream.
Signed-off-by: Jon Mason <jon.mason@arm.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Gyorgy Sarvari
Jon Mason
Hitendra Prajapati