From patchwork Wed Jan 14 13:00:38 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78689 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 01499D2A013 for ; Wed, 14 Jan 2026 13:01:15 +0000 (UTC) Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9342.1768395669043695348 for ; Wed, 14 Jan 2026 05:01:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=SPS8iEB4; spf=pass (domain: gmail.com, ip: 209.85.210.180, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-81df6a302b1so4668244b3a.2 for ; Wed, 14 Jan 2026 05:01:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395668; x=1769000468; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=0oKauuB9B3ug3sr24XeAa7d1wkPLVBu5Z3+3NWR+IiU=; b=SPS8iEB4qURO8DUG05w34DtIZCh78DRGxUet6NiWITTQTTlIJvmAwnksAIAT7QKyhZ 7DoVNy29YdWRT8US2JKWi9ejHEDwT63pzEkZr7x1YYlZtqdJacX73PKvizge3lH0x/w3 K4Dr4wPhAQyaRzepbNGRdfanmwcW+MWnOHLAmqc/PuN7raop7qMglEMRIt5iyW/zX7MT 3myYUujJVmb5JVpYaDcGj/FVm7ymI2JEpEhg8riTJ6U1dR0eH4AjpoXYb5CqsUjtCAkZ xlJEo+smDig7/s72sNLYeF2fOpgf2c6ucXqaKJ0zJoxCijf9zy37Ge3LWUhfKsJ3NV1x DnOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768395668; x=1769000468; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=0oKauuB9B3ug3sr24XeAa7d1wkPLVBu5Z3+3NWR+IiU=; 
b=G6jlJf4a11l5JJtTr3ew1Ed5uBe6clBnKoPAAVYMra429gnxMdsHD5z6P1KjqAtD/w l0spG/bjRNsfNVQuz6x81zdJNw65X3MXM3l63FwJBwqkVqCLNqA2OBaYzCxw1wFJ9ul9 8QyTNcfblB5fX1UduIV7L42gs6i7HIT36naQyWpuEFCguLr3h3r1wi57XjQerj6aht0c AfVc50botWMlXrexzkcLsvfPh+ecfOGRHoXD8Ii9tpVM5nh7JXsbffVF0eQVXSrupE5j ioaKbghKIUQuHnjhaoGTlt2ijGaYFW6Ky79UWrLjsZ32iHF30iYZjEyhCQgWQRfJq6y8 lZ7Q== X-Gm-Message-State: AOJu0YynDjIgYewzZCvr6tTch5kZjtsDBg0iP7Y8MeGRtCMGZJuzXo6i g8fV3MnJae5pgxHwL5OAnTge8W2B1YP/4hlQ5rC67OYS93LVLr963jFiNlhb0A== X-Gm-Gg: AY/fxX4vWgZDeSJnXCL98ZCNOs2Gkj8Pi6UUw7USPEezbBGjDLvX82bwRtypZkP0Qaq G9EjjMe9kgaOs5V1I4RXtfDSxQuiFVVVilGPGlRi1lZJEVfMXggyWEP/v7EQPeE9VG4AwCbKHjm BH3dUalL1AfZcbWKZtyJyYolrpvRskVKLkffHfVSYVDMb6SoinaAe+EaICG8YX/lEZFy3CQ7gT5 j4YwRefxI+q61OSYTxfVRDiPdP+YjpYwKkM/MXHCrUHEfosyowZffIPsLHU8tlvrt1sVB8LgZ31 zjgJlLIe8DZwpqhZU8W1MRv7yQe23zSoQq0V4YUTw6+FqP9A6nlqC2vWADY1oON2+pTz1W76nXA dUoF53ZH6Ffrc9u4r2fUMzSWft/msD0V2TJ9LMs9Zsq8x2Xt4YSfQNz4OnGX+MJsetTh2rnmPdn G5WknCWrX3h30dBeNcxUvh9hw= X-Received: by 2002:a05:6a00:8c13:b0:81a:7be3:9e6a with SMTP id d2e1a72fcca58-81f81ce1f01mr2334849b3a.7.1768395666998; Wed, 14 Jan 2026 05:01:06 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([147.161.217.27]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-819ab137711sm23340853b3a.0.2026.01.14.05.01.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Jan 2026 05:01:06 -0800 (PST) From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 01/20] python3-aiohttp: upgrade 3.9.4 -> 3.9.5 Date: Thu, 15 Jan 2026 02:00:38 +1300 Message-ID: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123454 
From: Ankur Tyagi Bug fixes - Fixed "Unclosed client session" when initialization of :py:class:~aiohttp.ClientSession fails. - Fixed regression (from :pr:8280) with adding Content-Disposition to the form-data part after appending to writer. - Added default Content-Disposition in multipart/form-data responses to avoid broken form-data responses. https://github.com/aio-libs/aiohttp/releases/tag/v3.9.5 Signed-off-by: Ankur Tyagi --- .../{python3-aiohttp_3.9.4.bb => python3-aiohttp_3.9.5.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-aiohttp_3.9.4.bb => python3-aiohttp_3.9.5.bb} (86%) diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.4.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb similarity index 86% rename from meta-python/recipes-devtools/python/python3-aiohttp_3.9.4.bb rename to meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb index 1cfed0d7a4..57adb1eeba 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.4.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb 
@@ -4,7 +4,7 @@ HOMEPAGE = "https://github.com/aio-libs/aiohttp" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41" -SRC_URI[sha256sum] = "6ff71ede6d9a5a58cfb7b6fffc83ab5d4a63138276c771ac91ceaaddf5459644" +SRC_URI[sha256sum] = "edea7d15772ceeb29db4aff55e482d4bcfb6ae160ce144f2682de02f6d693551" PYPI_PACKAGE = "aiohttp" inherit python_setuptools_build_meta pypi From patchwork Wed Jan 14 13:00:39 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78690 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0254BD2A00F for ; Wed, 14 Jan 2026 13:01:15 +0000 (UTC) Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9428.1768395672286058417 for ; Wed, 14 Jan 2026 05:01:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Hnz4pKsD; spf=pass (domain: gmail.com, ip: 209.85.210.175, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-7f89d0b37f0so480157b3a.0 for ; Wed, 14 Jan 2026 05:01:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395671; x=1769000471; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=bI2CACZw8ExvQjhtWCjhWa5E5wGaQzQn1J1Bby0/prQ=; b=Hnz4pKsDDQVY4v5qUPSfuRlNsBM30XoZS/KDj2Bl3mFrWfu+kk4PE7xNxpg+GTWnRY 5xJfSzyXZiLR95iFntBlpaTL7G1DEexbIVhDOMlBGT5t7DLSi4NKAnH28+DDj/1P7nAZ zS/2zJZ552Hkdco2jhjBQsCe9lCz+m/rbCW8S0nAjLcMyL7FaiVC/YZycwfDoYP7MeOp 
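Review bot: The only change in this hunk is the SRC_URI[sha256sum] bump from 6ff71ede... to edea7d15..., and because the recipe fetches the sdist through the pypi class with no upstream signature check, that hash is the sole integrity anchor for what scarthgap will build, so it should be confirmed against the published aiohttp-3.9.5 sdist checksum before merge. The release-note bullets in the commit message (ClientSession cleanup, Content-Disposition fixes) describe no security fixes, which is consistent with patches 02/20 and 03/20 adding the CVE backports on top of this version rather than the version bump itself closing anything.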
j6/daAC53h3qm20W7cUIans+tJEKjAew+phZNCViKWOle+dT2dR4Cev6a64BRQrriKQp dYkoQdejcO2esZKGEkAGa7q0+6z+n+TRHaX4VmWErjfnxszDlkRMhyUA3A6i6FYnRgSb 9G4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768395671; x=1769000471; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=bI2CACZw8ExvQjhtWCjhWa5E5wGaQzQn1J1Bby0/prQ=; b=jFRwBV/OUU2imVGUTk1sa0zeolV6WT4KUj+suXZBGe5pCTyEYUFrooyNP5p45K9tda U+B8XHOZ9i+nTsLzwPk4c47SYm01IypmL8e4HodPWvf/W+w+eyNFVR+HIBFJTw2Os0In 69+RbjRmJDdpPudDPH3+iR+8pv8so4FpjCUFky0NJ418FL7dKgwwZFWjHnW1YMPc27yB CGceHYTb7xELoyO7BAbGLEAoOGKb1LRS35iOTDc+wQ3/x+sIz4SAOhG1o8PvpFzhV4Ty 8+LQ62CYeR490/2m8AuMHFByHidD5q58WRSvBPbLRSXyFgfZ6KzU88634E7yyCb3BDi9 Idtg== X-Gm-Message-State: AOJu0YxT4hY8Kpn71+6ROpIg2YquAYNsXWUu9odcblndD4YHUAzTErPf F+M9QjXEmxwuARRJB/E4HbpF4nlIawq3JV1T7w3Y+jJJ1IxtEEfIctUdrAa7wQ== X-Gm-Gg: AY/fxX7CK5lpSCo1DwsOm5qM4/yvWRUPPImqtlt5m3xbORlMyc9OHSUROhM2VTDV/JU CcpNq2i+J9FSicyzVYfRbQhnRBzbukBa+V+/KwbQE0lJfhTHI5i3OAt6yQBPG3D+7HMWTNpNlvX c8Xt7avoQkY+siAcCy2DLTz9vduEdO02X6svKfhOR5+P3hkitnMwEKS540GCNgfVb7ymFIf6tjZ hqA6KomObB9OOqQU+8PhKmtwOFo5eRwLrmLyIEavmeCY8OL9KLB03w8fHohHrEMcNrQHJswlguw 4NZKgj9xU4MjS4J6IFOaONhmaCjgWnfu3qIzFxNEUaPHQdqiEf8VnSxBqczTAOWp7mJVe1wVOWy KmdQsEXdVGmXXSWY9WWDIoxJP2xIcN5+4uQjrJuICMW9VVs/80x/qtU6OZSOI4W7IaSyrfna/xp qEFghIPfDK7DNYYIfzlCUKVex+W4zA5idGYg== X-Received: by 2002:a05:6a20:9392:b0:366:14b0:4b15 with SMTP id adf61e73a8af0-38bed3b409dmr2615496637.32.1768395669311; Wed, 14 Jan 2026 05:01:09 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([147.161.217.27]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-819ab137711sm23340853b3a.0.2026.01.14.05.01.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Jan 2026 05:01:09 -0800 (PST) 
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 02/20] python3-aiohttp: patch CVE-2024-52304 Date: Thu, 15 Jan 2026 02:00:39 +1300 Message-ID: <20260114130100.1016416-2-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123455 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2024-52304 Signed-off-by: Ankur Tyagi --- .../python3-aiohttp/CVE-2024-52304.patch | 124 ++++++++++++++++++ .../python/python3-aiohttp_3.9.5.bb | 2 + 2 files changed, 126 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch new file mode 100644 index 0000000000..2ddd94a4be --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch 
@@ -0,0 +1,124 @@ +From ca0218ea87242c6031887d138183a9b05c256514 Mon Sep 17 00:00:00 2001 +From: "J. Nick Koston" +Date: Wed, 13 Nov 2024 08:50:36 -0600 +Subject: [PATCH] [PR #9851/541d86d backport][3.10] Fix incorrect parsing of + chunk extensions with the pure Python parser (#9853) + +CVE: CVE-2024-52304 +Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71] +Signed-off-by: Ankur Tyagi +--- + aiohttp/http_parser.py | 7 ++++ + tests/test_http_parser.py | 74 ++++++++++++++++++++++++++++++++++++++- + 2 files changed, 80 insertions(+), 1 deletion(-) + +diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py +index 013511917..7a552458e 100644 +--- a/aiohttp/http_parser.py ++++ b/aiohttp/http_parser.py +@@ -848,6 +848,13 @@ class HttpPayloadParser: + i = chunk.find(CHUNK_EXT, 0, pos) + if i >= 0: + size_b = chunk[:i] # strip chunk-extensions ++ # Verify no LF in the chunk-extension ++ if b"\n" in (ext := chunk[i:pos]): ++ exc = BadHttpMessage( ++ f"Unexpected LF in chunk-extension: {ext!r}" ++ ) ++ set_exception(self.payload, exc) ++ raise exc + else: + size_b = chunk[:pos] + +diff --git a/tests/test_http_parser.py b/tests/test_http_parser.py +index ee7dc4aab..2f34f0bc0 100644 +--- a/tests/test_http_parser.py ++++ b/tests/test_http_parser.py +@@ -13,6 +13,7 @@ from yarl import URL + + import aiohttp + from aiohttp import http_exceptions, streams ++from aiohttp.base_protocol import BaseProtocol + from aiohttp.http_parser import ( + NO_EXTENSIONS, + DeflateBuffer, +@@ -1369,7 +1370,78 @@ def test_parse_chunked_payload_empty_body_than_another_chunked( + assert b"second" == b"".join(d for d in payload._buffer) + + +-def test_partial_url(parser: Any) -> None: ++async def test_parse_chunked_payload_split_chunks(response: Any) -> None: ++ network_chunks = ( ++ b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n", ++ b"5\r\nfi", ++ b"rst", ++ # This simulates a bug in lax mode caused when the \r\n separator, 
before the ++ # next HTTP chunk, appears at the start of the next network chunk. ++ b"\r\n", ++ b"6", ++ b"\r", ++ b"\n", ++ b"second\r", ++ b"\n0\r\n\r\n", ++ ) ++ reader = response.feed_data(network_chunks[0])[0][0][1] ++ for c in network_chunks[1:]: ++ response.feed_data(c) ++ ++ assert response.feed_eof() is None ++ assert reader.is_eof() ++ assert await reader.read() == b"firstsecond" ++ ++ ++@pytest.mark.skipif(NO_EXTENSIONS, reason="Only tests C parser.") ++async def test_parse_chunked_payload_with_lf_in_extensions_c_parser( ++ loop: asyncio.AbstractEventLoop, protocol: BaseProtocol ++) -> None: ++ """Test the C-parser with a chunked payload that has a LF in the chunk extensions.""" ++ # The C parser will raise a BadHttpMessage from feed_data ++ parser = HttpRequestParserC( ++ protocol, ++ loop, ++ 2**16, ++ max_line_size=8190, ++ max_field_size=8190, ++ ) ++ payload = ( ++ b"GET / HTTP/1.1\r\nHost: localhost:5001\r\n" ++ b"Transfer-Encoding: chunked\r\n\r\n2;\nxx\r\n4c\r\n0\r\n\r\n" ++ b"GET /admin HTTP/1.1\r\nHost: localhost:5001\r\n" ++ b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n" ++ ) ++ with pytest.raises(http_exceptions.BadHttpMessage, match="\\\\nxx"): ++ parser.feed_data(payload) ++ ++ ++async def test_parse_chunked_payload_with_lf_in_extensions_py_parser( ++ loop: asyncio.AbstractEventLoop, protocol: BaseProtocol ++) -> None: ++ """Test the py-parser with a chunked payload that has a LF in the chunk extensions.""" ++ # The py parser will not raise the BadHttpMessage directly, but instead ++ # it will set the exception on the StreamReader. 
++ parser = HttpRequestParserPy( ++ protocol, ++ loop, ++ 2**16, ++ max_line_size=8190, ++ max_field_size=8190, ++ ) ++ payload = ( ++ b"GET / HTTP/1.1\r\nHost: localhost:5001\r\n" ++ b"Transfer-Encoding: chunked\r\n\r\n2;\nxx\r\n4c\r\n0\r\n\r\n" ++ b"GET /admin HTTP/1.1\r\nHost: localhost:5001\r\n" ++ b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n" ++ ) ++ messages, _, _ = parser.feed_data(payload) ++ reader = messages[0][1] ++ assert isinstance(reader.exception(), http_exceptions.BadHttpMessage) ++ assert "\\nxx" in str(reader.exception()) ++ ++ ++def test_partial_url(parser: HttpRequestParser) -> None: + messages, upgrade, tail = parser.feed_data(b"GET /te") + assert len(messages) == 0 + messages, upgrade, tail = parser.feed_data(b"st HTTP/1.1\r\n\r\n") diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb index 57adb1eeba..ea117576bc 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb 
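Review bot: The http_parser.py hunk only rejects a bare LF inside the chunk-extension region, which is the right scope: the line was already split on SEP, so the extension can never contain the full separator, and the bare-LF case (the `2;\nxx` payload in both new tests) is what slipped through. Two things to check before merge. First, the Python parser attaches the error with `set_exception(self.payload, exc)` and then raises; the py-parser test shows feed_data still returning messages with `reader.exception()` set, while the C-parser test expects feed_data itself to raise, so callers on this branch see the failure on the StreamReader rather than from feed_data for the pure-Python path, and that asymmetry is now documented by the tests. Second, the three commit identifiers disagree: the From line is ca0218ea, the subject names 541d86d as the PR #9851 commit, and Upstream-Status links 259edc36; please state in the header which of these the Upstream-Status URL refers to. Note also that this recipe does not inherit ptest, so the tests/test_http_parser.py part of the patch is carried for traceability only and is never executed in the build; and the post-patch blob id 7a552458e is what the later CVE-2025-53643 patch expects as its pre-image, so the two patches must stay in this order.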
@@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41" SRC_URI[sha256sum] = "edea7d15772ceeb29db4aff55e482d4bcfb6ae160ce144f2682de02f6d693551" +SRC_URI += "file://CVE-2024-52304.patch" + PYPI_PACKAGE = "aiohttp" inherit python_setuptools_build_meta pypi From patchwork Wed Jan 14 13:00:40 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78691 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 03A2AD2A018 for ; Wed, 14 Jan 2026 13:01:15 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9346.1768395672842189354 for ; Wed, 14 Jan 2026 05:01:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=B9hA+MWP; spf=pass (domain: gmail.com, ip: 209.85.210.178, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-81ecbdfdcebso2716957b3a.1 for ; Wed, 14 Jan 2026 05:01:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395672; x=1769000472; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=790QPs9U1iHURTHzEPpF09g/NOTd/Ysws1CpkLnA30s=; b=B9hA+MWPKyPdoNqzj1hZIcqzimiAJbL/x/3/3SHr7GUYr+/FJCOzPlZWvVGuz1kEfb pbeti+y6WB3soqh7PjVV4ydKzZ2k7jBJ0Ujv8nJnb5YFgRwTcNv7zQJ1THF78+w3BRrd AcVpqjTPoflAUfcD5eueVEbS+sOFEXJTrzEZwI0PH18Hj5SJvBD8VVTqapg3hRnIzK0u UD54UFZVXUcUFv5leV+bKAeHVWwBvsAytvwnCuulFmSX+2DYTctQyd78IRS20jcxtppY vPWqAvbQK4l1lmCD9pfUfK/tUAlGlGecwA4isZ689H9ocnGAIin7iUrjrTLzjvBtg/K4 HXgw== 
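Review bot: The `SRC_URI += "file://CVE-2024-52304.patch"` line is enough on its own since the patch sits in the python3-aiohttp/ directory beside the recipe and the embedded diff uses `a/aiohttp/http_parser.py` paths, which match the sdist layout at the default -p1 strip level. One caveat worth a line in the commit message: the fix touches only the pure-Python HttpPayloadParser, so on a build where the C extensions compile (the default for this recipe, which sets nothing to disable them) the patched code is the fallback path, not the parser normally in use; it is still worth carrying, but the CVE status of the package on this branch depends on the C parser as well.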
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768395672; x=1769000472; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=790QPs9U1iHURTHzEPpF09g/NOTd/Ysws1CpkLnA30s=; b=GiZDd7+cEJIADznRiI2/rb4fu+4YCFGA3ByE49cIR1yFmrpbUTZ5NJydOGPQAPKzZB 6ft6k4ZCZwAemgqH/PA/y++qNjaxggLggmSoIGJWwNN2+KyP4TgZWASeXBvTka+7oG9B mxufwiJ8yPCwgazLqo0qoBfxh8X4OuTfj37BP8dOvwwxumfLLVy52jcwacKaZGDZk72y lZJyqD7eyg6TxBSRgp+KnyYkwcm/opZNle0rf6jsJeTUfCi+c1kk7CtJ5Mg8d+J0aEGP jZLYVYE0jiAEzfTYDrHqDzl7+cKUuBglpSxfabRu+ISvxJUW6Pgxb3Jp7bG15Xw8DGNi UZwg== X-Gm-Message-State: AOJu0YzO9PlkaIdb8lG9ed5P8i7lDT9lTh8ubXIEKXnYZuu9MhnFFWKo V6P5N+4C20k4BLcGCDDXfNg5Ec2Z4IL3WINSR6uXfNNPKPmnETGSKt9xvyOTeg== X-Gm-Gg: AY/fxX5cXmUnqKDp2JutB6m3AJTK0ZXvtWAkNr91oxhMEFYqcl1wH/WFWsgCR/Q6n4Z KO4IIqyTbXSB6RO3+oOeLQ7mQk2SnZ+xry21ssDwqRemKGp4TyIbrWqhX1jV8kmc3GIyXv9QYIh Nvp9xGke6kWaTxo29bLcArOc899jhuvsy7jf7xWELIVnU7nePHvhd4hR+e4cLKXmi2+DMnrDYMR tdmdrrWg2/++4FYJk7sDT/urs9xhvDjwpZQJ7moJadWq8IFtQbAPBMie4OFEvLTG7ej2O74qcbM R5pEx0b9RSjpDyOhv5fcZvgaOX2SPqotq8pUY4nBfq37AJ302hJ0yZ6z9+7FBSvOXYYP4iguw10 a/Eg2+w/+O4YopDwLERHmmWKOwN03WukxS/P/o2hHdqAIvNcB/Ne5fdzXNyRg1+hpolEJfESUS8 I8hOrXaVLsvgwi1V5o5IfOFik= X-Received: by 2002:a05:6a00:440c:b0:81e:cbb0:db14 with SMTP id d2e1a72fcca58-81f81d2c44amr2306022b3a.21.1768395671499; Wed, 14 Jan 2026 05:01:11 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([147.161.217.27]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-819ab137711sm23340853b3a.0.2026.01.14.05.01.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Jan 2026 05:01:11 -0800 (PST) 
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 03/20] python3-aiohttp: patch CVE-2025-53643 Date: Thu, 15 Jan 2026 02:00:40 +1300 Message-ID: <20260114130100.1016416-3-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123456 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-53643 Signed-off-by: Ankur Tyagi --- .../python3-aiohttp/CVE-2025-53643.patch | 189 ++++++++++++++++++ .../python/python3-aiohttp_3.9.5.bb | 4 +- 2 files changed, 192 insertions(+), 1 deletion(-) create mode 100644 meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-53643.patch diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-53643.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-53643.patch new file mode 100644 index 0000000000..99ed1ca395 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-53643.patch 
@@ -0,0 +1,189 @@ +From 2b45c0cc5f94a4aab25e80580db73c5da1152030 Mon Sep 17 00:00:00 2001 +From: Sam Bull +Date: Wed, 9 Jul 2025 19:55:22 +0100 +Subject: [PATCH] Add trailer parsing logic (#11269) (#11287) + +CVE: CVE-2025-53643 +Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a] +Signed-off-by: Ankur Tyagi +--- + aiohttp/http_parser.py | 70 ++++++++++++++++++++++-------------------- + aiohttp/multipart.py | 2 +- + 2 files changed, 38 insertions(+), 34 deletions(-) + +diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py +index 7a552458e..0a80c5c6d 100644 +--- a/aiohttp/http_parser.py ++++ b/aiohttp/http_parser.py +@@ -142,8 +142,8 @@ class HeadersParser: + # note: "raw" does not mean inclusion of OWS before/after the field value + raw_headers = [] + +- lines_idx = 1 +- line = lines[1] ++ lines_idx = 0 ++ line = lines[lines_idx] + line_count = len(lines) + + while line: +@@ -397,6 +397,7 @@ class HttpParser(abc.ABC, Generic[_MsgT]): + response_with_body=self.response_with_body, + auto_decompress=self._auto_decompress, + lax=self.lax, ++ headers_parser=self._headers_parser, + ) + if not payload_parser.done: + self._payload_parser = payload_parser +@@ -416,6 +417,7 @@ class HttpParser(abc.ABC, Generic[_MsgT]): + readall=True, + auto_decompress=self._auto_decompress, + lax=self.lax, ++ headers_parser=self._headers_parser, + ) + elif not empty_body and length is None and self.read_until_eof: + payload = StreamReader( +@@ -435,6 +437,7 @@ class HttpParser(abc.ABC, Generic[_MsgT]): + response_with_body=self.response_with_body, + auto_decompress=self._auto_decompress, + lax=self.lax, ++ headers_parser=self._headers_parser, + ) + if not payload_parser.done: + self._payload_parser = payload_parser +@@ -471,6 +474,10 @@ class HttpParser(abc.ABC, Generic[_MsgT]): + + eof = True + data = b"" ++ if isinstance( ++ underlying_exc, (InvalidHeader, TransferEncodingError) ++ ): ++ raise + + if eof: + start_pos = 0 
+@@ -635,7 +642,7 @@ class HttpRequestParser(HttpParser[RawRequestMessage]): + compression, + upgrade, + chunked, +- ) = self.parse_headers(lines) ++ ) = self.parse_headers(lines[1:]) + + if close is None: # then the headers weren't set in the request + if version_o <= HttpVersion10: # HTTP 1.0 must asks to not close +@@ -715,7 +722,7 @@ class HttpResponseParser(HttpParser[RawResponseMessage]): + compression, + upgrade, + chunked, +- ) = self.parse_headers(lines) ++ ) = self.parse_headers(lines[1:]) + + if close is None: + if version_o <= HttpVersion10: +@@ -755,6 +762,8 @@ class HttpPayloadParser: + response_with_body: bool = True, + auto_decompress: bool = True, + lax: bool = False, ++ *, ++ headers_parser: HeadersParser, + ) -> None: + self._length = 0 + self._type = ParseState.PARSE_NONE +@@ -763,6 +772,8 @@ class HttpPayloadParser: + self._chunk_tail = b"" + self._auto_decompress = auto_decompress + self._lax = lax ++ self._headers_parser = headers_parser ++ self._trailer_lines: list[bytes] = [] + self.done = False + + # payload decompression wrapper +@@ -850,7 +861,7 @@ class HttpPayloadParser: + size_b = chunk[:i] # strip chunk-extensions + # Verify no LF in the chunk-extension + if b"\n" in (ext := chunk[i:pos]): +- exc = BadHttpMessage( ++ exc = TransferEncodingError( + f"Unexpected LF in chunk-extension: {ext!r}" + ) + set_exception(self.payload, exc) +@@ -871,7 +882,7 @@ class HttpPayloadParser: + + chunk = chunk[pos + len(SEP) :] + if size == 0: # eof marker +- self._chunk = ChunkState.PARSE_MAYBE_TRAILERS ++ self._chunk = ChunkState.PARSE_TRAILERS + if self._lax and chunk.startswith(b"\r"): + chunk = chunk[1:] + else: +@@ -909,38 +920,31 @@ class HttpPayloadParser: + self._chunk_tail = chunk + return False, b"" + +- # if stream does not contain trailer, after 0\r\n +- # we should get another \r\n otherwise +- # trailers needs to be skipped until \r\n\r\n +- if self._chunk == ChunkState.PARSE_MAYBE_TRAILERS: +- head = chunk[: len(SEP)] +- if head == 
SEP: +- # end of stream +- self.payload.feed_eof() +- return True, chunk[len(SEP) :] +- # Both CR and LF, or only LF may not be received yet. It is +- # expected that CRLF or LF will be shown at the very first +- # byte next time, otherwise trailers should come. The last +- # CRLF which marks the end of response might not be +- # contained in the same TCP segment which delivered the +- # size indicator. +- if not head: +- return False, b"" +- if head == SEP[:1]: +- self._chunk_tail = head +- return False, b"" +- self._chunk = ChunkState.PARSE_TRAILERS +- +- # read and discard trailer up to the CRLF terminator + if self._chunk == ChunkState.PARSE_TRAILERS: + pos = chunk.find(SEP) +- if pos >= 0: +- chunk = chunk[pos + len(SEP) :] +- self._chunk = ChunkState.PARSE_MAYBE_TRAILERS +- else: ++ if pos < 0: # No line found + self._chunk_tail = chunk + return False, b"" + ++ line = chunk[:pos] ++ chunk = chunk[pos + len(SEP) :] ++ if SEP == b"\n": # For lax response parsing ++ line = line.rstrip(b"\r") ++ self._trailer_lines.append(line) ++ ++ # \r\n\r\n found, end of stream ++ if self._trailer_lines[-1] == b"": ++ # Headers and trailers are defined the same way, ++ # so we reuse the HeadersParser here. ++ try: ++ trailers, raw_trailers = self._headers_parser.parse_headers( ++ self._trailer_lines ++ ) ++ finally: ++ self._trailer_lines.clear() ++ self.payload.feed_eof() ++ return True, chunk ++ + # Read all bytes until eof + elif self._type == ParseState.PARSE_UNTIL_EOF: + self.payload.feed_data(chunk, len(chunk)) +diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py +index 71fc2654a..520ee539e 100644 +--- a/aiohttp/multipart.py ++++ b/aiohttp/multipart.py +@@ -723,7 +723,7 @@ class MultipartReader: + raise ValueError(f"Invalid boundary {chunk!r}, expected {self._boundary!r}") + + async def _read_headers(self) -> "CIMultiDictProxy[str]": +- lines = [b""] ++ lines = [] + while True: + chunk = await self._content.readline() + chunk = chunk.strip() 
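Review bot: The signature changes in this hunk are the main merge risk, because the recipe runs no tests. `HeadersParser.parse_headers` now expects the header lines without the request/status line (lines_idx 0, callers changed to `lines[1:]`, multipart `_read_headers` changed from `[b""]` to `[]`), and `HttpPayloadParser.__init__` gains a required keyword-only `headers_parser`; any caller or instantiation elsewhere in the 3.9.5 tree that this diff does not touch would either misparse the first line as a header or fail with TypeError, so please grep the unpacked source for other callers before merging. Related checks: the new `if isinstance(underlying_exc, (InvalidHeader, TransferEncodingError)): raise` relies on both names already being imported in http_parser.py, since the diff adds no import; and `self._trailer_lines: list[bytes] = []` evaluates `list[bytes]` at runtime, which is fine on scarthgap's Python 3.12 but would not run on 3.8. Behaviourally, trailers are now parsed with HeadersParser and the results discarded (`trailers, raw_trailers` are unused, which a linter will flag), so a malformed trailer now fails the connection instead of being skipped up to the blank line; that is the intent of the fix, and changing the LF-in-extension error from BadHttpMessage to TransferEncodingError keeps the earlier CVE-2024-52304 test valid because TransferEncodingError derives from BadHttpMessage.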
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb index ea117576bc..d3782f2d48 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.9.5.bb 
@@ -6,7 +6,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41" SRC_URI[sha256sum] = "edea7d15772ceeb29db4aff55e482d4bcfb6ae160ce144f2682de02f6d693551" -SRC_URI += "file://CVE-2024-52304.patch" +SRC_URI += "file://CVE-2024-52304.patch \ + file://CVE-2025-53643.patch \ +" PYPI_PACKAGE = "aiohttp" inherit python_setuptools_build_meta pypi From patchwork Wed Jan 14 13:00:41 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78692 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D3DA9D2A015 for ; Wed, 14 Jan 2026 13:01:24 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9430.1768395676070391817 for ; Wed, 14 Jan 2026 05:01:16 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=V27svs7M; spf=pass (domain: gmail.com, ip: 209.85.210.172, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-81f42a49437so1792001b3a.0 for ; Wed, 14 Jan 2026 05:01:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395675; x=1769000475; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=kxMNWvtbKDuvoqhKOp0Do8Vgy1AHiQLF+BmMvzbTSGA=; b=V27svs7MsRwHiPPMk6Yiu8N3pw05H1ulGB9Buc95w9Pie8Z/KtW6IWuxM5GVtNOgmi SLtXxMl8rh4iEgFIYpP5EA8NGUACoOUHpbWhUvkT4fglenq33goxJxG0uLDYQoUBDU7X Iw/TTsEl0DxcF2q02KmOdMQQpnV5DibT1duKxWYDd99NyrUJMVBdrjUHJs6/UZy+vSP4 YwXeQl2PsGZQ7ErfjAUW6D/dbt8kGG+eOW97QCa5L6ayl3iiloqbT8fAK1gTaO3CVCr9 
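Review bot: Keeping `file://CVE-2024-52304.patch` before `file://CVE-2025-53643.patch` in the multi-line SRC_URI is required, not cosmetic: the second patch's http_parser.py header reads `index 7a552458e..0a80c5c6d`, and 7a552458e is the blob produced by the first patch, so reversing the order would make the second patch fail to apply. The backslash-continued form with the closing quote on its own line follows the usual OE style and makes future CVE additions a one-line change.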
Wbz3mNa3OPkPsk28NM3AlBXebuugsJb/Gom0dlQ6SZ1TN6YJxW25/1GpPXGLIP2KYEmW KZQw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768395675; x=1769000475; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=kxMNWvtbKDuvoqhKOp0Do8Vgy1AHiQLF+BmMvzbTSGA=; b=ST+iDy5EKRJMdx8a76wZqe4ThLlSrUU+sTz54gkqdhBKuopq+fRNBwhtlR+VYufKj1 gQ2zgfDnnrmuozQ/jRZqL7+1CH8tEX5GoP58PJNhpglhaL8EQTqPu6AyDSfM9Uj0Gu7p cJrTU5EYGehuvv87V+nG6OvQYcDFU4TrxOrffpVT0u4nqiaoUU7u/vVh5UNls8//JGpE 3Gl9w9lACBKt9crX7fMSz3xLNtq2ivKVCCtS+H+gKoC4m1jAFSUQhsMkH/JaEOOKFNvX DYpfetBn1aW32FJm2XvDQwJt7So0SGk39jIisv6YZ2h0TcvBtACLWN9KsSkSW5BQmuPr k5+g== X-Gm-Message-State: AOJu0YzZE/7mevXanbjjpyzZdk4GqfHppMr3pwK2LPaBfMlUUxqx/f0w p07sOFEhTo7uQHRLbs74MinQehyOy5Ast86hexP9JYJ/EaTPWdsm1PX7B2edAQ== X-Gm-Gg: AY/fxX4S57SZZGxzfXkZshJy9hU6bgmbBuV12sIREE9DFie4CgJKMBZf68QnpquKUlP 5N53IE62MmoWeFZpIak1UVuNkfDUsDAY2Kv4ByvuZdwHa5N0bLgSmAZVykiorw4YxwsZKAjnth7 E/Dq0HdDhF0PXdj9TAsvx2+UklSinHEPLJEYrxQAc9Pc53MrAbGbo8YRelS29IAiGpDYp0tpRg8 v6tZsBMsDbJpa1IZgZGRPKnVkXMquxPUK+S6QBFsCmmGtR6srkm/rG1cYcd0kcQs50HKQ98RDu3 14zP1FcEnSdG293BiIuBioG4hVrTAvtBxOEo3dLfGOIGsJFwl7c41pIpHxWrISfWz5NtqUCwUmC hD6GaaC1fOV278aGXkwsLFbgx7Uy0nrTK8uGi3SLqArEF0Qy4vKmpjXedzSILO0PuQLJ2ZDj8Zr 9csezdRpDyIcu0uwo6U4Y3Ahc= X-Received: by 2002:a05:6a20:7f83:b0:35e:11ff:45c1 with SMTP id adf61e73a8af0-38bed0d8a1dmr2683857637.18.1768395673655; Wed, 14 Jan 2026 05:01:13 -0800 (PST) Received: from NVAPF55DW0D-IPD.. ([147.161.217.27]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-819ab137711sm23340853b3a.0.2026.01.14.05.01.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Jan 2026 05:01:13 -0800 (PST) 
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 04/20] python3-cob2: upgrade 5.6.3 -> 5.6.4 Date: Thu, 15 Jan 2026 02:00:41 +1300 Message-ID: <20260114130100.1016416-4-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123457 From: Ankur Tyagi - Fixed compilation of C extension failing on GCC 14 - Fixed compiler warnings when building C extension https://github.com/agronholm/cbor2/releases/tag/5.6.4 Signed-off-by: Ankur Tyagi --- .../python/{python3-cbor2_5.6.3.bb => python3-cbor2_5.6.4.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-cbor2_5.6.3.bb => python3-cbor2_5.6.4.bb} (88%) diff --git a/meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb b/meta-python/recipes-devtools/python/python3-cbor2_5.6.4.bb similarity index 88% rename from meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb rename to meta-python/recipes-devtools/python/python3-cbor2_5.6.4.bb index 69573064bc..f0c2964f34 100644 --- a/meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb +++ b/meta-python/recipes-devtools/python/python3-cbor2_5.6.4.bb 
@@ -4,7 +4,7 @@ DEPENDS +="python3-setuptools-scm-native" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a79e64179819c7ce293372c059f1dbd8" -SRC_URI[sha256sum] = "e6f0ae2751c2d333a960e0807c0611494eb1245631a167965acbc100509455d3" +SRC_URI[sha256sum] = "1c533c50dde86bef1c6950602054a0ffa3c376e8b0e20c7b8f5b108793f6983e" inherit pypi python_setuptools_build_meta ptest From patchwork Wed Jan 14 13:00:42 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78693 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DEFAED2A013 for ; Wed, 14 Jan 2026 13:01:24 +0000 (UTC) Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9347.1768395677317829108 for ; Wed, 14 Jan 2026 05:01:17 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ajxsx+y3; spf=pass (domain: gmail.com, ip: 209.85.210.174, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f174.google.com with SMTP id d2e1a72fcca58-81f3fba4a11so3816764b3a.1 for ; Wed, 14 Jan 2026 05:01:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395676; x=1769000476; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=FZYDFTVWGkUk64GieIWMbyyKtJpY24OPPl4aGc3F8w4=; b=ajxsx+y39iPhIXS7F97cgEPd2IOk3Uhfnw9t2HA9G3WZuQJTMpb/zq9v/XAab4hhOF fnydaUVqQDTxvoSlD62qawuI+rBYweD6wt5F0vRbyQC8gYBGgtHZmRV9cQNqW3N5H1HV GF62qW8ZSoOmYTVRoy/JRL9VuBhcmU7EtX+e1I/kgcuqn3iaaRISb7F28bK/7WzAHd0r 
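Review bot: The subject line says `python3-cob2` while the renamed files are python3-cbor2_5.6.3.bb to python3-cbor2_5.6.4.bb; please fix the typo so the commit is found by recipe name in the log. The change itself is a hash-only bump from e6f0ae27... to 1c533c50..., which, as with the aiohttp upgrade, should be checked against the published cbor2 5.6.4 sdist since the pypi fetch has no signature verification. The context line `DEPENDS +="python3-setuptools-scm-native"` is missing the space after `+=`; it is pre-existing, but worth fixing while the file is being touched.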
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 05/20] python3-cbor2: patch CVE-2025-68131 Date: Thu, 15 Jan 2026 02:00:42 +1300 Message-ID: <20260114130100.1016416-5-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123458 From: Ankur Tyagi Backport the patch[1] which fixes this vulnerability as mentioned in the comment[2]. Details: https://nvd.nist.gov/vuln/detail/CVE-2025-68131 [1] https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0 [2] https://github.com/agronholm/cbor2/pull/268#issuecomment-3719179000 Signed-off-by: Ankur Tyagi --- .../python/python3-cbor2/CVE-2025-68131.patch | 514 ++++++++++++++++++ .../python/python3-cbor2_5.6.4.bb | 1 + 2 files changed, 515 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch diff --git a/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch b/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch new file mode 100644 index 0000000000..dd1131f0d1 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cbor2/CVE-2025-68131.patch 
@@ -0,0 +1,514 @@ +From 7be0ee8272a541e291f13ed67d69b951ae42a9da Mon Sep 17 00:00:00 2001 +From: Andreas Eriksen +Date: Thu, 18 Dec 2025 16:48:26 +0100 +Subject: [PATCH] Merge commit from fork + +* track depth of recursive encode/decode, clear shared refs on start + +* test that shared refs are cleared on start + +* add fix-shared-state-reset to version history + +* clear shared state _after_ encode/decode + +* use PY_SSIZE_T_MAX to clear shareables list + +* use context manager for python decoder depth tracking + +* use context manager for python encoder depth tracking + +CVE: CVE-2025-68131 +Upstream-Status: Backport [https://github.com/agronholm/cbor2/commit/f1d701cd2c411ee40bb1fe383afe7f365f35abf0] +Signed-off-by: Ankur Tyagi +--- + cbor2/_decoder.py | 38 ++++++++++++++++++----- + cbor2/_encoder.py | 44 ++++++++++++++++++++++----- + source/decoder.c | 28 ++++++++++++++++- + source/decoder.h | 1 + + source/encoder.c | 23 ++++++++++++-- + source/encoder.h | 1 + + tests/test_decoder.py | 61 +++++++++++++++++++++++++++++++++++++ + tests/test_encoder.py | 70 +++++++++++++++++++++++++++++++++++++++++++ + 8 files changed, 249 insertions(+), 17 deletions(-) + +diff --git a/cbor2/_decoder.py b/cbor2/_decoder.py +index c8f1a8f..4aeadcf 100644 +--- a/cbor2/_decoder.py ++++ b/cbor2/_decoder.py +@@ -5,6 +5,7 @@ import struct + import sys + from codecs import getincrementaldecoder + from collections.abc import Callable, Mapping, Sequence ++from contextlib import contextmanager + from datetime import date, datetime, timedelta, timezone + from io import BytesIO + from typing import IO, TYPE_CHECKING, Any, TypeVar, cast, overload +@@ -59,6 +60,7 @@ class CBORDecoder: + "_immutable", + "_str_errors", + "_stringref_namespace", ++ "_decode_depth", + ) + + _fp: IO[bytes] +@@ -100,6 +102,7 @@ class CBORDecoder: + self._shareables: list[object] = [] + self._stringref_namespace: list[str | bytes] | None = None + self._immutable = False ++ self._decode_depth = 0 + + @property + def 
immutable(self) -> bool: +@@ -225,13 +228,33 @@ class CBORDecoder: + if unshared: + self._share_index = old_index + ++ @contextmanager ++ def _decoding_context(self): ++ """ ++ Context manager for tracking decode depth and clearing shared state. ++ ++ Shared state is cleared at the end of each top-level decode to prevent ++ shared references from leaking between independent decode operations. ++ Nested calls (from hooks) must preserve the state. ++ """ ++ self._decode_depth += 1 ++ try: ++ yield ++ finally: ++ self._decode_depth -= 1 ++ assert self._decode_depth >= 0 ++ if self._decode_depth == 0: ++ self._shareables.clear() ++ self._share_index = None ++ + def decode(self) -> object: + """ + Decode the next value from the stream. + + :raises CBORDecodeError: if there is any problem decoding the stream + """ +- return self._decode() ++ with self._decoding_context(): ++ return self._decode() + + def decode_from_bytes(self, buf: bytes) -> object: + """ +@@ -242,12 +265,13 @@ class CBORDecoder: + object needs to be decoded separately from the rest but while still + taking advantage of the shared value registry. + """ +- with BytesIO(buf) as fp: +- old_fp = self.fp +- self.fp = fp +- retval = self._decode() +- self.fp = old_fp +- return retval ++ with self._decoding_context(): ++ with BytesIO(buf) as fp: ++ old_fp = self.fp ++ self.fp = fp ++ retval = self._decode() ++ self.fp = old_fp ++ return retval + + @overload + def _decode_length(self, subtype: int) -> int: ... 
+diff --git a/cbor2/_encoder.py b/cbor2/_encoder.py +index 699c656..a653026 100644 +--- a/cbor2/_encoder.py ++++ b/cbor2/_encoder.py +@@ -123,6 +123,7 @@ class CBOREncoder: + "string_referencing", + "string_namespacing", + "_string_references", ++ "_encode_depth", + ) + + _fp: IO[bytes] +@@ -183,6 +184,7 @@ class CBOREncoder: + int, tuple[object, int | None] + ] = {} # indexes used for value sharing + self._string_references: dict[str | bytes, int] = {} # indexes used for string references ++ self._encode_depth = 0 + self._encoders = default_encoders.copy() + if canonical: + self._encoders.update(canonical_encoders) +@@ -298,6 +300,24 @@ class CBOREncoder: + """ + self._fp_write(data) + ++ @contextmanager ++ def _encoding_context(self): ++ """ ++ Context manager for tracking encode depth and clearing shared state. ++ ++ Shared state is cleared at the end of each top-level encode to prevent ++ shared references from leaking between independent encode operations. ++ Nested calls (from hooks) must preserve the state. ++ """ ++ self._encode_depth += 1 ++ try: ++ yield ++ finally: ++ self._encode_depth -= 1 ++ if self._encode_depth == 0: ++ self._shared_containers.clear() ++ self._string_references.clear() ++ + def encode(self, obj: Any) -> None: + """ + Encode the given object using CBOR. +@@ -305,6 +325,16 @@ class CBOREncoder: + :param obj: + the object to encode + """ ++ with self._encoding_context(): ++ self._encode_value(obj) ++ ++ def _encode_value(self, obj: Any) -> None: ++ """ ++ Internal fast path for encoding - used by built-in encoders. ++ ++ External code should use encode() instead, which properly manages ++ shared state between independent encode operations. 
++ """ + obj_type = obj.__class__ + encoder = self._encoders.get(obj_type) or self._find_encoder(obj_type) or self._default + if not encoder: +@@ -448,14 +478,14 @@ class CBOREncoder: + def encode_array(self, value: Sequence[Any]) -> None: + self.encode_length(4, len(value)) + for item in value: +- self.encode(item) ++ self._encode_value(item) + + @container_encoder + def encode_map(self, value: Mapping[Any, Any]) -> None: + self.encode_length(5, len(value)) + for key, val in value.items(): +- self.encode(key) +- self.encode(val) ++ self._encode_value(key) ++ self._encode_value(val) + + def encode_sortable_key(self, value: Any) -> tuple[int, bytes]: + """ +@@ -477,10 +507,10 @@ class CBOREncoder: + # String referencing requires that the order encoded is + # the same as the order emitted so string references are + # generated after an order is determined +- self.encode(realkey) ++ self._encode_value(realkey) + else: + self._fp_write(sortkey[1]) +- self.encode(value) ++ self._encode_value(value) + + def encode_semantic(self, value: CBORTag) -> None: + # Nested string reference domains are distinct +@@ -491,7 +521,7 @@ class CBOREncoder: + self._string_references = {} + + self.encode_length(6, value.tag) +- self.encode(value.value) ++ self._encode_value(value.value) + + self.string_referencing = old_string_referencing + self._string_references = old_string_references +@@ -554,7 +584,7 @@ class CBOREncoder: + def encode_stringref(self, value: str | bytes) -> None: + # Semantic tag 25 + if not self._stringref(value): +- self.encode(value) ++ self._encode_value(value) + + def encode_rational(self, value: Fraction) -> None: + # Semantic tag 30 +diff --git a/source/decoder.c b/source/decoder.c +index fd4d70c..033b73f 100644 +--- a/source/decoder.c ++++ b/source/decoder.c +@@ -142,6 +142,7 @@ CBORDecoder_new(PyTypeObject *type, PyObject *args, PyObject *kwargs) + self->str_errors = PyBytes_FromString("strict"); + self->immutable = false; + self->shared_index = -1; ++ 
self->decode_depth = 0; + } + return (PyObject *) self; + error: +@@ -2052,11 +2053,30 @@ decode(CBORDecoderObject *self, DecodeOptions options) + } + + ++// Reset shared state at the end of each top-level decode to prevent ++// shared references from leaking between independent decode operations. ++// Nested calls (from hooks) must preserve the state. ++static inline void ++clear_shareable_state(CBORDecoderObject *self) ++{ ++ PyList_SetSlice(self->shareables, 0, PY_SSIZE_T_MAX, NULL); ++ self->shared_index = -1; ++} ++ ++ + // CBORDecoder.decode(self) -> obj + PyObject * + CBORDecoder_decode(CBORDecoderObject *self) + { +- return decode(self, DECODE_NORMAL); ++ PyObject *ret; ++ self->decode_depth++; ++ ret = decode(self, DECODE_NORMAL); ++ self->decode_depth--; ++ assert(self->decode_depth >= 0); ++ if (self->decode_depth == 0) { ++ clear_shareable_state(self); ++ } ++ return ret; + } + + +@@ -2069,6 +2089,7 @@ CBORDecoder_decode_from_bytes(CBORDecoderObject *self, PyObject *data) + if (!_CBOR2_BytesIO && _CBOR2_init_BytesIO() == -1) + return NULL; + ++ self->decode_depth++; + save_read = self->read; + buf = PyObject_CallFunctionObjArgs(_CBOR2_BytesIO, data, NULL); + if (buf) { +@@ -2080,6 +2101,11 @@ CBORDecoder_decode_from_bytes(CBORDecoderObject *self, PyObject *data) + Py_DECREF(buf); + } + self->read = save_read; ++ self->decode_depth--; ++ assert(self->decode_depth >= 0); ++ if (self->decode_depth == 0) { ++ clear_shareable_state(self); ++ } + return ret; + } + +diff --git a/source/decoder.h b/source/decoder.h +index 6bb6d52..a2f1bcb 100644 +--- a/source/decoder.h ++++ b/source/decoder.h +@@ -13,6 +13,7 @@ typedef struct { + PyObject *str_errors; + bool immutable; + Py_ssize_t shared_index; ++ Py_ssize_t decode_depth; + } CBORDecoderObject; + + extern PyTypeObject CBORDecoderType; +diff --git a/source/encoder.c b/source/encoder.c +index a0670aa..a7738a0 100644 +--- a/source/encoder.c ++++ b/source/encoder.c +@@ -113,6 +113,7 @@ CBOREncoder_new(PyTypeObject 
*type, PyObject *args, PyObject *kwargs) + self->shared_handler = NULL; + self->string_referencing = false; + self->string_namespacing = false; ++ self->encode_depth = 0; + } + return (PyObject *) self; + } +@@ -2027,17 +2028,35 @@ encode(CBOREncoderObject *self, PyObject *value) + } + + ++// Reset shared state at the end of each top-level encode to prevent ++// shared references from leaking between independent encode operations. ++// Nested calls (from hooks or recursive encoding) must preserve the state. ++static inline void ++clear_shared_state(CBOREncoderObject *self) ++{ ++ PyDict_Clear(self->shared); ++ PyDict_Clear(self->string_references); ++} ++ ++ + // CBOREncoder.encode(self, value) + PyObject * + CBOREncoder_encode(CBOREncoderObject *self, PyObject *value) + { + PyObject *ret; + +- // TODO reset shared dict? +- if (Py_EnterRecursiveCall(" in CBOREncoder.encode")) ++ self->encode_depth++; ++ if (Py_EnterRecursiveCall(" in CBOREncoder.encode")) { ++ self->encode_depth--; + return NULL; ++ } + ret = encode(self, value); + Py_LeaveRecursiveCall(); ++ self->encode_depth--; ++ assert(self->encode_depth >= 0); ++ if (self->encode_depth == 0) { ++ clear_shared_state(self); ++ } + return ret; + } + +diff --git a/source/encoder.h b/source/encoder.h +index 8b2d696..0dcc46d 100644 +--- a/source/encoder.h ++++ b/source/encoder.h +@@ -24,6 +24,7 @@ typedef struct { + bool value_sharing; + bool string_referencing; + bool string_namespacing; ++ Py_ssize_t encode_depth; + } CBOREncoderObject; + + extern PyTypeObject CBOREncoderType; +diff --git a/tests/test_decoder.py b/tests/test_decoder.py +index 485c604..253d079 100644 +--- a/tests/test_decoder.py ++++ b/tests/test_decoder.py +@@ -961,3 +961,64 @@ def test_oversized_read(impl, payload: bytes, tmp_path: Path) -> None: + dummy_path.write_bytes(payload) + with dummy_path.open("rb") as f: + impl.load(f) ++ ++class TestDecoderReuse: ++ """ ++ Tests for correct behavior when reusing CBORDecoder instances. 
++ """ ++ ++ def test_decoder_reuse_resets_shared_refs(self, impl): ++ """ ++ Shared references should be scoped to a single decode operation, ++ not persist across multiple decodes on the same decoder instance. ++ """ ++ # Message with shareable tag (28) ++ msg1 = impl.dumps(impl.CBORTag(28, "first_value")) ++ ++ # Message with sharedref tag (29) referencing index 0 ++ msg2 = impl.dumps(impl.CBORTag(29, 0)) ++ ++ # Reuse decoder across messages ++ decoder = impl.CBORDecoder(BytesIO(msg1)) ++ result1 = decoder.decode() ++ assert result1 == "first_value" ++ ++ # Second decode should fail - sharedref(0) doesn't exist in this context ++ decoder.fp = BytesIO(msg2) ++ with pytest.raises(impl.CBORDecodeValueError, match="shared reference"): ++ decoder.decode() ++ ++ def test_decode_from_bytes_resets_shared_refs(self, impl): ++ """ ++ decode_from_bytes should also reset shared references between calls. ++ """ ++ msg1 = impl.dumps(impl.CBORTag(28, "value")) ++ msg2 = impl.dumps(impl.CBORTag(29, 0)) ++ ++ decoder = impl.CBORDecoder(BytesIO(b"")) ++ decoder.decode_from_bytes(msg1) ++ ++ with pytest.raises(impl.CBORDecodeValueError, match="shared reference"): ++ decoder.decode_from_bytes(msg2) ++ ++ def test_shared_refs_within_single_decode(self, impl): ++ """ ++ Shared references must work correctly within a single decode operation. ++ ++ Note: This tests non-cyclic sibling references [shareable(x), sharedref(0)], ++ which is a different pattern from test_cyclic_array/test_cyclic_map that ++ test self-referencing structures like shareable([sharedref(0)]). 
++ """ ++ # [shareable("hello"), sharedref(0)] -> ["hello", "hello"] ++ data = unhexlify( ++ "82" # array(2) ++ "d81c" # tag(28) shareable ++ "65" # text(5) ++ "68656c6c6f" # "hello" ++ "d81d" # tag(29) sharedref ++ "00" # unsigned(0) ++ ) ++ ++ result = impl.loads(data) ++ assert result == ["hello", "hello"] ++ assert result[0] is result[1] # Same object reference +\ No newline at end of file +diff --git a/tests/test_encoder.py b/tests/test_encoder.py +index f2ef248..3ca6a95 100644 +--- a/tests/test_encoder.py ++++ b/tests/test_encoder.py +@@ -654,3 +654,73 @@ def test_invariant_encode_decode(impl, val): + undergoing an encode and decode) + """ + assert impl.loads(impl.dumps(val)) == val ++ ++ ++class TestEncoderReuse: ++ """ ++ Tests for correct behavior when reusing CBOREncoder instances. ++ """ ++ ++ def test_encoder_reuse_resets_shared_containers(self, impl): ++ """ ++ Shared container tracking should be scoped to a single encode operation, ++ not persist across multiple encodes on the same encoder instance. ++ """ ++ fp = BytesIO() ++ encoder = impl.CBOREncoder(fp, value_sharing=True) ++ shared_obj = ["hello"] ++ ++ # First encode: object is tracked in shared containers ++ encoder.encode([shared_obj, shared_obj]) ++ ++ # Second encode on new fp: should produce valid standalone CBOR ++ # (not a sharedref pointing to stale first-encode data) ++ encoder.fp = BytesIO() ++ encoder.encode(shared_obj) ++ second_output = encoder.fp.getvalue() ++ ++ # The second output must be decodable on its own ++ result = impl.loads(second_output) ++ assert result == ["hello"] ++ ++ def test_encode_to_bytes_resets_shared_containers(self, impl): ++ """ ++ encode_to_bytes should also reset shared container tracking between calls. 
++ """ ++ fp = BytesIO() ++ encoder = impl.CBOREncoder(fp, value_sharing=True) ++ shared_obj = ["hello"] ++ ++ # First encode ++ encoder.encode_to_bytes([shared_obj, shared_obj]) ++ ++ # Second encode should produce valid standalone CBOR ++ result_bytes = encoder.encode_to_bytes(shared_obj) ++ result = impl.loads(result_bytes) ++ assert result == ["hello"] ++ ++ def test_encoder_hook_does_not_reset_state(self, impl): ++ """ ++ When a custom encoder hook calls encode(), the shared container ++ tracking should be preserved (not reset mid-operation). ++ """ ++ ++ class Custom: ++ def __init__(self, value): ++ self.value = value ++ ++ def custom_encoder(encoder, obj): ++ # Hook encodes the wrapped value ++ encoder.encode(obj.value) ++ ++ # Encode a Custom wrapping a list ++ data = impl.dumps(Custom(["a", "b"]), default=custom_encoder) ++ ++ # Verify the output decodes correctly ++ result = impl.loads(data) ++ assert result == ["a", "b"] ++ ++ # Test nested Custom objects - hook should work recursively ++ data2 = impl.dumps(Custom(Custom(["x"])), default=custom_encoder) ++ result2 = impl.loads(data2) ++ assert result2 == ["x"] +\ No newline at end of file diff --git a/meta-python/recipes-devtools/python/python3-cbor2_5.6.4.bb b/meta-python/recipes-devtools/python/python3-cbor2_5.6.4.bb index f0c2964f34..0c2a4588ef 100644 --- a/meta-python/recipes-devtools/python/python3-cbor2_5.6.4.bb +++ b/meta-python/recipes-devtools/python/python3-cbor2_5.6.4.bb 
@@ -12,6 +12,7 @@ DEPENDS += "python3-setuptools-scm-native" SRC_URI += " \ file://run-ptest \ + file://CVE-2025-68131.patch \ " RDEPENDS:${PN}-ptest += " \ From patchwork Wed Jan 14 13:00:43 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78695 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id DEFDFD2A01C for ; Wed, 14 Jan 2026 13:01:24 +0000 (UTC) Received: from mail-pf1-f171.google.com (mail-pf1-f171.google.com [209.85.210.171]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9348.1768395679476381511 for ; Wed, 14 Jan 2026 05:01:19 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=UQaVQfX9; spf=pass (domain: gmail.com, ip: 209.85.210.171, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f171.google.com with SMTP id d2e1a72fcca58-81f4f4d4822so1601823b3a.3 for ; Wed, 14 Jan 2026 05:01:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395679; x=1769000479; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=6Cj/5ItRAF0+iPmS0aHIRx9XOxKJJ5ZbXk2WFbri2TE=; b=UQaVQfX9+iTj0W3j/Y1jf/VnZuQ4TOlPIoiZc3mbcnrZfH/c19ZSvhiqzSVF/8XyE1 OO7nEEMhIfM6jbdTW0MmHNeMWm8reiahvASVKeVR82WieH8zguLW5ksjb9ZvtyUJYTZi UwUGoBHy5dRuH2u04oH+1VAqyz101WsbYk7z7P6zL0p46EcAaT5ZrJU5C6ys6fC5Y51T psKZb13mMQsRAZPnfP99mU0LJMGWeDeHsK7SIdUKn3CqKULORSYn2yg68yfObSaJFtvL 8+AxurtH9XZif5wyG55zDhgjpdTolxNhLTwKU4vYjn5pavcDs5BCPo3cKj5P7DN9wwpI vizA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768395679; x=1769000479; 
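Review bot: in the rewritten `decode_from_bytes` hunk of cbor2/_decoder.py the file-pointer swap is still not exception-safe: if `self._decode()` raises, `self.fp = old_fp` is skipped and the decoder is left pointing at the closed BytesIO, so a reused decoder fails on the next call. Since these lines are being touched anyway, wrapping the swap in `try:` / `finally: self.fp = old_fp`, mirroring how `_decoding_context` uses `finally` for the depth counter, would make reuse after a decode error safe.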
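Review bot: in the source/decoder.c hunk `clear_shareable_state` discards the return value of `PyList_SetSlice(self->shareables, 0, PY_SSIZE_T_MAX, NULL)`, which returns -1 on failure, and the `decode_depth >= 0` / `encode_depth >= 0` checks in both the C and Python paths are `assert`s that disappear in release or `-O` builds. Consider checking the `PyList_SetSlice` result, and if the depth invariant is part of the fix, enforce it with a real check rather than an assert.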
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 06/20] python3-configobj: patch CVE-2023-26112 Date: Thu, 15 Jan 2026 02:00:43 +1300 Message-ID: <20260114130100.1016416-6-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123459 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2023-26112 Signed-off-by: Ankur Tyagi --- .../python3-configobj/CVE-2023-26112.patch | 25 +++++++++++++++++++ .../python/python3-configobj_5.0.8.bb | 2 ++ 2 files changed, 27 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch diff --git a/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch b/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch new file mode 100644 index 0000000000..f9bdcd31b0 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-configobj/CVE-2023-26112.patch 
@@ -0,0 +1,25 @@ +From dd9cf3579d90d1f8c6d06f293cd0958be5ca5518 Mon Sep 17 00:00:00 2001 +From: cdcadman +Date: Wed, 17 May 2023 03:57:08 -0700 +Subject: [PATCH] Address CVE-2023-26112 ReDoS + +CVE: CVE-2023-26112 +Upstream-Status: Backport [https://github.com/DiffSK/configobj/commit/a82ea8fb0338f2bd46cf627c4b763094448e6bd7] +Signed-off-by: Ankur Tyagi +--- + src/configobj/validate.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/configobj/validate.py b/src/configobj/validate.py +index 9267a3f..98d879f 100644 +--- a/src/configobj/validate.py ++++ b/src/configobj/validate.py +@@ -541,7 +541,7 @@ class Validator(object): + """ + + # this regex does the initial parsing of the checks +- _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL) ++ _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL) + + # this regex takes apart keyword arguments + _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$', re.DOTALL) diff --git a/meta-python/recipes-devtools/python/python3-configobj_5.0.8.bb b/meta-python/recipes-devtools/python/python3-configobj_5.0.8.bb index 8dc706fdfd..2f0d1e7203 100644 --- a/meta-python/recipes-devtools/python/python3-configobj_5.0.8.bb +++ b/meta-python/recipes-devtools/python/python3-configobj_5.0.8.bb 
@@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3d6f99b84d9a94610c62e48fa2e59e72" PYPI_PACKAGE = "configobj" SRC_URI[sha256sum] = "6f704434a07dc4f4dc7c9a745172c1cad449feb548febd9f7fe362629c627a97" +SRC_URI += "file://CVE-2023-26112.patch" + inherit pypi setuptools3 RDEPENDS:${PN} += " \ From patchwork Wed Jan 14 13:00:44 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78694 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EC895D2A01E for ; Wed, 14 Jan 2026 13:01:24 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9432.1768395683031172283 for ; Wed, 14 Jan 2026 05:01:23 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Ao+ZKGD5; spf=pass (domain: gmail.com, ip: 209.85.210.172, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-81e98a1f55eso2495982b3a.3 for ; Wed, 14 Jan 2026 05:01:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395682; x=1769000482; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=m91cFtlZeWmoe9cf6fmEzVxtY0HGYpJsWmxwoyidTBs=; b=Ao+ZKGD5gX4o26EPxBMQn//5LiAEopyrgVgAErA0dMAEqfA3nB2jYeyEcnJNJN7fdM wYWr0H24hCtTWU9mFSFZMfK6G2Whijrhnq6myPMAM2Uz3F1DTIBFYBsnX4a5SgB99Bmn iouvSsn32R0tKvjqyotlRw3GyLPnnDuSWoXiNnvQrzBdPP5FFOTT35m750d5Urm+9w83 jJL1xyTNVujhv+Anm2IA8R7wmrND5iIjxvW9Ts/Axbe5+10sKtzJ+EAodj5GJsuVOAom FSszeFyYMxhnf6Ab8ZgNWmoA2Qu8hCjBgNhYz/Mq/A6VFaskWIqSBgdodAfCtwS97WSo 
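Review bot: the commit message for this backport carries only the NVD link; one sentence on what the single-line change does would help later readers of the scarthgap history. In the validate.py hunk the function-name group changes from `(.+?)` to `([^\(\)]+?)`, so the lazy match can no longer backtrack across parentheses inside a check string, which is what bounds the regex's runtime on hostile input. The escapes inside the character class are unnecessary (`[^()]` is equivalent) but harmless in a backport that should stay identical to upstream.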
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 07/20] python3-eventlet: patch CVE-2025-58068 Date: Thu, 15 Jan 2026 02:00:44 +1300 Message-ID: <20260114130100.1016416-7-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123460 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-58068 Signed-off-by: Ankur Tyagi --- .../python3-eventlet/CVE-2025-58068.patch | 42 +++++++++++++++++++ .../python/python3-eventlet_0.36.1.bb | 2 + 2 files changed, 44 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch diff --git a/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch b/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch new file mode 100644 index 0000000000..45dda012b6 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-eventlet/CVE-2025-58068.patch 
@@ -0,0 +1,42 @@ +From 2353500dc28eab63b47930851c75e9268a69ef1e Mon Sep 17 00:00:00 2001 +From: sebsrt +Date: Mon, 11 Aug 2025 11:46:28 +0200 +Subject: [PATCH] [SECURITY] Fix request smuggling vulnerability by discarding + trailers (#1062) + +The WSGI parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. This patch fix that by discarding trailers. + +CVE: CVE-2025-58068 +Upstream-Status: Backport [https://github.com/eventlet/eventlet/commit/0bfebd1117d392559e25b4bfbfcc941754de88fb] +(cherry picked from commit 0bfebd1117d392559e25b4bfbfcc941754de88fb) +Signed-off-by: Ankur Tyagi +--- + eventlet/wsgi.py | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/eventlet/wsgi.py b/eventlet/wsgi.py +index 3b530b18..28ad2666 100644 +--- a/eventlet/wsgi.py ++++ b/eventlet/wsgi.py +@@ -153,6 +153,12 @@ class Input: + read = b'' + self.position += len(read) + return read ++ ++ def _discard_trailers(self, rfile): ++ while True: ++ line = rfile.readline() ++ if not line or line in (b'\r\n', b'\n', b''): ++ break + + def _chunked_read(self, rfile, length=None, use_readline=False): + if self.should_send_hundred_continue: +@@ -203,7 +209,7 @@ class Input: + raise ChunkReadError(err) + self.position = 0 + if self.chunk_length == 0: +- rfile.readline() ++ self._discard_trailers(rfile) + except greenio.SSL.ZeroReturnError: + pass + return b''.join(response) diff --git a/meta-python/recipes-devtools/python/python3-eventlet_0.36.1.bb b/meta-python/recipes-devtools/python/python3-eventlet_0.36.1.bb index f70099ab94..72032c756c 100644 --- a/meta-python/recipes-devtools/python/python3-eventlet_0.36.1.bb +++ b/meta-python/recipes-devtools/python/python3-eventlet_0.36.1.bb 
@@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=56472ad6de4caf50e05332a34b66e778" SRC_URI[sha256sum] = "d227fe76a63d9e6a6cef53beb8ad0b2dc40a5e7737c801f4b474cfae1db07bc5" +SRC_URI += "file://CVE-2025-58068.patch" + inherit pypi setuptools3 RDEPENDS:${PN} += " \ From patchwork Wed Jan 14 13:00:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78696 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7153D2A01E for ; Wed, 14 Jan 2026 13:01:34 +0000 (UTC) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9435.1768395685180954730 for ; Wed, 14 Jan 2026 05:01:25 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=a2IIbotl; spf=pass (domain: gmail.com, ip: 209.85.210.170, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-81f4a1a3181so1642694b3a.3 for ; Wed, 14 Jan 2026 05:01:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395684; x=1769000484; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=M1VYO7akak8KjYTxCSvWHshUw4cj2PYUkaRYxD1QlL4=; b=a2IIbotlv0wm3T/uKMUC7lPXm34ypHyjuUtd3ahNyECqEJ4zAU86JxCexl7sPTjpw5 ojLi7M1kcQppa01niaSnJBWx/Yz7YzsZv0rVFBiDccSfhN+AHFShLpd8p6wR72hcrglX NGA2FTvAWQhewnUcyyixAip66lMMbAcE1SS7SzSO1oE1WrySAwtV0JPNyYBsvgVwctgE /5TpH2gyf/EdKCSTnNpXuThV8bgcZm+HCT+ZTFwGK7VE09SjL7/oXQZrggF+L3JIo3Vw fQzTL01ZaHQMsLCpVBIPnu75zL2BxkWiftIuyIszfaC5P66w70znhMG2g0oWgRidR8AO OXUQ== 
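Review bot: In the CVE-2025-58068.patch hunk for eventlet/wsgi.py, the new _discard_trailers() loop puts no bound on how many trailer lines it will read and drop, so a client can keep a worker busy with an arbitrarily long trailer section after the zero-length chunk; consider capping the number of lines (or total bytes) consumed and raising ChunkReadError, which the surrounding code already uses, when the cap is exceeded. Minor: in `if not line or line in (b'\r\n', b'\n', b''):` the `b''` member is already covered by `not line`. The CVE, Upstream-Status and cherry-pick tags are all present, so the header side of the backport is fine.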
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 08/20] python3-ldap: set CVE_PRODUCT Date: Thu, 15 Jan 2026 02:00:45 +1300 Message-ID: <20260114130100.1016416-8-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123461 From: Gyorgy Sarvari The relevant CVEs are tracked with python-ldap:python-ldap CPE, not python:python-ldap. See CVE db query: sqlite> select * from products where PRODUCT like '%python-ldap%'; CVE-2021-46823|python-ldap|python-ldap|||3.4.0|< CVE-2025-61911|python-ldap|python-ldap|||3.4.5|< CVE-2025-61912|python-ldap|python-ldap|||3.4.5|< Set the CVE_PRODUCT accordingly Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit bd77eb699214a27130712c78bd2a0961aa5fc26b) Signed-off-by: Ankur Tyagi --- meta-python/recipes-networking/python/python3-ldap_3.4.4.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-python/recipes-networking/python/python3-ldap_3.4.4.bb b/meta-python/recipes-networking/python/python3-ldap_3.4.4.bb index 6caf5f37ce..57a5b8dbe1 100644 --- a/meta-python/recipes-networking/python/python3-ldap_3.4.4.bb +++ b/meta-python/recipes-networking/python/python3-ldap_3.4.4.bb 
@@ -28,3 +28,5 @@ RDEPENDS:${PN} = " \ python3-threading \ python3-unittest \ " + +CVE_PRODUCT = "python-ldap" From patchwork Wed Jan 14 13:00:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78697 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E70F7D2A01D for ; Wed, 14 Jan 2026 13:01:34 +0000 (UTC) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9438.1768395689267341766 for ; Wed, 14 Jan 2026 05:01:29 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=d0QxCVn+; spf=pass (domain: gmail.com, ip: 209.85.210.170, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-7b22ffa2a88so4172654b3a.1 for ; Wed, 14 Jan 2026 05:01:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395688; x=1769000488; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=bkKRuEZ/EyAtsT4F72NgRdDRae8kV4krNQwDghSHDAQ=; b=d0QxCVn+VbzZZKoImPuWEQEz51OOp4jdDRa/buo5IsEcXtEoxC0hgRiaFuJ+1YiBbv S5f1SSbBW7Kyujtr/MsIG2+9xG4IeduU2sW/Yt3gDwKOJ38uGV3cU8CGagH2R3MZ3W5+ FU42r8scxmjVa8ptGQA418AvOY9kiT7tzsvwHa4vHTYPW4PVNxYDZa27+fXkO0hpz6nY TxSsSJiIMNuPKNGD7dQ10rVXzXIWoJIIify9hPT56D0Nm0W1HAnIqVnzWIjDkiLpRi+p b2N753EByo0MBNJYqsJ/ov05d/a4t4IEjnXFBgd5MbH8Yq4aTZAvpCnXntrvJ2e5TFi0 IOPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768395688; x=1769000488; h=content-transfer-encoding:mime-version:references:in-reply-to 
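Review bot: The commit message says the CVEs are tracked under the python-ldap:python-ldap CPE, i.e. vendor python-ldap, but the hunk sets only the product half: `CVE_PRODUCT = "python-ldap"`. cve-check accepts the vendor-qualified form, so `CVE_PRODUCT = "python-ldap:python-ldap"` would match exactly the CPE the message names and would not pick up a same-named product from another vendor if one is ever added to the database.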
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Gyorgy Sarvari , Khem Raj , Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 09/20] python3-ldap: upgrade 3.4.4 -> 3.4.5 Date: Thu, 15 Jan 2026 02:00:46 +1300 Message-ID: <20260114130100.1016416-9-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123462 From: Gyorgy Sarvari Contains fixes for CVE-2025-61911 and CVE-2025-61912 Changelog: Security fixes: - CVE-2025-61911 (GHSA-r7r6-cc7p-4v5m): Enforce str input in ldap.filter.escape_filter_chars with escape_mode=1; ensure proper escaping. - CVE-2025-61912 (GHSA-p34h-wq7j-h5v6): Correct NUL escaping in ldap.dn.escape_dn_chars to \00 per RFC 4514. Fixes: - ReconnectLDAPObject now properly reconnects on UNAVAILABLE, CONNECT_ERROR and TIMEOUT exceptions (previously only SERVER_DOWN), fixing reconnection issues especially during server restarts - Fixed syncrepl.py to use named constants instead of raw decimal values for result types - Fixed error handling in SearchNoOpMixIn to prevent a undefined variable error Tests: - Added comprehensive reconnection test cases including concurrent operation handling and server restart scenarios Doc: - Updated installation docs and fixed various documentation typos - Added ReadTheDocs configuration file Infrastructure: - Add testing and document support for Python 3.13 Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj (cherry picked from commit 9eabbca90565e4ae790bedeef9a91df1878c6f93) 
Signed-off-by: Ankur Tyagi --- .../{python3-ldap_3.4.4.bb => python3-ldap_3.4.5.bb} | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) rename meta-python/recipes-networking/python/{python3-ldap_3.4.4.bb => python3-ldap_3.4.5.bb} (77%) diff --git a/meta-python/recipes-networking/python/python3-ldap_3.4.4.bb b/meta-python/recipes-networking/python/python3-ldap_3.4.5.bb similarity index 77% rename from meta-python/recipes-networking/python/python3-ldap_3.4.4.bb rename to meta-python/recipes-networking/python/python3-ldap_3.4.5.bb index 57a5b8dbe1..bbec490c23 100644 --- a/meta-python/recipes-networking/python/python3-ldap_3.4.4.bb +++ b/meta-python/recipes-networking/python/python3-ldap_3.4.5.bb 
@@ -7,13 +7,13 @@ HOMEPAGE = "http://www.python-ldap.org/" LICENSE = "PSF-2.0" LIC_FILES_CHKSUM = "file://LICENCE;md5=36ce9d726d0321b73c1521704d07db1b" -DEPENDS = "python3 openldap cyrus-sasl" +DEPENDS = "python3 openldap cyrus-sasl python3-setuptools-scm-native" -PYPI_PACKAGE = "python-ldap" +PYPI_PACKAGE = "python_ldap" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta -SRC_URI[sha256sum] = "7edb0accec4e037797705f3a05cbf36a9fde50d08c8f67f2aef99a2628fab828" +SRC_URI[sha256sum] = "b2f6ef1c37fe2c6a5a85212efe71311ee21847766a7d45fcb711f3b270a5f79a" do_configure:prepend() { sed -i -e 's:^library_dirs =.*::' \ From patchwork Wed Jan 14 13:00:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78699 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 007DDD2A01F for ; Wed, 14 Jan 2026 13:01:35 +0000 (UTC) Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9354.1768395690279493738 for ; Wed, 14 Jan 2026 05:01:30 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=WxhAhnw6; spf=pass (domain: gmail.com, ip: 209.85.210.181, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-81e8a9d521dso2767877b3a.2 for ; Wed, 14 Jan 2026 05:01:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395689; x=1769000489; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=TTkH+MnqmYa3zd2DGQdpKHSmKqcbF1PUL0GsezUwnys=; 
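Review bot: The recipe hunk changes more than the version: it switches the backend from `inherit pypi setuptools3` to `inherit pypi python_setuptools_build_meta`, adds python3-setuptools-scm-native to DEPENDS and renames PYPI_PACKAGE from python-ldap to python_ldap, yet the commit message is the upstream changelog only and says nothing about the recipe side. A sentence noting that 3.4.5 presumably ships a setuptools-scm based PEP 517 build with a normalised sdist name would help whoever next touches this recipe on scarthgap. It is also worth stating explicitly that because PV moves to 3.4.5 no CVE_STATUS entries are needed for CVE-2025-61911 and CVE-2025-61912.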
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 10/20] python3-marshmallow: upgrade 3.21.1 -> 3.21.3 Date: Thu, 15 Jan 2026 02:00:47 +1300 Message-ID: <20260114130100.1016416-10-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123463 From: Ankur Tyagi 3.21.3 (2024-06-05) Bug fixes: - Fix memory leak that prevented schema instances from getting GC'd. 3.21.2 (2024-05-01) Bug fixes: - Allow timestamp 0 in fields.DateTime. https://github.com/marshmallow-code/marshmallow/blob/3.21.3/CHANGELOG.rst Signed-off-by: Ankur Tyagi --- ...hon3-marshmallow_3.21.1.bb => python3-marshmallow_3.21.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-marshmallow_3.21.1.bb => python3-marshmallow_3.21.3.bb} (92%) diff --git a/meta-python/recipes-devtools/python/python3-marshmallow_3.21.1.bb b/meta-python/recipes-devtools/python/python3-marshmallow_3.21.3.bb similarity index 92% rename from meta-python/recipes-devtools/python/python3-marshmallow_3.21.1.bb rename to meta-python/recipes-devtools/python/python3-marshmallow_3.21.3.bb index bf1d8dd290..9c29c810d4 100644 --- a/meta-python/recipes-devtools/python/python3-marshmallow_3.21.1.bb +++ b/meta-python/recipes-devtools/python/python3-marshmallow_3.21.3.bb 
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "\ file://LICENSE;md5=27586b20700d7544c06933afe56f7df4 \ file://docs/license.rst;md5=13da439ad060419fb7cf364523017cfb" -SRC_URI[sha256sum] = "4e65e9e0d80fc9e609574b9983cf32579f305c718afb30d7233ab818571768c3" +SRC_URI[sha256sum] = "4f57c5e050a54d66361e826f94fba213eb10b67b2fdb02c3e0343ce207ba1662" inherit python_flit_core pypi ptest From patchwork Wed Jan 14 13:00:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78698 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D242D31A38 for ; Wed, 14 Jan 2026 13:01:35 +0000 (UTC) Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.9440.1768395692683673794 for ; Wed, 14 Jan 2026 05:01:32 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=OEvvlhaA; spf=pass (domain: gmail.com, ip: 209.85.210.180, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-81f4c0e2b42so2331949b3a.1 for ; Wed, 14 Jan 2026 05:01:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395692; x=1769000492; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=NAjq1M+KrwXEpB0PqtTlvT4GSdvuQYhv2VWsG15AkNU=; b=OEvvlhaAS8k9tm7N5VkSgPMGzrlc2tfS9BDlA808yE91fiY4fBdTf0BpvwHPPIQhvO CXBv1gfMnqIn7bfTiZLE5T00yO5YNM3huvbFzBDLYv9G3nrmvWSu/u0xKg4x95amm99u 2wmSB9PJ08SeqIRLOyVpKIwYilnpyYYFVLDV0DaDn4izZ/URjVhNEgzlsT0tntj0kE3w WBSBbkoxc2uPpCsDsFAOFNwqpUhZ64iescYJf9eQ8eo3EhcM5oinwONaFDBKhnloeF1+ 
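Review bot: The hunk is a sha256sum bump only, and the commit message quotes the changelog without saying why a stable branch (scarthgap) takes a version bump rather than a targeted backport; the 3.21.3 entry "Fix memory leak that prevented schema instances from getting GC'd" is the real justification for long-running services and is worth stating as such. The recipe inherits ptest, so please also say whether the ptest run was checked against 3.21.3.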
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 11/20] python3-pymongo: upgrade 4.6.1 -> 4.6.3 Date: Thu, 15 Jan 2026 02:00:48 +1300 Message-ID: <20260114130100.1016416-11-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:35 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123464 From: Ankur Tyagi 4.6.3 - Security release to address CVE-2024-5629. 4.6.2 - Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down. Signed-off-by: Ankur Tyagi --- .../{python3-pymongo_4.6.1.bb => python3-pymongo_4.6.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-pymongo_4.6.1.bb => python3-pymongo_4.6.3.bb} (90%) diff --git a/meta-python/recipes-devtools/python/python3-pymongo_4.6.1.bb b/meta-python/recipes-devtools/python/python3-pymongo_4.6.3.bb similarity index 90% rename from meta-python/recipes-devtools/python/python3-pymongo_4.6.1.bb rename to meta-python/recipes-devtools/python/python3-pymongo_4.6.3.bb index 260e134cd2..35a6a81516 100644 --- a/meta-python/recipes-devtools/python/python3-pymongo_4.6.1.bb +++ b/meta-python/recipes-devtools/python/python3-pymongo_4.6.3.bb 
@@ -8,7 +8,7 @@ HOMEPAGE = "http://github.com/mongodb/mongo-python-driver" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327" -SRC_URI[sha256sum] = "31dab1f3e1d0cdd57e8df01b645f52d43cc1b653ed3afd535d2891f4fc4f9712" +SRC_URI[sha256sum] = "400074090b9a631f120b42c61b222fd743490c133a5d2f99c0208cefcccc964e" inherit pypi setuptools3 From patchwork Wed Jan 14 13:00:49 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78701 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 075D1D30CFE for ; Wed, 14 Jan 2026 13:01:45 +0000 (UTC) Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.9360.1768395695498392515 for ; Wed, 14 Jan 2026 05:01:35 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Ez7mnuC9; spf=pass (domain: gmail.com, ip: 209.85.210.174, mailfrom: ankur.tyagi85@gmail.com) Received: by mail-pf1-f174.google.com with SMTP id d2e1a72fcca58-81f4e136481so1720395b3a.3 for ; Wed, 14 Jan 2026 05:01:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1768395695; x=1769000495; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WTR+hl4LQQFdFfzIICc3ePb8o5zig11QpxEms0DsGvc=; b=Ez7mnuC90yzw23QJnA9BWH1QlIzL09JH1O5grNnJMIQ9U9k/BAJUwHsB7X/+QrXlxt OFLiz/NmMYg9lRCm7D+aw+n5Dnv+gs0NsIU1ETXDjhTZ2D8lvF2DX9d2+bJbBjur3ElO RwU5D5XXMaRsW3TJ/JIIUZ9CbLq6kctBXQ1UCraMwLjY/CC1ukt/c52VCPw6l9Qw3u1G 
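Review bot: The commit message names CVE-2024-5629 as the reason for 4.6.3, but the Subject line does not; putting the CVE in the subject, as patches 07 and 12 in this series do, makes the security intent visible in the series listing and in git log searches. The hunk itself is a sha256sum bump only, and since PV moves to 4.6.3 no CVE_STATUS entry is needed.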
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 12/20] python3-tornado: patch CVE-2025-47287 Date: Thu, 15 Jan 2026 02:00:49 +1300 Message-ID: <20260114130100.1016416-12-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123465 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-47287 Signed-off-by: Ankur Tyagi --- .../python3-tornado/CVE-2025-47287.patch | 232 ++++++++++++++++++ .../python/python3-tornado_6.4.2.bb | 2 + 2 files changed, 234 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-tornado/CVE-2025-47287.patch diff --git a/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-47287.patch b/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-47287.patch new file mode 100644 index 0000000000..02439c43e0 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-47287.patch 
@@ -0,0 +1,232 @@ +From 85a6a33e774376ec5b286d3a4857c569b8a8c4a8 Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Thu, 8 May 2025 13:29:43 -0400 +Subject: [PATCH] httputil: Raise errors instead of logging in + multipart/form-data parsing + +We used to continue after logging an error, which allowed repeated +errors to spam the logs. The error raised here will still be logged, +but only once per request, consistent with other error handling in +Tornado. + +CVE: CVE-2025-47287 +Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/cc61050e8f26697463142d99864b562e8470b41d] +Signed-off-by: Ankur Tyagi +--- + tornado/httputil.py | 30 +++++++++++------------------- + tornado/test/httpserver_test.py | 4 ++-- + tornado/test/httputil_test.py | 13 ++++++++----- + tornado/web.py | 17 +++++++++++++---- + 4 files changed, 34 insertions(+), 30 deletions(-) + +diff --git a/tornado/httputil.py b/tornado/httputil.py +index ebdc8059..090a977d 100644 +--- a/tornado/httputil.py ++++ b/tornado/httputil.py +@@ -34,7 +34,6 @@ import unicodedata + from urllib.parse import urlencode, urlparse, urlunparse, parse_qsl + + from tornado.escape import native_str, parse_qs_bytes, utf8 +-from tornado.log import gen_log + from tornado.util import ObjectDict, unicode_type + + +@@ -762,25 +761,22 @@ def parse_body_arguments( + """ + if content_type.startswith("application/x-www-form-urlencoded"): + if headers and "Content-Encoding" in headers: +- gen_log.warning( +- "Unsupported Content-Encoding: %s", headers["Content-Encoding"] ++ raise HTTPInputError( ++ "Unsupported Content-Encoding: %s" % headers["Content-Encoding"] + ) +- return + try: + # real charset decoding will happen in RequestHandler.decode_argument() + uri_arguments = parse_qs_bytes(body, keep_blank_values=True) + except Exception as e: +- gen_log.warning("Invalid x-www-form-urlencoded body: %s", e) +- uri_arguments = {} ++ raise HTTPInputError("Invalid x-www-form-urlencoded body: %s" % e) from e + for name, values in 
uri_arguments.items(): + if values: + arguments.setdefault(name, []).extend(values) + elif content_type.startswith("multipart/form-data"): + if headers and "Content-Encoding" in headers: +- gen_log.warning( +- "Unsupported Content-Encoding: %s", headers["Content-Encoding"] ++ raise HTTPInputError( ++ "Unsupported Content-Encoding: %s" % headers["Content-Encoding"] + ) +- return + try: + fields = content_type.split(";") + for field in fields: +@@ -789,9 +785,9 @@ def parse_body_arguments( + parse_multipart_form_data(utf8(v), body, arguments, files) + break + else: +- raise ValueError("multipart boundary not found") ++ raise HTTPInputError("multipart boundary not found") + except Exception as e: +- gen_log.warning("Invalid multipart/form-data: %s", e) ++ raise HTTPInputError("Invalid multipart/form-data: %s" % e) from e + + + def parse_multipart_form_data( +@@ -820,26 +816,22 @@ def parse_multipart_form_data( + boundary = boundary[1:-1] + final_boundary_index = data.rfind(b"--" + boundary + b"--") + if final_boundary_index == -1: +- gen_log.warning("Invalid multipart/form-data: no final boundary") +- return ++ raise HTTPInputError("Invalid multipart/form-data: no final boundary found") + parts = data[:final_boundary_index].split(b"--" + boundary + b"\r\n") + for part in parts: + if not part: + continue + eoh = part.find(b"\r\n\r\n") + if eoh == -1: +- gen_log.warning("multipart/form-data missing headers") +- continue ++ raise HTTPInputError("multipart/form-data missing headers") + headers = HTTPHeaders.parse(part[:eoh].decode("utf-8")) + disp_header = headers.get("Content-Disposition", "") + disposition, disp_params = _parse_header(disp_header) + if disposition != "form-data" or not part.endswith(b"\r\n"): +- gen_log.warning("Invalid multipart/form-data") +- continue ++ raise HTTPInputError("Invalid multipart/form-data") + value = part[eoh + 4 : -2] + if not disp_params.get("name"): +- gen_log.warning("multipart/form-data value missing name") +- continue ++ raise 
HTTPInputError("multipart/form-data missing name") + name = disp_params["name"] + if disp_params.get("filename"): + ctype = headers.get("Content-Type", "application/unknown") +diff --git a/tornado/test/httpserver_test.py b/tornado/test/httpserver_test.py +index 0b29a39c..5d5fb13a 100644 +--- a/tornado/test/httpserver_test.py ++++ b/tornado/test/httpserver_test.py +@@ -1131,9 +1131,9 @@ class GzipUnsupportedTest(GzipBaseTest, AsyncHTTPTestCase): + # Gzip support is opt-in; without it the server fails to parse + # the body (but parsing form bodies is currently just a log message, + # not a fatal error). +- with ExpectLog(gen_log, "Unsupported Content-Encoding"): ++ with ExpectLog(gen_log, ".*Unsupported Content-Encoding"): + response = self.post_gzip("foo=bar") +- self.assertEqual(json_decode(response.body), {}) ++ self.assertEqual(response.code, 400) + + + class StreamingChunkSizeTest(AsyncHTTPTestCase): +diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py +index 975900aa..9494d0c1 100644 +--- a/tornado/test/httputil_test.py ++++ b/tornado/test/httputil_test.py +@@ -12,7 +12,6 @@ from tornado.httputil import ( + ) + from tornado.escape import utf8, native_str + from tornado.log import gen_log +-from tornado.testing import ExpectLog + from tornado.test.util import ignore_deprecation + + import copy +@@ -195,7 +194,9 @@ Foo + b"\n", b"\r\n" + ) + args, files = form_data_args() +- with ExpectLog(gen_log, "multipart/form-data missing headers"): ++ with self.assertRaises( ++ HTTPInputError, msg="multipart/form-data missing headers" ++ ): + parse_multipart_form_data(b"1234", data, args, files) + self.assertEqual(files, {}) + +@@ -209,7 +210,7 @@ Foo + b"\n", b"\r\n" + ) + args, files = form_data_args() +- with ExpectLog(gen_log, "Invalid multipart/form-data"): ++ with self.assertRaises(HTTPInputError, msg="Invalid multipart/form-data"): + parse_multipart_form_data(b"1234", data, args, files) + self.assertEqual(files, {}) + +@@ -222,7 +223,7 @@ 
Foo--1234--""".replace( + b"\n", b"\r\n" + ) + args, files = form_data_args() +- with ExpectLog(gen_log, "Invalid multipart/form-data"): ++ with self.assertRaises(HTTPInputError, msg="Invalid multipart/form-data"): + parse_multipart_form_data(b"1234", data, args, files) + self.assertEqual(files, {}) + +@@ -236,7 +237,9 @@ Foo + b"\n", b"\r\n" + ) + args, files = form_data_args() +- with ExpectLog(gen_log, "multipart/form-data value missing name"): ++ with self.assertRaises( ++ HTTPInputError, msg="multipart/form-data value missing name" ++ ): + parse_multipart_form_data(b"1234", data, args, files) + self.assertEqual(files, {}) + +diff --git a/tornado/web.py b/tornado/web.py +index 03939647..8ec5601b 100644 +--- a/tornado/web.py ++++ b/tornado/web.py +@@ -1751,6 +1751,14 @@ class RequestHandler(object): + try: + if self.request.method not in self.SUPPORTED_METHODS: + raise HTTPError(405) ++ ++ # If we're not in stream_request_body mode, this is the place where we parse the body. ++ if not _has_stream_request_body(self.__class__): ++ try: ++ self.request._parse_body() ++ except httputil.HTTPInputError as e: ++ raise HTTPError(400, "Invalid body: %s" % e) from e ++ + self.path_args = [self.decode_argument(arg) for arg in args] + self.path_kwargs = dict( + (k, self.decode_argument(v, name=k)) for (k, v) in kwargs.items() +@@ -1941,7 +1949,7 @@ def _has_stream_request_body(cls: Type[RequestHandler]) -> bool: + + + def removeslash( +- method: Callable[..., Optional[Awaitable[None]]] ++ method: Callable[..., Optional[Awaitable[None]]], + ) -> Callable[..., Optional[Awaitable[None]]]: + """Use this decorator to remove trailing slashes from the request path. + +@@ -1970,7 +1978,7 @@ def removeslash( + + + def addslash( +- method: Callable[..., Optional[Awaitable[None]]] ++ method: Callable[..., Optional[Awaitable[None]]], + ) -> Callable[..., Optional[Awaitable[None]]]: + """Use this decorator to add a missing trailing slash to the request path. 
+ +@@ -2394,8 +2402,9 @@ class _HandlerDelegate(httputil.HTTPMessageDelegate): + if self.stream_request_body: + future_set_result_unless_cancelled(self.request._body_future, None) + else: ++ # Note that the body gets parsed in RequestHandler._execute so it can be in ++ # the right exception handler scope. + self.request.body = b"".join(self.chunks) +- self.request._parse_body() + self.execute() + + def on_connection_close(self) -> None: +@@ -3267,7 +3276,7 @@ class GZipContentEncoding(OutputTransform): + + + def authenticated( +- method: Callable[..., Optional[Awaitable[None]]] ++ method: Callable[..., Optional[Awaitable[None]]], + ) -> Callable[..., Optional[Awaitable[None]]]: + """Decorate methods with this to require that the user be logged in. + diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb b/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb index 751f32913a..e24354b54a 100644 --- a/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb +++ b/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb 
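Review bot: in the web.py `_execute` hunk, `raise HTTPError(400, "Invalid body: %s" % e) from e` bakes the parser's text into `log_message`, yet HTTPError treats `log_message` as a `%`-format template filled from its remaining positional arguments (its docstring, quoted later in this series, says it "May contain ``%s``-style placeholders"), and that text includes client-controlled bytes such as the Content-Encoding header value from `"Unsupported Content-Encoding: %s" % headers["Content-Encoding"]`. A stray `%` in that header would make the later formatting fail when the error is logged or stringified, so the clean 400 turns into a secondary exception. Pass the value positionally instead: `raise HTTPError(400, "Invalid body: %s", e) from e`.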
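Review bot: in the `parse_body_arguments` hunk at -789, the blanket `except Exception as e: raise HTTPInputError("Invalid multipart/form-data: %s" % e) from e` also catches the HTTPInputError that `parse_multipart_form_data` now raises with messages that already begin "Invalid multipart/form-data", so a bad body reports "Invalid multipart/form-data: Invalid multipart/form-data: no final boundary found". Add an `except HTTPInputError: raise` ahead of the generic handler so the parser's own error passes through once.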
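Review bot: in the httpserver_test.py hunk, the comment kept as context ("parsing form bodies is currently just a log message, not a fatal error") is contradicted by the new `self.assertEqual(response.code, 400)` on the next lines; update the comment to say that an unsupported Content-Encoding now fails the request with 400.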
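Review bot: in the httputil_test.py hunk at -236, `self.assertRaises(HTTPInputError, msg="multipart/form-data value missing name")` never checks the exception text, because `msg` is only the failure message printed when nothing is raised, and the string given here no longer matches what the parser raises in this same patch ("multipart/form-data missing name"). The other three `assertRaises(..., msg=...)` conversions in this file have the same blind spot; use `assertRaisesRegex(HTTPInputError, "missing name")` (and the matching phrases for the others) so the tests pin the error actually raised.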
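Review bot: the `removeslash` hunk at -1941, and the identical `addslash` and `authenticated` hunks that follow, only add a trailing comma to a type annotation and have nothing to do with CVE-2025-47287; dropping them from the backport keeps the CVE patch minimal and avoids needless conflicts when the recipe is rebased.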
@@ -8,6 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" SRC_URI[sha256sum] = "92bad5b4746e9879fd7bf1eb21dce4e3fc5128d71601f80005afa39237ad620b" +SRC_URI += "file://CVE-2025-47287.patch" + inherit pypi python_setuptools_build_meta # Requires _compression which is currently located in misc
From patchwork Wed Jan 14 13:00:50 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78704
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 13/20] python3-tornado: patch CVE-2025-67724 Date: Thu, 15 Jan 2026 02:00:50 +1300 Message-ID: <20260114130100.1016416-13-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123466 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67724 Signed-off-by: Ankur Tyagi --- .../python3-tornado/CVE-2025-67724.patch | 118 ++++++++++++++++++ .../python/python3-tornado_6.4.2.bb | 4 +- 2 files changed, 121 insertions(+), 1 deletion(-) create mode 100644 meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67724.patch diff --git a/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67724.patch b/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67724.patch new file mode 100644 index 0000000000..78cdae9666 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67724.patch 
@@ -0,0 +1,118 @@ +From 990054627cef3966a626162138164a77580d33ad Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Wed, 10 Dec 2025 15:15:25 -0500 +Subject: [PATCH] web: Harden against invalid HTTP reason phrases + +We allow applications to set custom reason phrases for the HTTP status +line (to support custom status codes), but if this were exposed to +untrusted data it could be exploited in various ways. This commit +guards against invalid reason phrases in both HTTP headers and in +error pages. + +CVE: CVE-2025-67724 +Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421] +(cherry picked from commit 9c163aebeaad9e6e7d28bac1f33580eb00b0e421) +Signed-off-by: Ankur Tyagi +--- + tornado/test/web_test.py | 15 ++++++++++++++- + tornado/web.py | 25 +++++++++++++++++++------ + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py +index fec66f39..801a80ed 100644 +--- a/tornado/test/web_test.py ++++ b/tornado/test/web_test.py +@@ -1712,7 +1712,7 @@ class StatusReasonTest(SimpleHandlerTestCase): + class Handler(RequestHandler): + def get(self): + reason = self.request.arguments.get("reason", []) +- self.set_status( ++ raise HTTPError( + int(self.get_argument("code")), + reason=to_unicode(reason[0]) if reason else None, + ) +@@ -1735,6 +1735,19 @@ class StatusReasonTest(SimpleHandlerTestCase): + self.assertEqual(response.code, 682) + self.assertEqual(response.reason, "Unknown") + ++ def test_header_injection(self): ++ response = self.fetch("/?code=200&reason=OK%0D%0AX-Injection:injected") ++ self.assertEqual(response.code, 200) ++ self.assertEqual(response.reason, "Unknown") ++ self.assertNotIn("X-Injection", response.headers) ++ ++ def test_reason_xss(self): ++ response = self.fetch("/?code=400&reason=") ++ self.assertEqual(response.code, 400) ++ self.assertEqual(response.reason, "Unknown") ++ self.assertNotIn(b"script", response.body) ++ 
self.assertIn(b"Unknown", response.body) ++ + + class DateHeaderTest(SimpleHandlerTestCase): + class Handler(RequestHandler): +diff --git a/tornado/web.py b/tornado/web.py +index 8ec5601b..8a740504 100644 +--- a/tornado/web.py ++++ b/tornado/web.py +@@ -350,8 +350,10 @@ class RequestHandler(object): + + :arg int status_code: Response status code. + :arg str reason: Human-readable reason phrase describing the status +- code. If ``None``, it will be filled in from +- `http.client.responses` or "Unknown". ++ code (for example, the "Not Found" in ``HTTP/1.1 404 Not Found``). ++ Normally determined automatically from `http.client.responses`; this ++ argument should only be used if you need to use a non-standard ++ status code. + + .. versionchanged:: 5.0 + +@@ -360,6 +362,14 @@ class RequestHandler(object): + """ + self._status_code = status_code + if reason is not None: ++ if "<" in reason or not httputil._ABNF.reason_phrase.fullmatch(reason): ++ # Logically this would be better as an exception, but this method ++ # is called on error-handling paths that would need some refactoring ++ # to tolerate internal errors cleanly. ++ # ++ # The check for "<" is a defense-in-depth against XSS attacks (we also ++ # escape the reason when rendering error pages). 
++ reason = "Unknown" + self._reason = escape.native_str(reason) + else: + self._reason = httputil.responses.get(status_code, "Unknown") +@@ -1295,7 +1305,8 @@ class RequestHandler(object): + reason = exception.reason + self.set_status(status_code, reason=reason) + try: +- self.write_error(status_code, **kwargs) ++ if status_code != 304: ++ self.write_error(status_code, **kwargs) + except Exception: + app_log.error("Uncaught exception in write_error", exc_info=True) + if not self._finished: +@@ -1323,7 +1334,7 @@ class RequestHandler(object): + self.finish( + "%(code)d: %(message)s" + "%(code)d: %(message)s" +- % {"code": status_code, "message": self._reason} ++ % {"code": status_code, "message": escape.xhtml_escape(self._reason)} + ) + + @property +@@ -2469,9 +2480,11 @@ class HTTPError(Exception): + mode). May contain ``%s``-style placeholders, which will be filled + in with remaining positional parameters. + :arg str reason: Keyword-only argument. The HTTP "reason" phrase +- to pass in the status line along with ``status_code``. Normally ++ to pass in the status line along with ``status_code`` (for example, ++ the "Not Found" in ``HTTP/1.1 404 Not Found``). Normally + determined automatically from ``status_code``, but can be used +- to use a non-standard numeric code. ++ to use a non-standard numeric code. This is not a general-purpose ++ error message. + """ + + def __init__( diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb b/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb index e24354b54a..ce53ef75ad 100644 --- a/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb +++ b/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb 
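Review bot: the `set_status` hunk at -360 calls `httputil._ABNF.reason_phrase.fullmatch(reason)`, but no patch in this series adds an `_ABNF` definition to httputil.py (the CVE-2025-47287 and CVE-2025-67726 patches touch other parts of that file), so on a 6.4.2 tree that lacks it every `set_status(..., reason=...)` call, including the one in `send_error`, would raise AttributeError on the error-handling path instead of sanitizing the phrase. Confirm that the 6.4.2 httputil being patched defines `_ABNF.reason_phrase`, or carry that definition in this backport.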
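Review bot: the hunk at -1295 (`if status_code != 304: self.write_error(status_code, **kwargs)`) changes how 304 responses are finished and is not mentioned anywhere in the commit message, which only describes reason-phrase validation and escaping; either note it in the backport description as an upstream behaviour change that rides along, or drop it from the CVE patch.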
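Review bot: in the web_test.py hunk at -1735, `test_reason_xss` fetches `/?code=400&reason=` with an empty reason value as shown, so the request carries no markup and `self.assertNotIn(b"script", response.body)` passes trivially; if the URL-encoded payload was lost in transit, make sure the patch file in the recipe directory still carries it, otherwise the test does not exercise the `xhtml_escape` path added at -1323.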
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" SRC_URI[sha256sum] = "92bad5b4746e9879fd7bf1eb21dce4e3fc5128d71601f80005afa39237ad620b" -SRC_URI += "file://CVE-2025-47287.patch" +SRC_URI += "file://CVE-2025-47287.patch \ + file://CVE-2025-67724.patch \ +" inherit pypi python_setuptools_build_meta
From patchwork Wed Jan 14 13:00:51 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78700
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 14/20] python3-tornado: patch CVE-2025-67726 Date: Thu, 15 Jan 2026 02:00:51 +1300 Message-ID: <20260114130100.1016416-14-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123467 From: Ankur Tyagi Details: https://nvd.nist.gov/vuln/detail/CVE-2025-67726 Signed-off-by: Ankur Tyagi --- .../python3-tornado/CVE-2025-67726.patch | 99 +++++++++++++++++++ .../python/python3-tornado_6.4.2.bb | 1 + 2 files changed, 100 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67726.patch diff --git a/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67726.patch b/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67726.patch new file mode 100644 index 0000000000..7b210aea42 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-tornado/CVE-2025-67726.patch 
@@ -0,0 +1,99 @@ +From 4cdca826270483d8b774461a5fdd64f61af62659 Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Wed, 10 Dec 2025 10:55:02 -0500 +Subject: [PATCH] httputil: Fix quadratic behavior in _parseparam + +Prior to this change, _parseparam had O(n^2) behavior when parsing +certain inputs, which could be a DoS vector. This change adapts +logic from the equivalent function in the python standard library +in https://github.com/python/cpython/pull/136072/files + +CVE: CVE-2025-67726 +Upstream-Status: Backport [https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd] +(cherry picked from commit 771472cfdaeebc0d89a9cc46e249f8891a6b29cd) +Signed-off-by: Ankur Tyagi +--- + tornado/httputil.py | 29 ++++++++++++++++++++++------- + tornado/test/httputil_test.py | 23 +++++++++++++++++++++++ + 2 files changed, 45 insertions(+), 7 deletions(-) + +diff --git a/tornado/httputil.py b/tornado/httputil.py +index 090a977d..bbacd4a4 100644 +--- a/tornado/httputil.py ++++ b/tornado/httputil.py +@@ -926,19 +926,34 @@ def parse_response_start_line(line: str) -> ResponseStartLine: + # It has also been modified to support valueless parameters as seen in + # websocket extension negotiations, and to support non-ascii values in + # RFC 2231/5987 format. ++# ++# _parseparam has been further modified with the logic from ++# https://github.com/python/cpython/pull/136072/files ++# to avoid quadratic behavior when parsing semicolons in quoted strings. ++# ++# TODO: See if we can switch to email.message.Message for this functionality. ++# This is the suggested replacement for the cgi.py module now that cgi has ++# been removed from recent versions of Python. We need to verify that ++# the email module is consistent with our existing behavior (and all relevant ++# RFCs for multipart/form-data) before making this change. 
+ + + def _parseparam(s: str) -> Generator[str, None, None]: +- while s[:1] == ";": +- s = s[1:] +- end = s.find(";") +- while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2: +- end = s.find(";", end + 1) ++ start = 0 ++ while s.find(";", start) == start: ++ start += 1 ++ end = s.find(";", start) ++ ind, diff = start, 0 ++ while end > 0: ++ diff += s.count('"', ind, end) - s.count('\\"', ind, end) ++ if diff % 2 == 0: ++ break ++ end, ind = ind, s.find(";", end + 1) + if end < 0: + end = len(s) +- f = s[:end] ++ f = s[start:end] + yield f.strip() +- s = s[end:] ++ start = end + + + def _parse_header(line: str) -> Tuple[str, Dict[str, str]]: +diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py +index 9494d0c1..22b1681b 100644 +--- a/tornado/test/httputil_test.py ++++ b/tornado/test/httputil_test.py +@@ -262,6 +262,29 @@ Foo + self.assertEqual(file["filename"], "ab.txt") + self.assertEqual(file["body"], b"Foo") + ++ def test_disposition_param_linear_performance(self): ++ # This is a regression test for performance of parsing parameters ++ # to the content-disposition header, specifically for semicolons within ++ # quoted strings. ++ def f(n): ++ start = time.time() ++ message = ( ++ b"--1234\r\nContent-Disposition: form-data; " ++ + b'x="' ++ + b";" * n ++ + b'"; ' ++ + b'name="files"; filename="a.txt"\r\n\r\nFoo\r\n--1234--\r\n' ++ ) ++ args: dict[str, list[bytes]] = {} ++ files: dict[str, list[HTTPFile]] = {} ++ parse_multipart_form_data(b"1234", message, args, files) ++ return time.time() - start ++ ++ d1 = f(1_000) ++ d2 = f(10_000) ++ if d2 / d1 > 20: ++ self.fail(f"Disposition param parsing is not linear: {d1=} vs {d2=}") ++ + + class HTTPHeadersTest(unittest.TestCase): + def test_multi_line(self): diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb b/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb index ce53ef75ad..3dabcab38b 100644 
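Review bot: in the `_parseparam` hunk, `end, ind = ind, s.find(";", end + 1)` moves the two cursors in an unusual order: `end` is first set back to the previous range start, so every boundary costs an extra loop pass in which `s.count` runs over an empty reversed range and `ind` can hold -1 once no further `;` exists. It still terminates and stays linear, but the intent reads much more directly as `end, ind = s.find(";", end + 1), end`; double-check this line against the upstream commit cited in the header, and add a test for a value with an unterminated quote so the odd-parity path is covered.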
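Review bot: the httputil_test.py hunk uses `time.time()` but adds no `import time`, and the diffstat (23 insertions in that file) shows this hunk is the only change there; verify the 6.4.2 test module already imports `time` or the new test fails with NameError. The `d2 / d1 > 20` wall-clock ratio is also sensitive to a busy builder, so consider a larger margin or marking the test as a performance check that can be skipped under ptest.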
--- a/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb +++ b/meta-python/recipes-devtools/python/python3-tornado_6.4.2.bb 
@@ -10,6 +10,7 @@ SRC_URI[sha256sum] = "92bad5b4746e9879fd7bf1eb21dce4e3fc5128d71601f80005afa39237 SRC_URI += "file://CVE-2025-47287.patch \ file://CVE-2025-67724.patch \ + file://CVE-2025-67726.patch \ " inherit pypi python_setuptools_build_meta
From patchwork Wed Jan 14 13:00:52 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78702
From: ankur.tyagi85@gmail.com To: openembedded-devel@lists.openembedded.org Cc: Ankur Tyagi Subject: [oe][meta-python][scarthgap][PATCH 15/20] python3-tqdm: upgrade 4.66.2 -> 4.66.3 Date: Thu, 15 Jan 2026 02:00:52 +1300 Message-ID: <20260114130100.1016416-15-ankur.tyagi85@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Jan 2026 13:01:45 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123468 From: Ankur Tyagi Changelog: - cli: eval safety (fixes CVE-2024-34062) https://github.com/tqdm/tqdm/releases/tag/v4.66.3 Signed-off-by: Ankur Tyagi --- .../python/{python3-tqdm_4.66.2.bb => python3-tqdm_4.66.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-tqdm_4.66.2.bb => python3-tqdm_4.66.3.bb} (81%) diff --git a/meta-python/recipes-devtools/python/python3-tqdm_4.66.2.bb b/meta-python/recipes-devtools/python/python3-tqdm_4.66.3.bb similarity index 81% rename from meta-python/recipes-devtools/python/python3-tqdm_4.66.2.bb rename to meta-python/recipes-devtools/python/python3-tqdm_4.66.3.bb index 77d26f54b2..0e1b0b33be 100644 --- a/meta-python/recipes-devtools/python/python3-tqdm_4.66.2.bb +++ b/meta-python/recipes-devtools/python/python3-tqdm_4.66.3.bb 
@@ -5,7 +5,7 @@ SECTION = "devel/python" LICENSE = "MIT & MPL-2.0" LIC_FILES_CHKSUM = "file://LICENCE;md5=42dfa9e8c616dbc295df3f58d756b2a1" -SRC_URI[sha256sum] = "6cd52cdf0fef0e0f543299cfc96fec90d7b8a7e88745f411ec33eb44d5ed3531" +SRC_URI[sha256sum] = "23097a41eba115ba99ecae40d06444c15d1c0c698d527a01c6c8bd1c5d0647e5" inherit pypi python_setuptools_build_meta
From patchwork Wed Jan 14 13:00:53 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ankur Tyagi X-Patchwork-Id: 78703
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 16/20] python3-twisted: patch CVE-2024-41810
Date: Thu, 15 Jan 2026 02:00:53 +1300
Message-ID: <20260114130100.1016416-16-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com>
References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123469

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-41810

Signed-off-by: Ankur Tyagi
---
 .../python3-twisted/CVE-2024-41810.patch | 33 +++++++++++++++++++ .../python/python3-twisted_24.3.0.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch new file mode 100644 index 0000000000..0c195be23a --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41810.patch
@@ -0,0 +1,33 @@ +From 50ddc840e1518edacbd8b26d246f15255bb5498e Mon Sep 17 00:00:00 2001 +From: Adi Roiban +Date: Mon, 29 Jul 2024 14:28:03 +0100 +Subject: [PATCH] Merge commit from fork + +Added HTML output encoding the "URL" parameter of the "redirectTo" function + +CVE: CVE-2024-41810 +Upstream-Status: Backport [https://github.com/twisted/twisted/commit/046a164f89a0f08d3239ecebd750360f8914df33] +(cherry picked from commit 046a164f89a0f08d3239ecebd750360f8914df33) +Signed-off-by: Ankur Tyagi +--- + src/twisted/web/newsfragments/12263.bugfix | 1 + + src/twisted/web/newsfragments/9839.bugfix | 1 + + 2 files changed, 2 insertions(+) + create mode 100644 src/twisted/web/newsfragments/12263.bugfix + create mode 100644 src/twisted/web/newsfragments/9839.bugfix + +diff --git a/src/twisted/web/newsfragments/12263.bugfix b/src/twisted/web/newsfragments/12263.bugfix +new file mode 100644 +index 0000000000..b3982ca0fb +--- /dev/null ++++ b/src/twisted/web/newsfragments/12263.bugfix +@@ -0,0 +1 @@ ++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810. +\ No newline at end of file +diff --git a/src/twisted/web/newsfragments/9839.bugfix b/src/twisted/web/newsfragments/9839.bugfix +new file mode 100644 +index 0000000000..1e2e7f7298 +--- /dev/null ++++ b/src/twisted/web/newsfragments/9839.bugfix +@@ -0,0 +1 @@ ++twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810). diff --git a/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb b/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb index 272aecb8b0..d90bdb227f 100644 --- a/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb +++ b/meta-python/recipes-devtools/python/python3-twisted_24.3.0.bb 
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c1c5d2c2493b848f83864bdedd67bbf5" SRC_URI += " \ file://CVE-2024-41671-0001.patch \ file://CVE-2024-41671-0002.patch \ + file://CVE-2024-41810.patch \ " SRC_URI[sha256sum] = "6b38b6ece7296b5e122c9eb17da2eeab3d98a198f50ca9efd00fb03e5b4fd4ae"
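Review bot: the CVE-2024-41810.patch added above changes no code. Its own diffstat lists only src/twisted/web/newsfragments/12263.bugfix and src/twisted/web/newsfragments/9839.bugfix (2 files changed, 2 insertions), so the HTML-escaping of the URL in twisted.web.util.redirectTo that the commit body ("Added HTML output encoding the "URL" parameter of the "redirectTo" function") and both newsfragments announce is not applied to the 24.3.0 sources by this backport. Either the code hunk of upstream 046a164f89a0f08d3239ecebd750360f8914df33 was lost in the cherry-pick and needs to be restored, or, if the 24.3.0 tree already escapes the URL for some other reason, the file should be dropped and the status recorded with CVE_STATUS in the recipe. As posted, the CVE: tag and the file name are enough for cve-check to report CVE-2024-41810 as patched even though nothing in redirectTo changed. Minor: 12263.bugfix is added without a trailing newline ("\ No newline at end of file") while 9839.bugfix has one.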
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 17/20] python3-virtualenv: upgrade 20.25.3 -> 20.25.3
Date: Thu, 15 Jan 2026 02:00:54 +1300
Message-ID: <20260114130100.1016416-17-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com>
References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123470

From: Ankur Tyagi

https://virtualenv.pypa.io/en/latest/changelog.html#v20-25-3-2024-04-17
https://virtualenv.pypa.io/en/latest/changelog.html#v20-25-2-2024-04-16
https://virtualenv.pypa.io/en/latest/changelog.html#v20-25-1-2024-02-21

Signed-off-by: Ankur Tyagi
---
 ...hon3-virtualenv_20.25.0.bb => python3-virtualenv_20.25.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-virtualenv_20.25.0.bb => python3-virtualenv_20.25.3.bb} (85%) diff --git a/meta-python/recipes-devtools/python/python3-virtualenv_20.25.0.bb b/meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb similarity index 85% rename from meta-python/recipes-devtools/python/python3-virtualenv_20.25.0.bb rename to meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb index 1858fee25a..fee5250c4d 100644 --- a/meta-python/recipes-devtools/python/python3-virtualenv_20.25.0.bb +++ b/meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb
@@ -6,7 +6,7 @@ HOMEPAGE = "https://github.com/pypa/virtualenv" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=0ce089158cf60a8ab6abb452b6405538" -SRC_URI[sha256sum] = "bf51c0d9c7dd63ea8e44086fa1e4fb1093a31e963b86959257378aef020e1f1b" +SRC_URI[sha256sum] = "7bb554bbdfeaacc3349fa614ea5bff6ac300fc7c335e9facf3a3bcfc703f45be" BBCLASSEXTEND = "native nativesdk" inherit pypi python_hatchling
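Review bot: the subject line says "upgrade 20.25.3 -> 20.25.3", but the diff renames python3-virtualenv_20.25.0.bb to python3-virtualenv_20.25.3.bb, so it should read "upgrade 20.25.0 -> 20.25.3"; the three changelog links (20.25.1, 20.25.2, 20.25.3) match the rename, not the subject. The recipe change itself is only the SRC_URI[sha256sum] bump, which is all a pypi-class version move needs, so nothing else to fix in the hunk.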
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 18/20] python3-virtualenv: patch CVE-2024-53899
Date: Thu, 15 Jan 2026 02:00:55 +1300
Message-ID: <20260114130100.1016416-18-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com>
References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123471

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-53899

Signed-off-by: Ankur Tyagi
---
 .../python3-virtualenv/CVE-2024-53899.patch | 422 ++++++++++++++++++ .../python/python3-virtualenv_20.25.3.bb | 2 + 2 files changed, 424 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-virtualenv/CVE-2024-53899.patch diff --git a/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2024-53899.patch b/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2024-53899.patch new file mode 100644 index 0000000000..ac1455f353 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2024-53899.patch
@@ -0,0 +1,422 @@ +From 8675348c70a2d0c4938f0b31c4aa2aba46c00b32 Mon Sep 17 00:00:00 2001 +From: Y5 <124019959+y5c4l3@users.noreply.github.com> +Date: Fri, 27 Sep 2024 16:16:08 +0000 +Subject: [PATCH] Fix #2768: Quote template strings in activation scripts + (#2771) + +CVE: CVE-2024-53899 +Upstream-Status: Backport [https://github.com/pypa/virtualenv/commit/86dddeda7c991f8529e1995bbff280fb7b761972] +Signed-off-by: Ankur Tyagi +--- + src/virtualenv/activation/bash/activate.sh | 8 +++---- + src/virtualenv/activation/batch/__init__.py | 4 ++++ + src/virtualenv/activation/cshell/activate.csh | 8 +++---- + src/virtualenv/activation/fish/activate.fish | 8 +++---- + src/virtualenv/activation/nushell/__init__.py | 19 +++++++++++++++++ + src/virtualenv/activation/nushell/activate.nu | 8 +++---- + .../activation/powershell/__init__.py | 12 +++++++++++ + .../activation/powershell/activate.ps1 | 6 +++--- + src/virtualenv/activation/python/__init__.py | 6 +++++- + .../activation/python/activate_this.py | 8 +++---- + src/virtualenv/activation/via_template.py | 13 +++++++++++- + tests/conftest.py | 6 +++++- + tests/unit/activation/conftest.py | 3 +-- + tests/unit/activation/test_batch.py | 10 ++++----- + tests/unit/activation/test_powershell.py | 21 +++++++++++++------ + 16 files changed, 104 insertions(+), 39 deletions(-) + +diff --git a/src/virtualenv/activation/bash/activate.sh b/src/virtualenv/activation/bash/activate.sh +index b06e3fd3..e412509b 100644 +--- a/src/virtualenv/activation/bash/activate.sh ++++ b/src/virtualenv/activation/bash/activate.sh +@@ -45,18 +45,18 @@ deactivate () { + # unset irrelevant variables + deactivate nondestructive + +-VIRTUAL_ENV='__VIRTUAL_ENV__' ++VIRTUAL_ENV=__VIRTUAL_ENV__ + if ([ "$OSTYPE" = "cygwin" ] || [ "$OSTYPE" = "msys" ]) && $(command -v cygpath &> /dev/null) ; then + VIRTUAL_ENV=$(cygpath -u "$VIRTUAL_ENV") + fi + export VIRTUAL_ENV + + _OLD_VIRTUAL_PATH="$PATH" +-PATH="$VIRTUAL_ENV/__BIN_NAME__:$PATH" 
++PATH="$VIRTUAL_ENV/"__BIN_NAME__":$PATH" + export PATH + +-if [ "x__VIRTUAL_PROMPT__" != x ] ; then +- VIRTUAL_ENV_PROMPT="__VIRTUAL_PROMPT__" ++if [ "x"__VIRTUAL_PROMPT__ != x ] ; then ++ VIRTUAL_ENV_PROMPT=__VIRTUAL_PROMPT__ + else + VIRTUAL_ENV_PROMPT=$(basename "$VIRTUAL_ENV") + fi +diff --git a/src/virtualenv/activation/batch/__init__.py b/src/virtualenv/activation/batch/__init__.py +index a6d58ebb..3d74ba83 100644 +--- a/src/virtualenv/activation/batch/__init__.py ++++ b/src/virtualenv/activation/batch/__init__.py +@@ -15,6 +15,10 @@ class BatchActivator(ViaTemplateActivator): + yield "deactivate.bat" + yield "pydoc.bat" + ++ @staticmethod ++ def quote(string): ++ return string ++ + def instantiate_template(self, replacements, template, creator): + # ensure the text has all newlines as \r\n - required by batch + base = super().instantiate_template(replacements, template, creator) +diff --git a/src/virtualenv/activation/cshell/activate.csh b/src/virtualenv/activation/cshell/activate.csh +index f0c9cca9..24de5508 100644 +--- a/src/virtualenv/activation/cshell/activate.csh ++++ b/src/virtualenv/activation/cshell/activate.csh +@@ -10,15 +10,15 @@ alias deactivate 'test $?_OLD_VIRTUAL_PATH != 0 && setenv PATH "$_OLD_VIRTUAL_PA + # Unset irrelevant variables. 
+ deactivate nondestructive + +-setenv VIRTUAL_ENV '__VIRTUAL_ENV__' ++setenv VIRTUAL_ENV __VIRTUAL_ENV__ + + set _OLD_VIRTUAL_PATH="$PATH:q" +-setenv PATH "$VIRTUAL_ENV:q/__BIN_NAME__:$PATH:q" ++setenv PATH "$VIRTUAL_ENV:q/"__BIN_NAME__":$PATH:q" + + + +-if ('__VIRTUAL_PROMPT__' != "") then +- setenv VIRTUAL_ENV_PROMPT '__VIRTUAL_PROMPT__' ++if (__VIRTUAL_PROMPT__ != "") then ++ setenv VIRTUAL_ENV_PROMPT __VIRTUAL_PROMPT__ + else + setenv VIRTUAL_ENV_PROMPT "$VIRTUAL_ENV:t:q" + endif +diff --git a/src/virtualenv/activation/fish/activate.fish b/src/virtualenv/activation/fish/activate.fish +index c453caf9..f3cd1f2a 100644 +--- a/src/virtualenv/activation/fish/activate.fish ++++ b/src/virtualenv/activation/fish/activate.fish +@@ -58,7 +58,7 @@ end + # Unset irrelevant variables. + deactivate nondestructive + +-set -gx VIRTUAL_ENV '__VIRTUAL_ENV__' ++set -gx VIRTUAL_ENV __VIRTUAL_ENV__ + + # https://github.com/fish-shell/fish-shell/issues/436 altered PATH handling + if test (echo $FISH_VERSION | head -c 1) -lt 3 +@@ -66,12 +66,12 @@ if test (echo $FISH_VERSION | head -c 1) -lt 3 + else + set -gx _OLD_VIRTUAL_PATH $PATH + end +-set -gx PATH "$VIRTUAL_ENV"'/__BIN_NAME__' $PATH ++set -gx PATH "$VIRTUAL_ENV"'/'__BIN_NAME__ $PATH + + # Prompt override provided? + # If not, just use the environment name. 
+-if test -n '__VIRTUAL_PROMPT__' +- set -gx VIRTUAL_ENV_PROMPT '__VIRTUAL_PROMPT__' ++if test -n __VIRTUAL_PROMPT__ ++ set -gx VIRTUAL_ENV_PROMPT __VIRTUAL_PROMPT__ + else + set -gx VIRTUAL_ENV_PROMPT (basename "$VIRTUAL_ENV") + end +diff --git a/src/virtualenv/activation/nushell/__init__.py b/src/virtualenv/activation/nushell/__init__.py +index 68cd4a3b..ef7a79a9 100644 +--- a/src/virtualenv/activation/nushell/__init__.py ++++ b/src/virtualenv/activation/nushell/__init__.py +@@ -7,6 +7,25 @@ class NushellActivator(ViaTemplateActivator): + def templates(self): + yield "activate.nu" + ++ @staticmethod ++ def quote(string): ++ """ ++ Nushell supports raw strings like: r###'this is a string'###. ++ ++ This method finds the maximum continuous sharps in the string and then ++ quote it with an extra sharp. ++ """ ++ max_sharps = 0 ++ current_sharps = 0 ++ for char in string: ++ if char == "#": ++ current_sharps += 1 ++ max_sharps = max(current_sharps, max_sharps) ++ else: ++ current_sharps = 0 ++ wrapping = "#" * (max_sharps + 1) ++ return f"r{wrapping}'{string}'{wrapping}" ++ + def replacements(self, creator, dest_folder): # noqa: ARG002 + return { + "__VIRTUAL_PROMPT__": "" if self.flag_prompt is None else self.flag_prompt, +diff --git a/src/virtualenv/activation/nushell/activate.nu b/src/virtualenv/activation/nushell/activate.nu +index 19d4fa1d..00a41e0e 100644 +--- a/src/virtualenv/activation/nushell/activate.nu ++++ b/src/virtualenv/activation/nushell/activate.nu +@@ -32,8 +32,8 @@ export-env { + } + } + +- let virtual_env = '__VIRTUAL_ENV__' +- let bin = '__BIN_NAME__' ++ let virtual_env = __VIRTUAL_ENV__ ++ let bin = __BIN_NAME__ + + let is_windows = ($nu.os-info.family) == 'windows' + let path_name = (if (has-env 'Path') { +@@ -47,10 +47,10 @@ export-env { + let new_path = ($env | get $path_name | prepend $venv_path) + + # If there is no default prompt, then use the env name instead +- let virtual_env_prompt = (if ('__VIRTUAL_PROMPT__' | is-empty) { ++ let 
virtual_env_prompt = (if (__VIRTUAL_PROMPT__ | is-empty) { + ($virtual_env | path basename) + } else { +- '__VIRTUAL_PROMPT__' ++ __VIRTUAL_PROMPT__ + }) + + let new_env = { +diff --git a/src/virtualenv/activation/powershell/__init__.py b/src/virtualenv/activation/powershell/__init__.py +index 1f6d0f4e..8489656c 100644 +--- a/src/virtualenv/activation/powershell/__init__.py ++++ b/src/virtualenv/activation/powershell/__init__.py +@@ -7,6 +7,18 @@ class PowerShellActivator(ViaTemplateActivator): + def templates(self): + yield "activate.ps1" + ++ @staticmethod ++ def quote(string): ++ """ ++ This should satisfy PowerShell quoting rules [1], unless the quoted ++ string is passed directly to Windows native commands [2]. ++ ++ [1]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules ++ [2]: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_parsing#passing-arguments-that-contain-quote-characters ++ """ # noqa: D205 ++ string = string.replace("'", "''") ++ return f"'{string}'" ++ + + __all__ = [ + "PowerShellActivator", +diff --git a/src/virtualenv/activation/powershell/activate.ps1 b/src/virtualenv/activation/powershell/activate.ps1 +index 5ccfe120..bd30e2ee 100644 +--- a/src/virtualenv/activation/powershell/activate.ps1 ++++ b/src/virtualenv/activation/powershell/activate.ps1 +@@ -37,8 +37,8 @@ deactivate -nondestructive + $VIRTUAL_ENV = $BASE_DIR + $env:VIRTUAL_ENV = $VIRTUAL_ENV + +-if ("__VIRTUAL_PROMPT__" -ne "") { +- $env:VIRTUAL_ENV_PROMPT = "__VIRTUAL_PROMPT__" ++if (__VIRTUAL_PROMPT__ -ne "") { ++ $env:VIRTUAL_ENV_PROMPT = __VIRTUAL_PROMPT__ + } + else { + $env:VIRTUAL_ENV_PROMPT = $( Split-Path $env:VIRTUAL_ENV -Leaf ) +@@ -46,7 +46,7 @@ else { + + New-Variable -Scope global -Name _OLD_VIRTUAL_PATH -Value $env:PATH + +-$env:PATH = "$env:VIRTUAL_ENV/__BIN_NAME____PATH_SEP__" + $env:PATH ++$env:PATH = "$env:VIRTUAL_ENV/" + __BIN_NAME__ + __PATH_SEP__ + $env:PATH + if 
(!$env:VIRTUAL_ENV_DISABLE_PROMPT) { + function global:_old_virtual_prompt { + "" +diff --git a/src/virtualenv/activation/python/__init__.py b/src/virtualenv/activation/python/__init__.py +index 3126a39f..e900f7ec 100644 +--- a/src/virtualenv/activation/python/__init__.py ++++ b/src/virtualenv/activation/python/__init__.py +@@ -10,10 +10,14 @@ class PythonActivator(ViaTemplateActivator): + def templates(self): + yield "activate_this.py" + ++ @staticmethod ++ def quote(string): ++ return repr(string) ++ + def replacements(self, creator, dest_folder): + replacements = super().replacements(creator, dest_folder) + lib_folders = OrderedDict((os.path.relpath(str(i), str(dest_folder)), None) for i in creator.libs) +- lib_folders = os.pathsep.join(lib_folders.keys()).replace("\\", "\\\\") # escape Windows path characters ++ lib_folders = os.pathsep.join(lib_folders.keys()) + replacements.update( + { + "__LIB_FOLDERS__": lib_folders, +diff --git a/src/virtualenv/activation/python/activate_this.py b/src/virtualenv/activation/python/activate_this.py +index befe8f40..f297cae3 100644 +--- a/src/virtualenv/activation/python/activate_this.py ++++ b/src/virtualenv/activation/python/activate_this.py +@@ -19,18 +19,18 @@ except NameError as exc: + raise AssertionError(msg) from exc + + bin_dir = os.path.dirname(abs_file) +-base = bin_dir[: -len("__BIN_NAME__") - 1] # strip away the bin part from the __file__, plus the path separator ++base = bin_dir[: -len(__BIN_NAME__) - 1] # strip away the bin part from the __file__, plus the path separator + + # prepend bin to PATH (this file is inside the bin directory) + os.environ["PATH"] = os.pathsep.join([bin_dir, *os.environ.get("PATH", "").split(os.pathsep)]) + os.environ["VIRTUAL_ENV"] = base # virtual env is right above bin directory +-os.environ["VIRTUAL_ENV_PROMPT"] = "__VIRTUAL_PROMPT__" or os.path.basename(base) # noqa: SIM222 ++os.environ["VIRTUAL_ENV_PROMPT"] = __VIRTUAL_PROMPT__ or os.path.basename(base) + + # add the virtual 
environments libraries to the host python import mechanism + prev_length = len(sys.path) +-for lib in "__LIB_FOLDERS__".split(os.pathsep): ++for lib in __LIB_FOLDERS__.split(os.pathsep): + path = os.path.realpath(os.path.join(bin_dir, lib)) +- site.addsitedir(path.decode("utf-8") if "__DECODE_PATH__" else path) ++ site.addsitedir(path.decode("utf-8") if __DECODE_PATH__ else path) + sys.path[:] = sys.path[prev_length:] + sys.path[0:prev_length] + + sys.real_prefix = sys.prefix +diff --git a/src/virtualenv/activation/via_template.py b/src/virtualenv/activation/via_template.py +index 373316cf..1f532213 100644 +--- a/src/virtualenv/activation/via_template.py ++++ b/src/virtualenv/activation/via_template.py +@@ -1,6 +1,7 @@ + from __future__ import annotations + + import os ++import shlex + import sys + from abc import ABC, abstractmethod + +@@ -21,6 +22,16 @@ class ViaTemplateActivator(Activator, ABC): + def templates(self): + raise NotImplementedError + ++ @staticmethod ++ def quote(string): ++ """ ++ Quote strings in the activation script. 
++ ++ :param string: the string to quote ++ :return: quoted string that works in the activation script ++ """ ++ return shlex.quote(string) ++ + def generate(self, creator): + dest_folder = creator.bin_dir + replacements = self.replacements(creator, dest_folder) +@@ -63,7 +74,7 @@ class ViaTemplateActivator(Activator, ABC): + text = binary.decode("utf-8", errors="strict") + for key, value in replacements.items(): + value_uni = self._repr_unicode(creator, value) +- text = text.replace(key, value_uni) ++ text = text.replace(key, self.quote(value_uni)) + return text + + @staticmethod +diff --git a/tests/conftest.py b/tests/conftest.py +index 03f808fa..b67c2956 100644 +--- a/tests/conftest.py ++++ b/tests/conftest.py +@@ -275,7 +275,11 @@ def is_inside_ci(): + + @pytest.fixture(scope="session") + def special_char_name(): +- base = "e-$ èрт
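Review bot: the patch header's summary line says "16 files changed, 104 insertions(+), 39 deletions(-)", but only 15 files are listed and their per-file counts add up to 140 changed lines, not 143. A 3-line file from the upstream commit (86dddeda7c991f8529e1995bbff280fb7b761972) was evidently dropped when the backport was prepared; regenerate the header with git format-patch after the removal, or say in the patch description which file was left out, so that Upstream-Status: Backport describes what is actually carried. Separately, the archived copy is cut off inside tests/conftest.py at the special_char_name fixture, so the remaining test hunks and the python3-virtualenv_20.25.3.bb change from the outer diffstat could not be reviewed here.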
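Review bot: in src/virtualenv/activation/batch/__init__.py the new BatchActivator.quote returns its argument unchanged, so activate.bat, deactivate.bat and pydoc.bat keep receiving __VIRTUAL_ENV__, __BIN_NAME__ and __VIRTUAL_PROMPT__ unquoted while every other activator now has them quoted by ViaTemplateActivator.instantiate_template. The batch templates themselves are not in this patch's diffstat, so if leaving them as-is is deliberate, a one-line comment on the override saying why would stop the next reader from treating the no-op as an omission of the fix on Windows.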
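Review bot: ViaTemplateActivator.quote in via_template.py uses shlex.quote, which produces POSIX sh quoting, and only batch, nushell, powershell and python define their own quote in this patch; the cshell and fish activators get no override, yet activate.csh and activate.fish are rewritten to depend on it (setenv VIRTUAL_ENV __VIRTUAL_ENV__, set -gx VIRTUAL_ENV __VIRTUAL_ENV__, test -n __VIRTUAL_PROMPT__). shlex.quote renders an embedded single quote as '"'"' and leaves safe names such as bin unquoted, both of which assume sh-style word concatenation, so please make sure the csh and fish activation tests run with a venv path that contains a single quote and with an empty prompt (which shlex.quote turns into ''), not only with the existing special_char_name value.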
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 19/20] python3-virtualenv: patch CVE-2026-22702
Date: Thu, 15 Jan 2026 02:00:56 +1300
Message-ID: <20260114130100.1016416-19-ankur.tyagi85@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com>
References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123472

From: Ankur Tyagi

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-22702

Signed-off-by: Ankur Tyagi
---
 .../python3-virtualenv/CVE-2026-22702.patch | 60 +++++++++++++++++++ .../python/python3-virtualenv_20.25.3.bb | 4 +- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch diff --git a/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch b/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch new file mode 100644 index 0000000000..30f177b4d7 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-virtualenv/CVE-2026-22702.patch
@@ -0,0 +1,60 @@ +From c57ef93ee6f63129d20b24e71a6ddab1c75752b7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bern=C3=A1t=20G=C3=A1bor?= +Date: Fri, 9 Jan 2026 10:19:39 -0800 +Subject: [PATCH] Merge pull request #3013 from gaborbernat/fix-sec + +CVE: CVE-2026-22702 +Upstream-Status: Backport [https://github.com/pypa/virtualenv/commit/dec4cec5d16edaf83a00a658f32d1e032661cebc] +Signed-off-by: Ankur Tyagi +--- + src/virtualenv/app_data/__init__.py | 11 +++++------ + src/virtualenv/util/lock.py | 7 +++---- + 2 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/src/virtualenv/app_data/__init__.py b/src/virtualenv/app_data/__init__.py +index 148c9418..301a00f7 100644 +--- a/src/virtualenv/app_data/__init__.py ++++ b/src/virtualenv/app_data/__init__.py +@@ -34,12 +34,11 @@ def make_app_data(folder, **kwargs): + if is_read_only: + return ReadOnlyAppData(folder) + +- if not os.path.isdir(folder): +- try: +- os.makedirs(folder) +- logging.debug("created app data folder %s", folder) +- except OSError as exception: +- logging.info("could not create app data folder %s due to %r", folder, exception) ++ try: ++ os.makedirs(folder, exist_ok=True) ++ logging.debug("created app data folder %s", folder) ++ except OSError as exception: ++ logging.info("could not create app data folder %s due to %r", folder, exception) + + if os.access(folder, os.W_OK): + return AppDataDiskFolder(folder) +diff --git a/src/virtualenv/util/lock.py b/src/virtualenv/util/lock.py +index b4dc66a3..a28b32f8 100644 +--- a/src/virtualenv/util/lock.py ++++ b/src/virtualenv/util/lock.py +@@ -15,9 +15,8 @@ from filelock import FileLock, Timeout + class _CountedFileLock(FileLock): + def __init__(self, lock_file) -> None: + parent = os.path.dirname(lock_file) +- if not os.path.isdir(parent): +- with suppress(OSError): +- os.makedirs(parent) ++ with suppress(OSError): ++ os.makedirs(parent, exist_ok=True) + + super().__init__(lock_file) + self.count = 0 +@@ -109,7 +108,7 @@ class 
ReentrantFileLock(PathLockBase): + # a lock, but that lock might then become expensive, and it's not clear where that lock should live. + # Instead here we just ignore if we fail to create the directory. + with suppress(OSError): +- os.makedirs(str(self.path)) ++ os.makedirs(str(self.path), exist_ok=True) + + try: + lock.acquire(0.0001) diff --git a/meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb b/meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb index a980727dd6..b7dd5729ef 100644 --- a/meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb +++ b/meta-python/recipes-devtools/python/python3-virtualenv_20.25.3.bb 
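Review bot: in the make_app_data hunk, the line logging.debug("created app data folder %s", folder) now runs on every call, because os.makedirs(folder, exist_ok=True) returns normally when the folder already exists, so the debug log claims a creation that did not happen in the common case. Either drop that line or log only when the folder was absent beforehand (an isdir check used purely for the log message, not as a gate in front of makedirs, since dropping that gate is what this hunk does).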
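Review bot: in the _CountedFileLock.__init__ hunk, suppress(OSError) still swallows the FileExistsError that os.makedirs(parent, exist_ok=True) raises when parent exists but is not a directory, after which super().__init__(lock_file) proceeds with an unusable parent and the failure surfaces later from FileLock with less context. Consider logging the suppressed exception at debug level, following the logging.info("could not create app data folder %s due to %r", ...) pattern used in make_app_data.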
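Review bot: in the ReentrantFileLock hunk (@@ -109,7 +108,7 @@) the change does not alter behaviour: the enclosing with suppress(OSError): already swallowed the FileExistsError that os.makedirs(str(self.path)) raised for an existing directory, so exist_ok=True only makes the intent explicit and the comment above ("we just ignore if we fail to create the directory") remains accurate. The backported commit carries only the subject "Merge pull request #3013 from gaborbernat/fix-sec" and no body; a sentence in the commit message stating which of the three hunks carries the security-relevant change would help backporters, who otherwise have to infer it from the upstream link.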
@@ -8,7 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=0ce089158cf60a8ab6abb452b6405538" SRC_URI[sha256sum] = "7bb554bbdfeaacc3349fa614ea5bff6ac300fc7c335e9facf3a3bcfc703f45be" -SRC_URI += "file://CVE-2024-53899.patch" +SRC_URI += "file://CVE-2024-53899.patch \ + file://CVE-2026-22702.patch \ +" BBCLASSEXTEND = "native nativesdk" inherit pypi python_hatchling

From patchwork Wed Jan 14 13:00:57 2026
X-Patchwork-Submitter: Ankur Tyagi
X-Patchwork-Id: 78707
From: ankur.tyagi85@gmail.com
To: openembedded-devel@lists.openembedded.org
Cc: Ankur Tyagi
Subject: [oe][meta-python][scarthgap][PATCH 20/20] python3-werkzeug: ignore CVE-2025-66221 and CVE-2026-21860
Date: Thu, 15 Jan 2026 02:00:57 +1300
Message-ID: <20260114130100.1016416-20-ankur.tyagi85@gmail.com>
In-Reply-To: <20260114130100.1016416-1-ankur.tyagi85@gmail.com>
References: <20260114130100.1016416-1-ankur.tyagi85@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123473

From: Ankur Tyagi

Both vulnerabilities are for Windows and can be ignored.

Details:
- https://nvd.nist.gov/vuln/detail/CVE-2025-66221
- https://nvd.nist.gov/vuln/detail/CVE-2026-21860

Signed-off-by: Ankur Tyagi
---
 meta-python/recipes-devtools/python/python3-werkzeug_3.0.6.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_3.0.6.bb b/meta-python/recipes-devtools/python/python3-werkzeug_3.0.6.bb
index 5758830cb9..5f88a9577a 100644
--- a/meta-python/recipes-devtools/python/python3-werkzeug_3.0.6.bb
+++ b/meta-python/recipes-devtools/python/python3-werkzeug_3.0.6.bb
@@ -22,3 +22,6 @@ RDEPENDS:${PN} += " \ python3-json \ python3-difflib \ " + +CVE_STATUS[CVE-2025-66221] = "not-applicable-platform: The vulnerability is Windows specific" +CVE_STATUS[CVE-2026-21860] = "not-applicable-platform: The vulnerability is Windows specific"
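Review bot: the two CVE_STATUS entries in the hunk justify the exclusion only with "The vulnerability is Windows specific", which restates the commit message rather than supporting it; the NVD links that back the claim live in the commit body and not in the recipe. Put the advisory reference, or the one-line detail from it that limits each issue to Windows, into each CVE_STATUS string so the not-applicable-platform classification can be checked from the recipe alone during later CVE audits, without going back to the mailing-list thread.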