diff --git a/meta/recipes-devtools/python/python3-ply/CVE-2025-56005.patch b/meta/recipes-devtools/python/python3-ply/CVE-2025-56005.patch new file mode 100644 index 0000000000..3f1e62b766 --- /dev/null +++ b/meta/recipes-devtools/python/python3-ply/CVE-2025-56005.patch @@ -0,0 +1,125 @@ +From bfaebcc33a5af77f2701581638aa31a1bf918302 Mon Sep 17 00:00:00 2001 +From: Libo Chen +Date: Tue, 27 Jan 2026 13:58:57 +0800 +Subject: [PATCH] python3-ply: fix CVE-2025-56005 + +Deprecate and disable the unsafe picklefile parameter and related +pickle serialization/deserialization functions to prevent RCE attacks. + +The picklefile parameter in yacc() now issues a DeprecationWarning +and is ignored. The read_pickle() and pickle_table() methods are +stubbed out to issue warnings and raise NotImplementedError, following +Python's standard practice for security-deprecated APIs. + +CVE: CVE-2025-56005 + +Upstream-Status: Inactive-Upstream + +Signed-off-by: Libo Chen +--- + ply/yacc.py | 72 +++++++++++++++++++++-------------------------------- + 1 file changed, 28 insertions(+), 44 deletions(-) + +diff --git a/ply/yacc.py b/ply/yacc.py +index 88188a1..5103566 100644 +--- a/ply/yacc.py ++++ b/ply/yacc.py +@@ -1998,31 +1998,15 @@ class LRTable(object): + return parsetab._lr_signature + + def read_pickle(self, filename): +- try: +- import cPickle as pickle +- except ImportError: +- import pickle +- +- if not os.path.exists(filename): +- raise ImportError +- +- in_f = open(filename, 'rb') +- +- tabversion = pickle.load(in_f) +- if tabversion != __tabversion__: +- raise VersionError('yacc table file version is out of date') +- self.lr_method = pickle.load(in_f) +- signature = pickle.load(in_f) +- self.lr_action = pickle.load(in_f) +- self.lr_goto = pickle.load(in_f) +- productions = pickle.load(in_f) +- +- self.lr_productions = [] +- for p in productions: +- self.lr_productions.append(MiniProduction(*p)) +- +- in_f.close() +- return signature ++ import warnings ++ warnings.warn( ++ "read_pickle() is deprecated and disabled due to security vulnerability CVE-2025-56005. " ++ "Pickle deserialization can lead to arbitrary code execution. " ++ "This function is no longer supported.", ++ DeprecationWarning, ++ stacklevel=2 ++ ) ++ raise NotImplementedError("read_pickle() is disabled for security reasons (CVE-2025-56005)") + + # Bind all production function names to callable objects in pdict + def bind_callables(self, pdict): +@@ -2845,27 +2829,19 @@ del _lr_goto_items + # pickle_table() + # + # This function pickles the LR parsing tables to a supplied file object ++ # DEPRECATED: Disabled due to CVE-2025-56005 + # ----------------------------------------------------------------------------- + + def pickle_table(self, filename, signature=''): +- try: +- import cPickle as pickle +- except ImportError: +- import pickle +- with open(filename, 'wb') as outf: +- pickle.dump(__tabversion__, outf, pickle_protocol) +- pickle.dump(self.lr_method, outf, pickle_protocol) +- pickle.dump(signature, outf, pickle_protocol) +- pickle.dump(self.lr_action, outf, pickle_protocol) +- pickle.dump(self.lr_goto, outf, pickle_protocol) +- +- outp = [] +- for p in self.lr_productions: +- if p.func: +- outp.append((p.str, p.name, p.len, p.func, os.path.basename(p.file), p.line)) +- else: +- outp.append((str(p), p.name, p.len, None, None, None)) +- pickle.dump(outp, outf, pickle_protocol) ++ import warnings ++ warnings.warn( ++ "pickle_table() is deprecated and disabled due to security vulnerability CVE-2025-56005. " ++ "Pickle serialization can lead to arbitrary code execution when deserialized. " ++ "This function is no longer supported.", ++ DeprecationWarning, ++ stacklevel=2 ++ ) ++ raise NotImplementedError("pickle_table() is disabled for security reasons (CVE-2025-56005)") + + # ----------------------------------------------------------------------------- + # === INTROSPECTION === +@@ -3225,7 +3201,15 @@ def yacc(method='LALR', debug=yaccdebug, module=None, tabmodule=tab_module, star + + # If pickling is enabled, table files are not created + if picklefile: +- write_tables = 0 ++ import warnings ++ warnings.warn( ++ "The 'picklefile' parameter is deprecated and disabled due to security vulnerability CVE-2025-56005. " ++ "Pickle deserialization can lead to arbitrary code execution. " ++ "The parameter will be ignored and standard table files will be used instead.", ++ DeprecationWarning, ++ stacklevel=2 ++ ) ++ picklefile = None + + if errorlog is None: + errorlog = PlyLogger(sys.stderr) +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-ply_3.11.bb b/meta/recipes-devtools/python/python3-ply_3.11.bb index a05bd6702d..41bcac2be8 100644 --- a/meta/recipes-devtools/python/python3-ply_3.11.bb +++ b/meta/recipes-devtools/python/python3-ply_3.11.bb @@ -8,6 +8,10 @@ LIC_FILES_CHKSUM = "file://README.md;beginline=5;endline=32;md5=f5ee5c355c0e6719 SRC_URI[md5sum] = "6465f602e656455affcd7c5734c638f8" SRC_URI[sha256sum] = "00c7c1aaa88358b9c765b6d3000c6eec0ba42abca5351b095321aef446081da3" +SRC_URI += " \ + file://CVE-2025-56005.patch \ +" + inherit pypi setuptools3 RDEPENDS:${PN}:class-target += "\