diff --git a/CVE-2025-64076.patch b/CVE-2025-64076.patch new file mode 100644 index 0000000..9e3ed57 --- /dev/null +++ b/CVE-2025-64076.patch @@ -0,0 +1,71 @@ +From 851473490281f82d82560b2368284ef33cf6e8f9 Mon Sep 17 00:00:00 2001 +From: lizhenghao +Date: Wed, 22 Oct 2025 10:26:34 +0800 +Subject: [PATCH 1/3] Fix: Fixed a read(-1) vulnerability caused by boundary + handling error in #264 + +--- + source/decoder.c | 8 +++++++- + tests/test_decoder.py | 22 ++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 1 deletion(-) + +Index: cbor2-5.6.5/source/decoder.c +=================================================================== +--- cbor2-5.6.5.orig/source/decoder.c ++++ cbor2-5.6.5/source/decoder.c +@@ -758,7 +758,7 @@ decode_definite_long_string(CBORDecoderO + char *buffer = NULL; + while (left) { + // Read up to 65536 bytes of data from the stream +- Py_ssize_t chunk_length = 65536 - buffer_size; ++ Py_ssize_t chunk_length = 65536 - buffer_length; + if (left < chunk_length) + chunk_length = left; + +@@ -828,7 +828,13 @@ decode_definite_long_string(CBORDecoderO + memcpy(buffer, bytes_buffer + consumed, unconsumed); + } + buffer_length = unconsumed; ++ } else { ++ // All bytes consumed, reset buffer_length ++ buffer_length = 0; + } ++ ++ Py_DECREF(chunk); ++ chunk = NULL; + } + + if (ret && string_namespace_add(self, ret, length) == -1) +Index: cbor2-5.6.5/tests/test_decoder.py +=================================================================== +--- cbor2-5.6.5.orig/tests/test_decoder.py ++++ cbor2-5.6.5/tests/test_decoder.py +@@ -260,6 +260,28 @@ def test_string_oversized(impl) -> None: + (impl.loads(unhexlify("aeaeaeaeaeaeaeaeae0108c29843d90100d8249f0000aeaeffc26ca799")),) + + ++def test_string_issue_264_multiple_chunks_utf8_boundary(impl) -> None: ++ """Test for Issue #264: UTF-8 characters split across multiple 65536-byte chunk boundaries.""" ++ import struct ++ ++ # Construct: 65535 'a' + '€' (3 bytes) + 65533 'b' + '€' (3 bytes) + 100 'd' ++ # Total: 131174 bytes, which spans 3 chunks (65536 + 65536 + 102) ++ total_bytes = 65535 + 3 + 65533 + 3 + 100 ++ ++ payload = b"\x7a" + struct.pack(">I", total_bytes) # major type 3, 4-byte length ++ payload += b"a" * 65535 ++ payload += "€".encode() # U+20AC: E2 82 AC ++ payload += b"b" * 65533 ++ payload += "€".encode() ++ payload += b"d" * 100 ++ ++ expected = "a" * 65535 + "€" + "b" * 65533 + "€" + "d" * 100 ++ ++ result = impl.loads(payload) ++ assert result == expected ++ assert len(result) == 131170 # 65535 + 1 + 65533 + 1 + 100 characters ++ ++ + @pytest.mark.parametrize( + "payload, expected", + [ diff --git a/python-cbor2.changes b/python-cbor2.changes index ac162ef..7753e7a 100644 --- a/python-cbor2.changes +++ b/python-cbor2.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Nov 19 10:56:07 UTC 2025 - Daniel Garcia + +- Add CVE-2025-64076.patch from upstream. Fix: bug in + decode_definite_long_string() that causes incorrect chunk length + calculation + (bsc#1253746, CVE-2025-64076, gh#agronholm/cbor2#265) + ------------------------------------------------------------------- Tue Oct 22 13:48:00 UTC 2024 - Dirk Müller diff --git a/python-cbor2.spec b/python-cbor2.spec index 203a2f6..602af70 100644 --- a/python-cbor2.spec +++ b/python-cbor2.spec @@ -24,6 +24,8 @@ Summary: Pure Python CBOR (de)serializer with extensive tag support License: MIT URL: https://github.com/agronholm/cbor2 Source: https://files.pythonhosted.org/packages/source/c/cbor2/cbor2-%{version}.tar.gz +# PATCH-FIX-UPSTREAM CVE-2025-64076.patch bsc#1253746 gh#agronholm/cbor2#265 +Patch0: CVE-2025-64076.patch BuildRequires: %{python_module devel} BuildRequires: %{python_module hypothesis} BuildRequires: %{python_module pip}