new file mode 100644
@@ -0,0 +1,48 @@
+From ff1a6be09b6856b34b30b00542a06819402094c6 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Mon, 13 Apr 2026 17:16:43 +0200
+Subject: [PATCH] fix test parameterization
+
+The patch for CVE-2025-68131 backported the tests in a way
+that inserted a new, not-parameterized test between another
+parameterized test and this test's parameters. Due to this
+the parameters were associated with the incorrect test, failing
+the execution.
+
+Fix that.
+
+Upstream-Status: Backport [https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ tests/test_decoder.py | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tests/test_decoder.py b/tests/test_decoder.py
+index cc3af11..f9b7a11 100644
+--- a/tests/test_decoder.py
++++ b/tests/test_decoder.py
+@@ -709,11 +709,6 @@ def test_reserved_special_tags(impl, data, expected):
+ assert exc_info.value.args[0] == "Undefined Reserved major type 7 subtype 0x" + expected
+
+
+-@pytest.mark.parametrize('data, expected', [
+- ('c400', '4'), ('c500', '5')
+- ],
+-)
+-
+ class TestDecoderReuse:
+ """
+ Tests for correct behavior when reusing CBORDecoder instances.
+@@ -775,6 +770,12 @@ class TestDecoderReuse:
+ assert result == ["hello", "hello"]
+ assert result[0] is result[1] # Same object reference
+
++
++@pytest.mark.parametrize('data, expected', [
++ ('c400', '4'), ('c500', '5')
++ ],
++)
++
+ def test_decimal_payload_unpacking(impl, data, expected):
+ with pytest.raises(impl.CBORDecodeValueError) as exc_info:
+ impl.loads(unhexlify(data))
@@ -411,7 +411,7 @@ index d03e288..cc3af11 100644
+ decoder.decode_from_bytes(msg2)
+
+ def test_shared_refs_within_single_decode(self, impl):
-+ """
++ """
+ Shared references must work correctly within a single decode operation.
+
+ Note: This tests non-cyclic sibling references [shareable(x), sharedref(0)],
@@ -420,7 +420,7 @@ index d03e288..cc3af11 100644
+ """
+ # [shareable("hello"), sharedref(0)] -> ["hello", "hello"]
+ data = unhexlify(
-+ "82" # array(2)
++ "82" # array(2)
+ "d81c" # tag(28) shareable
+ "65" # text(5)
+ "68656c6c6f" # "hello"
@@ -475,7 +475,7 @@ index 8c40000..c76d5e0 100644
+ encode_to_bytes should also reset shared container tracking between calls.
+ """
+ fp = BytesIO()
-+ encoder = impl.CBOREncoder(fp, value_sharing=True)
++ encoder = impl.CBOREncoder(fp, value_sharing=True)
+ shared_obj = ["hello"]
+
+ # First encode
@@ -483,7 +483,7 @@ index 8c40000..c76d5e0 100644
+
+ # Second encode should produce valid standalone CBOR
+ result_bytes = encoder.encode_to_bytes(shared_obj)
-+ result = impl.loads(result_bytes)
++ result = impl.loads(result_bytes)
+ assert result == ["hello"]
+
+ def test_encoder_hook_does_not_reset_state(self, impl):
@@ -11,6 +11,7 @@ inherit pypi python_setuptools_build_meta ptest
SRC_URI += " \
file://run-ptest \
file://CVE-2025-68131.patch \
+ file://0001-fix-test-parameterization.patch \
"
# not vulnerable yet, vulnerability was introduced in v5.6.0
Similar to a previous patch, the CVE-2025-68131 patch contained some more indentation errors, in the tests. Also, the backported tests were inserted between an existing test and its parameters - a new patch corrects that. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../0001-fix-test-parameterization.patch | 48 +++++++++++++++++++ .../python/python3-cbor2/CVE-2025-68131.patch | 8 ++-- .../python/python3-cbor2_5.4.2.bb | 1 + 3 files changed, 53 insertions(+), 4 deletions(-) create mode 100644 meta-python/recipes-devtools/python/python3-cbor2/0001-fix-test-parameterization.patch