Merge remote-tracking branch 'origin/slfo-main' into CVE-2025-64076

Add CVE-2025-64076.patch from upstream
Fix: bug in decode_definite_long_string() that causes incorrect chunk length calculation. bsc#1253746, CVE-2025-64076, gh#agronholm/cbor2#265
2025-11-24 16:54:21 +01:00 · 2025-11-19 12:02:31 +01:00 · 2025-11-03 14:40:09 +01:00 · 2024-10-23 19:09:46 +00:00 · 2024-10-22 13:48:05 +00:00
5 changed files with 116 additions and 6 deletions
--- a/CVE-2025-64076.patch
+++ b/CVE-2025-64076.patch
@@ -0,0 +1,71 @@
 From 851473490281f82d82560b2368284ef33cf6e8f9 Mon Sep 17 00:00:00 2001
 From: lizhenghao <sculizhenghao@foxmail.com>
 Date: Wed, 22 Oct 2025 10:26:34 +0800
 Subject: [PATCH 1/3] Fix: Fixed a read(-1) vulnerability caused by boundary
 handling error in #264
 ---
 source/decoder.c      |  8 +++++++-
 tests/test_decoder.py | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 Index: cbor2-5.6.5/source/decoder.c
 ===================================================================
 --- cbor2-5.6.5.orig/source/decoder.c
 +++ cbor2-5.6.5/source/decoder.c
@@ -758,7 +758,7 @@ decode_definite_long_string(CBORDecoderO
     char *buffer = NULL;
     while (left) {
         // Read up to 65536 bytes of data from the stream
 -        Py_ssize_t chunk_length = 65536 - buffer_size;
 +        Py_ssize_t chunk_length = 65536 - buffer_length;
         if (left < chunk_length)
             chunk_length = left;
@@ -828,7 +828,13 @@ decode_definite_long_string(CBORDecoderO
                 memcpy(buffer, bytes_buffer + consumed, unconsumed);
             }
             buffer_length = unconsumed;
 +        } else {
 +            // All bytes consumed, reset buffer_length
 +            buffer_length = 0;
         }
 +
 +        Py_DECREF(chunk);
 +        chunk = NULL;
     }
     if (ret && string_namespace_add(self, ret, length) == -1)
 Index: cbor2-5.6.5/tests/test_decoder.py
 ===================================================================
 --- cbor2-5.6.5.orig/tests/test_decoder.py
 +++ cbor2-5.6.5/tests/test_decoder.py
@@ -260,6 +260,28 @@ def test_string_oversized(impl) -> None:
         (impl.loads(unhexlify("aeaeaeaeaeaeaeaeae0108c29843d90100d8249f0000aeaeffc26ca799")),)
 +def test_string_issue_264_multiple_chunks_utf8_boundary(impl) -> None:
 +    """Test for Issue #264: UTF-8 characters split across multiple 65536-byte chunk boundaries."""
