This change is now merged in kirkstone and causes: ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected:
Applying patch CVE-2023-23934.patch patching file CHANGES.rst Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines). patching file src/werkzeug/_internal.py patching file src/werkzeug/http.py patching file tests/test_http.py The context lines in the patches can be updated with devtool: devtool modify python3-werkzeug devtool finish --force-patch-refresh python3-werkzeug <layer_path> Don't forget to review changes done by devtool! ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] Please send follow-up patch to fix patch-fuzz. On Wed, May 10, 2023 at 4:16 PM Narpat Mali via lists.openembedded.org <narpat.mali=windriver....@lists.openembedded.org> wrote: > From: Narpat Mali <narpat.m...@windriver.com> > > Werkzeug is a comprehensive WSGI web application library. Browsers may > allow > "nameless" cookies that look like `=value` instead of `key=value`. A > vulnerable > browser may allow a compromised application on an adjacent subdomain to > exploit > this to set a cookie like `=__Host-test=bad` for another subdomain. > Werkzeug > prior to 2.2.3 will parse the cookie `=__Host-test=bad` as > __Host-test=bad`. > If a Werkzeug application is running next to a vulnerable or malicious > subdomain > which sets such a cookie using a vulnerable browser, the Werkzeug > application > will see the bad cookie value but the valid cookie key. The issue is fixed > in > Werkzeug 2.2.3. > > Signed-off-by: Narpat Mali <narpat.m...@windriver.com> > --- > .../python3-werkzeug/CVE-2023-23934.patch | 116 ++++++++++++++++++ > .../python/python3-werkzeug_2.1.1.bb | 2 + > 2 files changed, 118 insertions(+) > create mode 100644 > meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > > diff --git > a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > new file mode 100644 > index 0000000000..0be97d2888 
> --- /dev/null > +++ > b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch 
> @@ -0,0 +1,116 @@ > +From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001 > +From: David Lord <david...@gmail.com> > +Date: Wed, 10 May 2023 11:33:18 +0000 > +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q > + > +don't strip leading `=` when parsing cookie > + > +"src/werkzeug/sansio/http.py" file is not available in the current recipe > +version 2.1.1 and this has been introduced from 2.2.0 version. Before > 2.2.0 > +version, this http.py file was only available in the > "src/werkzeug/http.py" > +and we could see the same functions available there which are getting > modified > +in the CVE fix commit. Hence, modifying the same at > "src/werkzeug/http.py" file. > + > +CVE: CVE-2023-23934 > + > +Upstream-Status: Backport [ > https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028 > ] > + > +Signed-off-by: Narpat Mali <narpat.m...@windriver.com> > +--- > + CHANGES.rst | 4 ++++ > + src/werkzeug/_internal.py | 13 +++++++++---- > + src/werkzeug/http.py | 4 ---- > + tests/test_http.py | 4 +++- > + 4 files changed, 16 insertions(+), 9 deletions(-) > + > +diff --git a/CHANGES.rst b/CHANGES.rst > +index a351d7c..23505d3 100644 > +--- a/CHANGES.rst > ++++ b/CHANGES.rst > +@@ -1,5 +1,9 @@ > + .. currentmodule:: werkzeug > + > ++- A cookie header that starts with ``=`` is treated as an empty key > and discarded, > ++ rather than stripping the leading ``==``. 
> ++ > ++ > + Version 2.1.1 > + ------------- > + > +diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py > +index a8b3523..d6290ba 100644 > +--- a/src/werkzeug/_internal.py > ++++ b/src/werkzeug/_internal.py > +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].") > + _legal_cookie_chars_re = > rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" > + _cookie_re = re.compile( > + rb""" > +- (?P<key>[^=;]+) > ++ (?P<key>[^=;]*) > + (?:\s*=\s* > + (?P<val> > + "(?:[^\\"]|\\.)*" | > +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> > t.Iterator[t.Tuple[bytes, bytes]]: > + """Lowlevel cookie parsing facility that operates on bytes.""" > + i = 0 > + n = len(b) > ++ b += b";" > + > + while i < n: > +- match = _cookie_re.search(b + b";", i) > ++ match = _cookie_re.match(b, i) > ++ > + if not match: > + break > + > +- key = match.group("key").strip() > +- value = match.group("val") or b"" > + i = match.end(0) > ++ key = match.group("key").strip() > ++ > ++ if not key: > ++ continue > + > ++ value = match.group("val") or b"" > + yield key, _cookie_unquote(value) > + > + > +diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py > +index 9369900..ae133e3 100644 > +--- a/src/werkzeug/http.py > ++++ b/src/werkzeug/http.py > +@@ -1205,10 +1205,6 @@ def parse_cookie( > + def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]: > + for key, val in _cookie_parse_impl(header): # type: ignore > + key_str = _to_str(key, charset, errors, > allow_none_charset=True) > +- > +- if not key_str: > +- continue > +- > + val_str = _to_str(val, charset, errors, > allow_none_charset=True) > + yield key_str, val_str > + > +diff --git a/tests/test_http.py b/tests/test_http.py > +index 5936bfa..59cc179 100644 > +--- a/tests/test_http.py > ++++ b/tests/test_http.py > +@@ -427,7 +427,8 @@ class TestHTTPUtility: > + def test_parse_cookie(self): > + cookies = http.parse_cookie( > + "dismiss-top=6; CP=null*; > PHPSESSID=0a539d42abc001cdc762809248d4beed;" > +- 'a=42; b="\\";"; ; 
fo234{=bar;blub=Blah; "__Secure-c"=d' > ++ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;' > ++ "==__Host-eq=bad;__Host-eq=good;" > + ) > + assert cookies.to_dict() == { > + "CP": "null*", > +@@ -438,6 +439,7 @@ class TestHTTPUtility: > + "fo234{": "bar", > + "blub": "Blah", > + '"__Secure-c"': "d", > ++ "__Host-eq": "good", > + } > + > + def test_dump_cookie(self): > +-- > +2.40.0 > diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > index 476a3a5964..ca8705146e 100644 > --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM = > "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" > > PYPI_PACKAGE = "Werkzeug" > > +SRC_URI += "file://CVE-2023-23934.patch" > + > SRC_URI[sha256sum] = > "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74" > > inherit pypi setuptools3 > -- > 2.40.0 > > > > >
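Review bot: The docstring of `_cookie_parse_impl` in the `src/werkzeug/_internal.py` hunk still reads `Lowlevel cookie parsing facility that operates on bytes.` and does not state the rule the hunk introduces with `if not key: continue`: a pair whose key is empty after `.strip()` — including the `=value` form the cover letter describes — is discarded instead of yielded. Because the `if not key_str: continue` guard in `parse_cookie` is removed by the `src/werkzeug/http.py` hunk, this function is now the only place that rule lives, so the docstring should carry it; suggested text: `"""Lowlevel cookie parsing facility that operates on bytes. Pairs whose key is empty after stripping (for example a leading ``=value``) are skipped."""`. The `tests/test_http.py` hunk exercises the case (`==__Host-eq=bad;__Host-eq=good;` must yield `"__Host-eq": "good"`), but the visible `.bb` hunk only adds the patch to `SRC_URI`, so whether the recipe runs that test at build time cannot be seen here.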