forked from pool/python-cbor2
Compare commits
16 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| 6fe546da81 | |||
| 86be5cbd3a | |||
| 1ad01979cd | |||
| 0c6379bf3c | |||
| 6f747eba62 | |||
| 4e4816b20e | |||
| efb2683975 | |||
| a5a2e035cd | |||
| 82dd33088a | |||
| afbf1732e4 | |||
| 79bf25c878 | |||
| b02cd08f0c | |||
| d568a04ef6 | |||
| 5e07149833 | |||
| 4b1fd5d706 | |||
| ed762196f0 |
71
CVE-2025-64076.patch
Normal file
71
CVE-2025-64076.patch
Normal file
@@ -0,0 +1,71 @@
|
||||
From 851473490281f82d82560b2368284ef33cf6e8f9 Mon Sep 17 00:00:00 2001
|
||||
From: lizhenghao <sculizhenghao@foxmail.com>
|
||||
Date: Wed, 22 Oct 2025 10:26:34 +0800
|
||||
Subject: [PATCH 1/3] Fix: Fixed a read(-1) vulnerability caused by boundary
|
||||
handling error in #264
|
||||
|
||||
---
|
||||
source/decoder.c | 8 +++++++-
|
||||
tests/test_decoder.py | 22 ++++++++++++++++++++++
|
||||
2 files changed, 29 insertions(+), 1 deletion(-)
|
||||
|
||||
Index: cbor2-5.6.5/source/decoder.c
|
||||
===================================================================
|
||||
--- cbor2-5.6.5.orig/source/decoder.c
|
||||
+++ cbor2-5.6.5/source/decoder.c
|
||||
@@ -758,7 +758,7 @@ decode_definite_long_string(CBORDecoderO
|
||||
char *buffer = NULL;
|
||||
while (left) {
|
||||
// Read up to 65536 bytes of data from the stream
|
||||
- Py_ssize_t chunk_length = 65536 - buffer_size;
|
||||
+ Py_ssize_t chunk_length = 65536 - buffer_length;
|
||||
if (left < chunk_length)
|
||||
chunk_length = left;
|
||||
|
||||
@@ -828,7 +828,13 @@ decode_definite_long_string(CBORDecoderO
|
||||
memcpy(buffer, bytes_buffer + consumed, unconsumed);
|
||||
}
|
||||
buffer_length = unconsumed;
|
||||
+ } else {
|
||||
+ // All bytes consumed, reset buffer_length
|
||||
+ buffer_length = 0;
|
||||
}
|
||||
+
|
||||
+ Py_DECREF(chunk);
|
||||
+ chunk = NULL;
|
||||
}
|
||||
|
||||
if (ret && string_namespace_add(self, ret, length) == -1)
|
||||
Index: cbor2-5.6.5/tests/test_decoder.py
|
||||
===================================================================
|
||||
--- cbor2-5.6.5.orig/tests/test_decoder.py
|
||||
+++ cbor2-5.6.5/tests/test_decoder.py
|
||||
@@ -260,6 +260,28 @@ def test_string_oversized(impl) -> None:
|
||||
(impl.loads(unhexlify("aeaeaeaeaeaeaeaeae0108c29843d90100d8249f0000aeaeffc26ca799")),)
|
||||
|
||||
|
||||
+def test_string_issue_264_multiple_chunks_utf8_boundary(impl) -> None:
|
||||
+ """Test for Issue #264: UTF-8 characters split across multiple 65536-byte chunk boundaries."""