 +    import struct
 +
 +    # Construct: 65535 'a' + '€' (3 bytes) + 65533 'b' + '€' (3 bytes) + 100 'd'
 +    # Total: 131174 bytes, which spans 3 chunks (65536 + 65536 + 102)
 +    total_bytes = 65535 + 3 + 65533 + 3 + 100
 +
 +    payload = b"\x7a" + struct.pack(">I", total_bytes)  # major type 3, 4-byte length
 +    payload += b"a" * 65535
 +    payload += "€".encode()  # U+20AC: E2 82 AC
 +    payload += b"b" * 65533
 +    payload += "€".encode()
 +    payload += b"d" * 100
 +
 +    expected = "a" * 65535 + "€" + "b" * 65533 + "€" + "d" * 100
 +
 +    result = impl.loads(payload)
 +    assert result == expected
 +    assert len(result) == 131170  # 65535 + 1 + 65533 + 1 + 100 characters
 +
 +
 @pytest.mark.parametrize(
     "payload, expected",
     [
--- a/cbor2-5.6.4.tar.gz
+++ b/cbor2-5.6.4.tar.gz
@@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:1c533c50dde86bef1c6950602054a0ffa3c376e8b0e20c7b8f5b108793f6983e
 size 100865
--- a/cbor2-5.6.5.tar.gz
+++ b/cbor2-5.6.5.tar.gz
--- a/python-cbor2.changes
+++ b/python-cbor2.changes
@@ -1,3 +1,27 @@
 -------------------------------------------------------------------
 Wed Nov 19 10:56:07 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
 - Add CVE-2025-64076.patch from upstream. Fix: bug in
  decode_definite_long_string() that causes incorrect chunk length
  calculation
  (bsc#1253746, CVE-2025-64076, gh#agronholm/cbor2#265)
 -------------------------------------------------------------------
 Tue Aug 12 08:01:01 UTC 2025 - Markéta Machová <mmachova@suse.com>
 - Make the libalternatives transition conditional
 -------------------------------------------------------------------
 Wed Jun 25 11:44:28 UTC 2025 - Markéta Machová <mmachova@suse.com>
 - Convert to libalternatives
 -------------------------------------------------------------------
 Tue Oct 22 13:48:00 UTC 2024 - Dirk Müller <dmueller@suse.com>
 - update to 5.6.5:
  * Published binary wheels for Python 3.13
 -------------------------------------------------------------------
 Thu Jun  6 10:36:17 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
@@ -10,7 +34,7 @@ Thu Jun  6 10:36:17 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.c
 -------------------------------------------------------------------
 Wed Jun  5 15:47:30 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
- Update to 5.6.3
+- Update to 5.6.3 (bsc#1220096, CVE-2024-26134):
  * Fixed decoding of epoch-based dates being affected by the local
    time zone in the C extension
 - from version 5.6.2
--- a/python-cbor2.spec
+++ b/python-cbor2.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package python-cbor2
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,14 +16,21 @@
 #
 %if 0%{?suse_version} > 1500
 %bcond_without libalternatives
 %else
 %bcond_with libalternatives
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-cbor2
-Version:        5.6.4
+Version:        5.6.5
 Release:        0
 Summary:        Pure Python CBOR (de)serializer with extensive tag support
 License:        MIT
 URL:            https://github.com/agronholm/cbor2
 Source:         https://files.pythonhosted.org/packages/source/c/cbor2/cbor2-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM CVE-2025-64076.patch bsc#1253746 gh#agronholm/cbor2#265
 Patch0:         CVE-2025-64076.patch
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module hypothesis}
 BuildRequires:  %{python_module pip}
@@ -33,8 +40,13 @@ BuildRequires:  %{python_module setuptools_scm >= 6.4}
 BuildRequires:  %{python_module wheel}
 BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 %if %{with libalternatives}
 BuildRequires:  alts
 Requires:       alts
 %else
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
 %endif
 %python_subpackages
 %description
@@ -60,6 +72,9 @@ export LANG=en_US.UTF8
 export LANG=en_US.UTF8
 %pytest_arch
 %pre
 %python_libalternatives_reset_alternative cbor2
 %post
 %python_install_alternative cbor2
Author	SHA256	Message	Date
Daniel Garcia Moreno	6fe546da81	Merge remote-tracking branch 'origin/slfo-main' into CVE-2025-64076	2025-11-24 16:54:21 +01:00
Daniel Garcia Moreno	86be5cbd3a	Add CVE-2025-64076.patch from upstream Fix: bug in decode_definite_long_string() that causes incorrect chunk length calculation. bsc#1253746, CVE-2025-64076, gh#agronholm/cbor2#265	2025-11-19 12:02:31 +01:00
Daniel Garcia Moreno	1ad01979cd	Convert to libalternatives, bsc#1245883	2025-11-03 14:40:09 +01:00
Ana Guerrero	0c6379bf3c	Accepting request 1217046 from devel:languages:python - update to 5.6.5: * Published binary wheels for Python 3.13 OBS-URL: https://build.opensuse.org/request/show/1217046 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-cbor2?expand=0&rev=13	2024-10-23 19:09:46 +00:00
Dirk Mueller	6f747eba62	- update to 5.6.5: * Published binary wheels for Python 3.13 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cbor2?expand=0&rev=27	2024-10-22 13:48:05 +00:00