From patchwork Thu Jan 8 07:46:13 2026
X-Patchwork-Submitter: Gyorgy Sarvari
X-Patchwork-Id: 78250
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-oe][kirkstone][PATCH 1/5] php: ignore CVE-2024-3566
Date: Thu, 8 Jan 2026 08:46:13 +0100
Message-ID: <20260108074618.2782232-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123248

From: Jeroen Hofstee

CVE-2024-3566 only affects Microsoft Windows.

Signed-off-by: Jeroen Hofstee
Signed-off-by: Khem Raj
(cherry picked from commit d68c56e1ed2adc8246a18424ed5d9ede5e8254a0)

Adapted to Kirkstone.

Signed-off-by: Gyorgy Sarvari
---
 meta-oe/recipes-devtools/php/php_8.1.34.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-devtools/php/php_8.1.34.bb b/meta-oe/recipes-devtools/php/php_8.1.34.bb
index a734c2458a..86b59a909c 100644
--- a/meta-oe/recipes-devtools/php/php_8.1.34.bb
+++ b/meta-oe/recipes-devtools/php/php_8.1.34.bb
@@ -39,6 +39,7 @@ CVE_CHECK_IGNORE += "\ CVE-2007-2728 \ CVE-2007-3205 \ CVE-2007-4596 \ + CVE-2024-3566 \ " inherit autotools pkgconfig python3native gettext multilib_header multilib_script systemd
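Review bot: the new `CVE-2024-3566 \` entry carries no rationale in the recipe itself; the reason for ignoring it ("only affects Microsoft Windows") lives only in the commit message, so a reader of php_8.1.34.bb sees a 2024 CVE in a list of 2007-era ignores with nothing to say why. Kirkstone's CVE_CHECK_IGNORE list has no per-entry status field, so suggest a comment immediately above the entry, e.g. `# CVE-2024-3566 only affects Microsoft Windows`, keeping the justification next to the ID it covers. The `+=` with backslash continuation matches how the existing list is built, so nothing else is needed in this hunk.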
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][kirkstone][PATCH 2/5] openflow: don't overwrite CVE_CHECK_IGNORE
Date: Thu, 8 Jan 2026 08:46:14 +0100
Message-ID: <20260108074618.2782232-2-skandigraun@gmail.com>
In-Reply-To: <20260108074618.2782232-1-skandigraun@gmail.com>
References: <20260108074618.2782232-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123249

The recipe contains two CVE_CHECK_IGNORE declarations, and the second one overwrites the first one - however the first one is also important. Instead of overwriting it, just append them to each other.

Also, move the operations closer to each other, so it's easier to see what's going on.

Signed-off-by: Gyorgy Sarvari
---
 meta-networking/recipes-protocols/openflow/openflow.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc
index 3c29a5c8cf..2134b57713 100644
--- a/meta-networking/recipes-protocols/openflow/openflow.inc
+++ b/meta-networking/recipes-protocols/openflow/openflow.inc
@@ -18,6 +18,10 @@ CVE_CHECK_IGNORE = "\ CVE-2015-1612 \ " +# This CVE is not for this product but cve-check assumes it is +# because two CPE collides when checking the NVD database +CVE_CHECK_IGNORE += "CVE-2018-1078" + DEPENDS = "virtual/libc" PACKAGECONFIG ??= ""
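Review bot: switching to `CVE_CHECK_IGNORE += "CVE-2018-1078"` does stop the second assignment from discarding `CVE-2015-1612`, but now that both entries sit a few lines apart a single multi-line assignment would read more clearly and would keep the CPE-collision comment directly beside the ID it explains, e.g. `CVE_CHECK_IGNORE = "\`, `    CVE-2015-1612 \`, `    CVE-2018-1078 \` followed by the closing quote, with the comment above the second ID. While the comment lines are being moved anyway, the grammar slip in `# because two CPE collides when checking the NVD database` (should be "two CPEs collide") is worth fixing in the same pass.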
@@ -58,7 +62,3 @@ do_install:append() { } FILES:${PN} += "${nonarch_libdir}/tmpfiles.d" - -# This CVE is not for this product but cve-check assumes it is -# because two CPE collides when checking the NVD database -CVE_CHECK_IGNORE = "CVE-2018-1078"
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 3/5] python3-tornado: patch CVE-2023-28370
Date: Thu, 8 Jan 2026 08:46:15 +0100
Message-ID: <20260108074618.2782232-3-skandigraun@gmail.com>
In-Reply-To: <20260108074618.2782232-1-skandigraun@gmail.com>
References: <20260108074618.2782232-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123250

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-28370

The NVD advisory mentions that the vulnerability was fixed in v6.3.2. I checked the commits in that tag, and picked the only one whose commit message described the same vulnerability as the NVD report.

Signed-off-by: Gyorgy Sarvari
---
 .../python3-tornado/CVE-2023-28370.patch | 39 +++++++++++++++++++
 .../python/python3-tornado_6.1.bb | 1 +
 2 files changed, 40 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch

diff --git a/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch b/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch
new file mode 100644
index 0000000000..b8b6029753
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-tornado/CVE-2023-28370.patch
@@ -0,0 +1,39 @@ +From c5674de64189ac407e6ace51bed08899f267ae44 Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Sat, 13 May 2023 20:58:52 -0400 +Subject: [PATCH] web: Fix an open redirect in StaticFileHandler + +Under some configurations the default_filename redirect could be exploited +to redirect to an attacker-controlled site. This change refuses to redirect +to URLs that could be misinterpreted. + +A test case for the specific vulnerable configuration will follow after the +patch has been available. + +CVE: CVE-2023-28370 +Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f] +Signed-off-by: Gyorgy Sarvari +--- + tornado/web.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/tornado/web.py b/tornado/web.py +index 546e6ec..8410880 100644 +--- a/tornado/web.py ++++ b/tornado/web.py +@@ -2771,6 +2771,15 @@ class StaticFileHandler(RequestHandler): + # but there is some prefix to the path that was already + # trimmed by the routing + if not self.request.path.endswith("/"): ++ if self.request.path.startswith("//"): ++ # A redirect with two initial slashes is a "protocol-relative" URL. ++ # This means the next path segment is treated as a hostname instead ++ # of a part of the path, making this effectively an open redirect. ++ # Reject paths starting with two slashes to prevent this. ++ # This is only reachable under certain configurations. ++ raise HTTPError( ++ 403, "cannot redirect path with two initial slashes" ++ ) + self.redirect(self.request.path + "/", permanent=True) + return None + absolute_path = os.path.join(absolute_path, self.default_filename) diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.1.bb b/meta-python/recipes-devtools/python/python3-tornado_6.1.bb index 1dedc51029..d4cb58febc 100644 --- a/meta-python/recipes-devtools/python/python3-tornado_6.1.bb +++ b/meta-python/recipes-devtools/python/python3-tornado_6.1.bb 
@@ -6,6 +6,7 @@ HOMEPAGE = "http://www.tornadoweb.org/en/stable/" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" +SRC_URI += "file://CVE-2023-28370.patch" SRC_URI[md5sum] = "f324f5e7607798552359d6ab054c4321" SRC_URI[sha256sum] = "33c6e81d7bd55b468d2e793517c909b139960b6c790a60b7991b9b6b76fb9791"
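Review bot: in the CVE-2023-28370.patch header, the `From c5674de64189ac407e6ace51bed08899f267ae44` line and the `Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f]` line name two different commits, so a later maintainer cannot tell which one this file was exported from; make the Upstream-Status URL point at the commit the patch was actually generated from (the `From` hash), or state in the header that the second hash is the same change on another branch, if that is the case. Separately, the backported message itself says "A test case for the specific vulnerable configuration will follow after the patch has been available", so this backport ships the `startswith("//")` rejection in StaticFileHandler with no regression test; if that follow-up test is present in the v6.3.2 tag that was examined, consider carrying it alongside so the 403 path stays covered on the 6.1 branch.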
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 4/5] python3-tornado: patch CVE-2024-52804
Date: Thu, 8 Jan 2026 08:46:16 +0100
Message-ID: <20260108074618.2782232-4-skandigraun@gmail.com>
In-Reply-To: <20260108074618.2782232-1-skandigraun@gmail.com>
References: <20260108074618.2782232-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123251

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-52804

Pick the patch mentioned by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
---
 .../python3-tornado/CVE-2024-52804.patch | 142 ++++++++++++++++++
 .../python/python3-tornado_6.1.bb | 4 +-
 2 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100644 meta-python/recipes-devtools/python/python3-tornado/CVE-2024-52804.patch

diff --git a/meta-python/recipes-devtools/python/python3-tornado/CVE-2024-52804.patch b/meta-python/recipes-devtools/python/python3-tornado/CVE-2024-52804.patch
new file mode 100644
index 0000000000..0279c6859c
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-tornado/CVE-2024-52804.patch
@@ -0,0 +1,142 @@ +From b4918d1e62a3f53cdba19d1b1af5938c7b6b1720 Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Thu, 21 Nov 2024 14:48:05 -0500 +Subject: [PATCH] httputil: Fix quadratic performance of cookie parsing + +Maliciously-crafted cookies can cause Tornado to +spend an unreasonable amount of CPU time and block +the event loop. + +This change replaces the quadratic algorithm with +a more efficient one. The implementation is copied +from the Python 3.13 standard library (the +previous one was from Python 3.5). + +Fixes CVE-2024-52804 +See CVE-2024-7592 for a similar vulnerability in cpython. + +Thanks to github.com/kexinoh for the report. + +CVE: CVE-2024-52804 +Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533] +Signed-off-by: Gyorgy Sarvari +--- + tornado/httputil.py | 38 ++++++++--------------------- + tornado/test/httputil_test.py | 46 +++++++++++++++++++++++++++++++++++ + 2 files changed, 56 insertions(+), 28 deletions(-) + +diff --git a/tornado/httputil.py b/tornado/httputil.py +index bd32cd0..bb50786 100644 +--- a/tornado/httputil.py ++++ b/tornado/httputil.py +@@ -1052,15 +1052,20 @@ def qs_to_qsl(qs: Dict[str, List[AnyStr]]) -> Iterable[Tuple[str, AnyStr]]: + yield (k, v) + + +-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]") +-_QuotePatt = re.compile(r"[\\].") +-_nulljoin = "".join ++_unquote_sub = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))").sub ++ ++ ++def _unquote_replace(m: re.Match) -> str: ++ if m[1]: ++ return chr(int(m[1], 8)) ++ else: ++ return m[2] + + + def _unquote_cookie(s: str) -> str: + """Handle double quotes and escaping in cookie values. + +- This method is copied verbatim from the Python 3.5 standard ++ This method is copied verbatim from the Python 3.13 standard + library (http.cookies._unquote) so we don't have to depend on + non-public interfaces. 
+ """ +@@ -1081,30 +1086,7 @@ def _unquote_cookie(s: str) -> str: + # \012 --> \n + # \" --> " + # +- i = 0 +- n = len(s) +- res = [] +- while 0 <= i < n: +- o_match = _OctalPatt.search(s, i) +- q_match = _QuotePatt.search(s, i) +- if not o_match and not q_match: # Neither matched +- res.append(s[i:]) +- break +- # else: +- j = k = -1 +- if o_match: +- j = o_match.start(0) +- if q_match: +- k = q_match.start(0) +- if q_match and (not o_match or k < j): # QuotePatt matched +- res.append(s[i:k]) +- res.append(s[k + 1]) +- i = k + 2 +- else: # OctalPatt matched +- res.append(s[i:j]) +- res.append(chr(int(s[j + 1 : j + 4], 8))) +- i = j + 4 +- return _nulljoin(res) ++ return _unquote_sub(_unquote_replace, s) + + + def parse_cookie(cookie: str) -> Dict[str, str]: +diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py +index 0fad403..25faf66 100644 +--- a/tornado/test/httputil_test.py ++++ b/tornado/test/httputil_test.py +@@ -519,3 +519,49 @@ class ParseCookieTest(unittest.TestCase): + self.assertEqual( + parse_cookie(" = b ; ; = ; c = ; "), {"": "b", "c": ""} + ) ++ ++ def test_unquote(self): ++ # Copied from ++ # https://github.com/python/cpython/blob/dc7a2b6522ec7af41282bc34f405bee9b306d611/Lib/test/test_http_cookies.py#L62 ++ cases = [ ++ (r'a="b=\""', 'b="'), ++ (r'a="b=\\"', "b=\\"), ++ (r'a="b=\="', "b=="), ++ (r'a="b=\n"', "b=n"), ++ (r'a="b=\042"', 'b="'), ++ (r'a="b=\134"', "b=\\"), ++ (r'a="b=\377"', "b=\xff"), ++ (r'a="b=\400"', "b=400"), ++ (r'a="b=\42"', "b=42"), ++ (r'a="b=\\042"', "b=\\042"), ++ (r'a="b=\\134"', "b=\\134"), ++ (r'a="b=\\\""', 'b=\\"'), ++ (r'a="b=\\\042"', 'b=\\"'), ++ (r'a="b=\134\""', 'b=\\"'), ++ (r'a="b=\134\042"', 'b=\\"'), ++ ] ++ for encoded, decoded in cases: ++ with self.subTest(encoded): ++ c = parse_cookie(encoded) ++ self.assertEqual(c["a"], decoded) ++ ++ def test_unquote_large(self): ++ # Adapted from ++ # 
https://github.com/python/cpython/blob/dc7a2b6522ec7af41282bc34f405bee9b306d611/Lib/test/test_http_cookies.py#L87 ++ # Modified from that test because we handle semicolons differently from the stdlib. ++ # ++ # This is a performance regression test: prior to improvements in Tornado 6.4.2, this test ++ # would take over a minute with n= 100k. Now it runs in tens of milliseconds. ++ n = 100000 ++ for encoded in r"\\", r"\134": ++ with self.subTest(encoded): ++ start = time.time() ++ data = 'a="b=' + encoded * n + '"' ++ value = parse_cookie(data)["a"] ++ end = time.time() ++ self.assertEqual(value[:3], "b=\\") ++ self.assertEqual(value[-3:], "\\\\\\") ++ self.assertEqual(len(value), n + 2) ++ ++ # Very loose performance check to avoid false positives ++ self.assertLess(end - start, 1, "Test took too long") diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.1.bb b/meta-python/recipes-devtools/python/python3-tornado_6.1.bb index d4cb58febc..0d96cbd10e 100644 --- a/meta-python/recipes-devtools/python/python3-tornado_6.1.bb +++ b/meta-python/recipes-devtools/python/python3-tornado_6.1.bb 
@@ -6,7 +6,9 @@ HOMEPAGE = "http://www.tornadoweb.org/en/stable/" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI += "file://CVE-2023-28370.patch" +SRC_URI += "file://CVE-2023-28370.patch \ + file://CVE-2024-52804.patch \ +" SRC_URI[md5sum] = "f324f5e7607798552359d6ab054c4321" SRC_URI[sha256sum] = "33c6e81d7bd55b468d2e793517c909b139960b6c790a60b7991b9b6b76fb9791"
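Review bot: the tornado/httputil.py hunks in CVE-2024-52804.patch remove the module-level `_OctalPatt`, `_QuotePatt` and `_nulljoin` together with the loop that used them; because this is a backport onto 6.1 rather than the tree the upstream commit was written against, grep the 6.1 tornado sources for those three names before merging, since the patch would apply cleanly even if another function in the 6.1 tree still referenced one of them and the failure would only show at import time. The replacement `_unquote_sub(_unquote_replace, s)` preserves the documented mapping (`\012` octal escape to the character, `\"` to `"`) in a single regex pass, which is the part that removes the quadratic behaviour the commit message describes.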
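Review bot: `test_unquote_large` in the tornado/test/httputil_test.py hunk calls `time.time()` and `self.subTest(...)` but the hunk adds no `import time`, so confirm the 6.1 copy of that test module already imports it rather than assuming it; otherwise the test file fails to import. The `self.assertLess(end - start, 1, "Test took too long")` wall-clock bound is sized for a developer host, so if this recipe's test suite is ever run as a ptest on a slow target the one-second threshold is the line most likely to need loosening, even though the hunk's own comment calls it a very loose check.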
From: Gyorgy Sarvari
To: openembedded-devel@lists.openembedded.org
Subject: [meta-python][kirkstone][PATCH 5/5] python3-tqdm: patch CVE-2024-34062
Date: Thu, 8 Jan 2026 08:46:17 +0100
Message-ID: <20260108074618.2782232-5-skandigraun@gmail.com>
In-Reply-To: <20260108074618.2782232-1-skandigraun@gmail.com>
References: <20260108074618.2782232-1-skandigraun@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123252

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-34062

Pick the patch mentioned by the NVD advisory.

Signed-off-by: Gyorgy Sarvari
---
 .../python/python3-tqdm/CVE-2024-34062.patch | 64 +++++++++++++++++++
 .../python/python3-tqdm_4.64.0.bb | 1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch

diff --git a/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch b/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch
new file mode 100644
index 0000000000..a4aaf6248b
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-tqdm/CVE-2024-34062.patch
@@ -0,0 +1,64 @@ +From 35f8daf26d28950aa44a763f19a13c6ee133ff6c Mon Sep 17 00:00:00 2001 +From: Casper da Costa-Luis +Date: Wed, 1 May 2024 14:56:01 +0100 +Subject: [PATCH] cli: eval safety + +- fixes GHSA-g7vv-2v7x-gj9p + +CVE: CVE-2024-34062 +Upstream-Status: Backport [https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316] +Signed-off-by: Gyorgy Sarvari +--- + tqdm/cli.py | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/tqdm/cli.py b/tqdm/cli.py +index 3ed25fb..e4f587b 100644 +--- a/tqdm/cli.py ++++ b/tqdm/cli.py +@@ -21,23 +21,34 @@ def cast(val, typ): + return cast(val, t) + except TqdmTypeError: + pass +- raise TqdmTypeError(val + ' : ' + typ) ++ raise TqdmTypeError(f"{val} : {typ}") + + # sys.stderr.write('\ndebug | `val:type`: `' + val + ':' + typ + '`.\n') + if typ == 'bool': + if (val == 'True') or (val == ''): + return True +- elif val == 'False': ++ if val == 'False': + return False +- else: +- raise TqdmTypeError(val + ' : ' + typ) +- try: +- return eval(typ + '("' + val + '")') +- except Exception: +- if typ == 'chr': +- return chr(ord(eval('"' + val + '"'))).encode() +- else: +- raise TqdmTypeError(val + ' : ' + typ) ++ raise TqdmTypeError(val + ' : ' + typ) ++ if typ == 'chr': ++ if len(val) == 1: ++ return val.encode() ++ if re.match(r"^\\\w+$", val): ++ return eval(f'"{val}"').encode() ++ raise TqdmTypeError(f"{val} : {typ}") ++ if typ == 'str': ++ return val ++ if typ == 'int': ++ try: ++ return int(val) ++ except ValueError as exc: ++ raise TqdmTypeError(f"{val} : {typ}") from exc ++ if typ == 'float': ++ try: ++ return float(val) ++ except ValueError as exc: ++ raise TqdmTypeError(f"{val} : {typ}") from exc ++ raise TqdmTypeError(f"{val} : {typ}") + + + def posix_pipe(fin, fout, delim=b'\\n', buf_size=256, 
diff --git a/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb b/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb index 3cb45f1a6e..5533b34d25 100644 --- a/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb +++ b/meta-python/recipes-devtools/python/python3-tqdm_4.64.0.bb @@ -5,6 +5,7 @@ SECTION = "devel/python" LICENSE = "MIT & MPL-2.0" LIC_FILES_CHKSUM = "file://LICENCE;md5=1672e2674934fd93a31c09cf17f34100" +SRC_URI += "file://CVE-2024-34062.patch" SRC_URI[sha256sum] = "40be55d30e200777a307a7585aee69e4eabb46b4ec6a4b4a5f2d9f11e7d5408d" inherit pypi python_setuptools_build_meta
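Review bot: the `chr` branch of `cast()` in the tqdm/cli.py hunk still reaches `eval(f'"{val}"')`, now gated by `re.match(r"^\\\w+$", val)`, which restricts the evaluated text to one backslash followed by word characters, i.e. a single string escape such as `\n` or `\x41`; that is what turns the unconstrained eval of the old `eval(typ + '("' + val + '")')` line into a bounded one, and the reasoning deserves a one-line comment beside the regex so nobody later "simplifies" the check away. An interpreter-free alternative to consider is `val.encode().decode("unicode_escape").encode()`, which decodes the same standard escapes without `eval` on the path (check the non-ASCII edge cases that the `\w` class admits before swapping). Two smaller points: `re.match` requires `re` to be imported in tqdm/cli.py and the hunk does not add the import, so verify the 4.64.0 module already has it; and the `bool` branch keeps the old `raise TqdmTypeError(val + ' : ' + typ)` while every other branch was converted to `TqdmTypeError(f"{val} : {typ}")`, which is worth making consistent while the function is being rewritten.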