|
||||
+ import struct
|
||||
+
|
||||
+ # Construct: 65535 'a' + '€' (3 bytes) + 65533 'b' + '€' (3 bytes) + 100 'd'
|
||||
+ # Total: 131174 bytes, which spans 3 chunks (65536 + 65536 + 102)
|
||||
+ total_bytes = 65535 + 3 + 65533 + 3 + 100
|
||||
+
|
||||
+ payload = b"\x7a" + struct.pack(">I", total_bytes) # major type 3, 4-byte length
|
||||
+ payload += b"a" * 65535
|
||||
+ payload += "€".encode() # U+20AC: E2 82 AC
|
||||
+ payload += b"b" * 65533
|
||||
+ payload += "€".encode()
|
||||
+ payload += b"d" * 100
|
||||
+
|
||||
+ expected = "a" * 65535 + "€" + "b" * 65533 + "€" + "d" * 100
|
||||
+
|
||||
+ result = impl.loads(payload)
|
||||
+ assert result == expected
|
||||
+ assert len(result) == 131170 # 65535 + 1 + 65533 + 1 + 100 characters
|
||||
+
|
||||
+
|
||||
@pytest.mark.parametrize(
|
||||
"payload, expected",
|
||||
[
|
||||
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1c533c50dde86bef1c6950602054a0ffa3c376e8b0e20c7b8f5b108793f6983e
|
||||
size 100865
|
||||
BIN
cbor2-5.6.5.tar.gz
LFS
Normal file
BIN
cbor2-5.6.5.tar.gz
LFS
Normal file
Binary file not shown.
@@ -1,3 +1,27 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 19 10:56:07 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
|
||||
|
||||
- Add CVE-2025-64076.patch from upstream. Fix: bug in
|
||||
decode_definite_long_string() that causes incorrect chunk length
|
||||
calculation
|
||||
(bsc#1253746, CVE-2025-64076, gh#agronholm/cbor2#265)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 12 08:01:01 UTC 2025 - Markéta Machová <mmachova@suse.com>
|
||||
|
||||
- Make the libalternatives transition conditional
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 25 11:44:28 UTC 2025 - Markéta Machová <mmachova@suse.com>
|
||||
|
||||
- Convert to libalternatives
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 22 13:48:00 UTC 2024 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- update to 5.6.5:
|
||||
* Published binary wheels for Python 3.13
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 6 10:36:17 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||
|
||||
@@ -10,7 +34,7 @@ Thu Jun 6 10:36:17 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.c
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 5 15:47:30 UTC 2024 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
|
||||
|
||||
- Update to 5.6.3
|
||||
- Update to 5.6.3 (bsc#1220096, CVE-2024-26134):
|
||||
* Fixed decoding of epoch-based dates being affected by the local
|
||||
time zone in the C extension
|
||||
- from version 5.6.2
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package python-cbor2
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -16,14 +16,21 @@
|
||||
#
|
||||
|
||||
|
||||
%if 0%{?suse_version} > 1500
|
||||
%bcond_without libalternatives
|
||||
%else
|
||||
%bcond_with libalternatives
|
||||
%endif
|
||||
%{?sle15_python_module_pythons}
|
||||
Name: python-cbor2
|
||||
Version: 5.6.4
|
||||
Version: 5.6.5
|
||||
Release: 0
|
||||
Summary: Pure Python CBOR (de)serializer with extensive tag support
|
||||
License: MIT
|
||||
URL: https://github.com/agronholm/cbor2
|
||||
Source: https://files.pythonhosted.org/packages/source/c/cbor2/cbor2-%{version}.tar.gz
|
||||
# PATCH-FIX-UPSTREAM CVE-2025-64076.patch bsc#1253746 gh#agronholm/cbor2#265
|
||||
Patch0: CVE-2025-64076.patch
|
||||
BuildRequires: %{python_module devel}
|
||||
BuildRequires: %{python_module hypothesis}
|
||||
BuildRequires: %{python_module pip}
|
||||
@@ -33,8 +40,13 @@ BuildRequires: %{python_module setuptools_scm >= 6.4}
|
||||
BuildRequires: %{python_module wheel}
|
||||
BuildRequires: fdupes
|
||||
BuildRequires: python-rpm-macros
|
||||
%if %{with libalternatives}
|
||||
BuildRequires: alts
|
||||
Requires: alts
|
||||
%else
|
||||
Requires(post): update-alternatives
|
||||
Requires(postun): update-alternatives
|
||||
%endif
|
||||
%python_subpackages
|
||||
|
||||
%description
|
||||
@@ -60,6 +72,9 @@ export LANG=en_US.UTF8
|
||||
export LANG=en_US.UTF8
|
||||
%pytest_arch
|
||||
|
||||
%pre
|
||||
%python_libalternatives_reset_alternative cbor2
|
||||
|
||||
%post
|
||||
%python_install_alternative cbor2
|
||||
|
||||
|
||||
Reference in New Issue
Block a user