This change is now merged in kirkstone and causes:

ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected:

Applying patch CVE-2023-23934.patch
patching file CHANGES.rst
Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines).
patching file src/werkzeug/_internal.py
patching file src/werkzeug/http.py
patching file tests/test_http.py


The context lines in the patches can be updated with devtool:

    devtool modify python3-werkzeug
    devtool finish --force-patch-refresh python3-werkzeug <layer_path>

Don't forget to review changes done by devtool!

ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log
indicates that patches do not apply cleanly. [patch-fuzz]


Please send a follow-up patch to fix patch-fuzz.


On Wed, May 10, 2023 at 4:16 PM Narpat Mali via lists.openembedded.org
<narpat.mali=windriver....@lists.openembedded.org> wrote:

> From: Narpat Mali <narpat.m...@windriver.com>
>
> Werkzeug is a comprehensive WSGI web application library. Browsers may
> allow "nameless" cookies that look like `=value` instead of `key=value`.
> A vulnerable browser may allow a compromised application on an adjacent
> subdomain to exploit this to set a cookie like `=__Host-test=bad` for
> another subdomain. Werkzeug prior to 2.2.3 will parse the cookie
> `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is
> running next to a vulnerable or malicious subdomain which sets such a
> cookie using a vulnerable browser, the Werkzeug application will see the
> bad cookie value but the valid cookie key. The issue is fixed in
> Werkzeug 2.2.3.
>
> Signed-off-by: Narpat Mali <narpat.m...@windriver.com>
> ---
>  .../python3-werkzeug/CVE-2023-23934.patch     | 116 ++++++++++++++++++
>  .../python/python3-werkzeug_2.1.1.bb          |   2 +
>  2 files changed, 118 insertions(+)
>  create mode 100644
> meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
>
> diff --git
> a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
> b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
> new file mode 100644
> index 0000000000..0be97d2888
> --- /dev/null
> +++
> b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
> @@ -0,0 +1,116 @@
> +From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
> +From: David Lord <david...@gmail.com>
> +Date: Wed, 10 May 2023 11:33:18 +0000
> +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
> +
> +don't strip leading `=` when parsing cookie
> +
> +"src/werkzeug/sansio/http.py" file is not available in the current recipe
> +version 2.1.1 and this has been introduced from 2.2.0 version. Before
> 2.2.0
> +version, this http.py file was only available in the
> "src/werkzeug/http.py"
> +and we could see the same functions available there which are getting
> modified
> +in the CVE fix commit. Hence, modifying the same at
> "src/werkzeug/http.py" file.
> +
> +CVE: CVE-2023-23934
> +
> +Upstream-Status: Backport [
> https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
> ]
> +
> +Signed-off-by: Narpat Mali <narpat.m...@windriver.com>
> +---
> + CHANGES.rst               |  4 ++++
> + src/werkzeug/_internal.py | 13 +++++++++----
> + src/werkzeug/http.py      |  4 ----
> + tests/test_http.py        |  4 +++-
> + 4 files changed, 16 insertions(+), 9 deletions(-)
> +
> +diff --git a/CHANGES.rst b/CHANGES.rst
> +index a351d7c..23505d3 100644
> +--- a/CHANGES.rst
> ++++ b/CHANGES.rst
> +@@ -1,5 +1,9 @@
> + .. currentmodule:: werkzeug
> +
> ++-   A cookie header that starts with ``=`` is treated as an empty key
> and discarded,
> ++    rather than stripping the leading ``==``.
> ++
> ++
> + Version 2.1.1
> + -------------
> +
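Review bot: this CHANGES.rst hunk is the one the kirkstone build log above reports as "succeeded at 6 with fuzz 2 (offset 5 lines)": its context (`.. currentmodule:: werkzeug` immediately followed by `Version 2.1.1`) comes from a git checkout (`index a351d7c..23505d3`), not from the 2.1.1 sdist that `inherit pypi` fetches, where the changelog head sits five lines lower. Either refresh the context with `devtool finish --force-patch-refresh` as the log suggests, or drop the CHANGES.rst part of the backport entirely, since it only documents the change and has no effect on the built module; note also that the new entry is placed above the `Version 2.1.1` heading without a heading of its own.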
> +diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
> +index a8b3523..d6290ba 100644
> +--- a/src/werkzeug/_internal.py
> ++++ b/src/werkzeug/_internal.py
> +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
> + _legal_cookie_chars_re =
> rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
> + _cookie_re = re.compile(
> +     rb"""
> +-    (?P<key>[^=;]+)
> ++    (?P<key>[^=;]*)
> +     (?:\s*=\s*
> +         (?P<val>
> +             "(?:[^\\"]|\\.)*" |
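Review bot: changing `[^=;]+` to `[^=;]*` is what lets the `match()` call introduced in the next hunk succeed at a position whose first byte is `=`. With the old `+` quantifier the key group could not match an empty string, so `search()` simply moved past the leading `=` and reported `__Host-test=bad` as the key, which is exactly the behaviour the CVE describes; the two hunks only work together, so neither should be dropped when the patch is refreshed.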
> +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) ->
> t.Iterator[t.Tuple[bytes, bytes]]:
> +     """Lowlevel cookie parsing facility that operates on bytes."""
> +     i = 0
> +     n = len(b)
> ++    b += b";"
> +
> +     while i < n:
> +-        match = _cookie_re.search(b + b";", i)
> ++        match = _cookie_re.match(b, i)
> ++
> +         if not match:
> +             break
> +
> +-        key = match.group("key").strip()
> +-        value = match.group("val") or b""
> +         i = match.end(0)
> ++        key = match.group("key").strip()
> ++
> ++        if not key:
> ++            continue
> +
> ++        value = match.group("val") or b""
> +         yield key, _cookie_unquote(value)
> +
> +
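Review bot: the statement order in this hunk is load-bearing. `i = match.end(0)` is moved above the new `if not key: continue`, so an empty key still advances past the consumed `=value;` fragment; with the check placed before the advance, `match()` would return the same empty-key match on every iteration and the loop would never terminate. Likewise `n = len(b)` is taken before `b += b";"`, so the appended separator is never parsed as input of its own. Both match the upstream commit and should be preserved verbatim in any follow-up that refreshes the patch.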
> +diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
> +index 9369900..ae133e3 100644
> +--- a/src/werkzeug/http.py
> ++++ b/src/werkzeug/http.py
> +@@ -1205,10 +1205,6 @@ def parse_cookie(
> +     def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
> +         for key, val in _cookie_parse_impl(header):  # type: ignore
> +             key_str = _to_str(key, charset, errors,
> allow_none_charset=True)
> +-
> +-            if not key_str:
> +-                continue
> +-
> +             val_str = _to_str(val, charset, errors,
> allow_none_charset=True)
> +             yield key_str, val_str
> +
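Review bot: dropping `if not key_str: continue` here is consistent with the previous hunk, which now discards empty keys at the byte level inside `_cookie_parse_impl` before `parse_cookie` ever sees them, so a nameless cookie no longer reaches the `_to_str` decoding step. As the commit message notes, `src/werkzeug/http.py` is the only place 2.1.1 hosts this function, so applying upstream's `sansio/http.py` change here is the right location for the backport.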
> +diff --git a/tests/test_http.py b/tests/test_http.py
> +index 5936bfa..59cc179 100644
> +--- a/tests/test_http.py
> ++++ b/tests/test_http.py
> +@@ -427,7 +427,8 @@ class TestHTTPUtility:
> +     def test_parse_cookie(self):
> +         cookies = http.parse_cookie(
> +             "dismiss-top=6; CP=null*;
> PHPSESSID=0a539d42abc001cdc762809248d4beed;"
> +-            'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
> ++            'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
> ++            "==__Host-eq=bad;__Host-eq=good;"
> +         )
> +         assert cookies.to_dict() == {
> +             "CP": "null*",
> +@@ -438,6 +439,7 @@ class TestHTTPUtility:
> +             "fo234{": "bar",
> +             "blub": "Blah",
> +             '"__Secure-c"': "d",
> ++            "__Host-eq": "good",
> +         }
> +
> +     def test_dump_cookie(self):
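Review bot: the new input `==__Host-eq=bad;__Host-eq=good;` together with the expected `"__Host-eq": "good"` is the right regression check. `to_dict()` on the returned MultiDict keeps the first value seen for a key, so before this fix the test would have produced `"bad"` (the parser skipped the leading `==` and took `__Host-eq=bad` as the first pair); after it, the nameless pair is discarded and only `good` remains. Consider keeping this assertion even if the CHANGES.rst hunk is dropped in the follow-up.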
> +--
> +2.40.0
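Review bot: the `From b070a40...` hash on the first line of the patch file is the id of the locally adapted commit, not the upstream one; the `Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028]` and `CVE: CVE-2023-23934` lines are what reviewers and cve-check rely on, so keep them intact (and the `Upstream-Status` line on a single line in the file, unlike the wrapped form shown in this mail) when refreshing the patch.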
> diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
> b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
> index 476a3a5964..ca8705146e 100644
> --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
> +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
> @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM =
> "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
>
>  PYPI_PACKAGE = "Werkzeug"
>
> +SRC_URI += "file://CVE-2023-23934.patch"
> +
>  SRC_URI[sha256sum] =
> "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74"
>
>  inherit pypi setuptools3
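Review bot: the recipe change itself is fine (`SRC_URI += "file://CVE-2023-23934.patch"` picks the file up from the `python3-werkzeug/` directory this series creates), but as the build log at the top shows, kirkstone now fails `do_patch` with `[patch-fuzz]` because of the CHANGES.rst hunk inside that patch file. A follow-up that refreshes the patch context (`devtool modify python3-werkzeug`, then `devtool finish --force-patch-refresh python3-werkzeug <layer_path>`) is needed before this recipe builds cleanly.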
> --
> 2.40.0
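The bug and fix described in the quoted commit message, as an added example that is not part of this thread or of werkzeug's own code: a simplified reimplementation of the pre-fix (`search()` with a non-empty key) and post-fix (`match()` with an empty-key skip) parsing loops from the `_internal.py` hunk, run over a constructed header that mirrors the added test case. The regex tail after the value alternatives and the `first_value` helper standing in for `MultiDict.to_dict()` are my assumptions.

```python
import re
from typing import Iterator, Optional, Tuple


def _cookie_pair_re(key_pattern: bytes):
    # Grammar modelled on the regex in the hunk: key, optional "=value" (quoted
    # string or lazy run of bytes), then ';'. The tail is my assumption, not a copy.
    return re.compile(
        rb"(?P<key>" + key_pattern + rb")"
        + rb'(?:\s*=\s*(?P<val>"(?:[^\\"]|\\.)*"|(?:.*?)))?\s*;'
    )


_OLD_RE = _cookie_pair_re(rb"[^=;]+")  # 2.1.1: key must be non-empty
_NEW_RE = _cookie_pair_re(rb"[^=;]*")  # post-fix: key may be empty


def parse_old(b: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Pre-fix loop: search() may skip forward past a leading '='."""
    i, n = 0, len(b)
    while i < n:
        m = _OLD_RE.search(b + b";", i)
        if not m:
            break
        key = m.group("key").strip()
        val = m.group("val") or b""
        i = m.end(0)
        if key:  # 2.1.1 filtered empty keys in parse_cookie(), not here
            yield key, val


def parse_new(b: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Post-fix loop: match() is anchored at i; an empty key is consumed and dropped."""
    i, n = 0, len(b)  # n is taken before the separator is appended
    b += b";"
    while i < n:
        m = _NEW_RE.match(b, i)
        if not m:
            break
        i = m.end(0)  # advance first, or an empty key would loop forever
        key = m.group("key").strip()
        if not key:
            continue
        yield key, m.group("val") or b""


def first_value(pairs: Iterator[Tuple[bytes, bytes]], name: bytes) -> Optional[bytes]:
    # Mimics MultiDict.to_dict(): the first occurrence of a key wins.
    for key, val in pairs:
        if key == name:
            return val
    return None


# Constructed header mirroring the regression test: a nameless cookie smuggling
# "__Host-eq=bad" as its value, followed by the legitimate cookie.
HEADER = b"=__Host-eq=bad; __Host-eq=good"
```

`first_value(parse_old(HEADER), b"__Host-eq")` yields `b"bad"` while `parse_new` yields `b"good"`, reproducing the CVE and its fix on one input.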
View/Reply Online (#103558): 
https://lists.openembedded.org/g/openembedded-devel/message/103558