mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 05:49:57 +00:00
Code Issues Projects Releases Wiki Activity
Files
66bb701b2e3fcc261a21c00051721fd99380c1ed
meta-openembedded/meta-python/recipes-devtools
T
History
Jon Mason 66bb701b2e python3-cbor2: Fix CVE-2025-68131 CVE patch error 
The patch for CVE-2025-68131 does not actually match https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0
Specifically, the indenting in decode_from_bytes

This is causing an error in trusted-firmware-m of
| Traceback (most recent call last):
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/tfm/bl2/ext/mcuboot/scripts/wrapper/wrapper.py", line 21, in <module>
|     import imgtool.main
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/main.py", line 25, in <module>
|     from imgtool import image, imgtool_version
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/image.py", line 24, in <module>
|     from .boot_record import create_sw_component_data
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/git/mcuboot/scripts/imgtool/boot_record.py", line 21, in <module>
|     from cbor2 import dumps
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/__init__.py", line 1, in <module>
|     from .decoder import load, loads, CBORDecoder  # noqa
|   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/decoder.py", line 215
|     with BytesIO(buf) as fp:
|     ^
| IndentationError: expected an indented block after 'with' statement on line 214

Indenting to match the original patch fixes this.

Also, because this version of cbor2 is older, it doesn't include commit
53e21063ed1d72ac8f911044dd598a7f9ef72406, which adds 'Any' to encode.py
Because that is  missing, we see the following error:
 |   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/__init__.py", line 2, in <module>
 |     from .encoder import dump, dumps, CBOREncoder, shareable_encoder  # noqa
 |   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/encoder.py", line 68, in <module>
 |     class CBOREncoder:
 |   File "/builder/meta-arm/build/tmp/work/corstone1000_fvp-poky-linux-musl/trusted-firmware-m/1.5.0+gitAUTOINC+f8c7e5361b-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cbor2/encoder.py", line 266, in CBOREncoder
 |     def _encode_value(self, obj: Any) -> None:

To get around this issue, remove the "Any" from the encoder.py.  The
logic behind this (instead of importing typing) is that this is the only
instance, and since this is not something that will be updated
frequently with patches from upstream.

Signed-off-by: Jon Mason <jon.mason@arm.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-13 16:30:11 +02:00
..
gyp
gyp: fix for compatibility with Python 3.10 (part 2)
2022-03-03 08:50:19 -08:00
python
python3-cbor2: Fix CVE-2025-68131 CVE patch error
2026-04-13 16:30:11 +02:00
python3-wxgtk4
python3-wxgtk4: backport patch to fix svg issue
2022-05-30 13:04:18 -07:00
python-jsonref