On 29-06-2023 07:10, Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) wrote:
CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know the content is safe.

Dear Narpat,

Once your python3-werkzeug package is built successfully using bitbake, you can check the <build>/tmp/work/*/python3-werkzeug/<version>/temp/log.do_patch file.

It will provide the logs specific to the do_patch task, where you can confirm this hunk information.

Thank you Sanjay, it helped me to confirm the hunk information.

@Martin,

Thanks for identifying the patch-fuzz.

I have sent the patch to fix the patch-fuzz: https://lore.kernel.org/openembedded-devel/20230629163608.3786099-1-narpat.m...@windriver.com/

Best Regards,

Narpat

Thanks,

Sanjay

From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> On Behalf Of Narpat Mali via lists.openembedded.org <http://lists.openembedded.org>
Sent: Wednesday, June 28, 2023 11:49 AM
To: Martin Jansa <martin.ja...@gmail.com>
Cc: openembedded-devel@lists.openembedded.org; hari.gpil...@windriver.com
Subject: Re: [oe] [meta-oe][kirkstone][PATCH 1/1] python3-werkzeug: fix for CVE-2023-23934

On 24-06-2023 19:41, Martin Jansa wrote:


    This change is now merged in kirkstone and causes:

    ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected:

    Applying patch CVE-2023-23934.patch

    patching file CHANGES.rst

    Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines).

    patching file src/werkzeug/_internal.py

    patching file src/werkzeug/http.py

    patching file tests/test_http.py

    The context lines in the patches can be updated with devtool:

         devtool modify python3-werkzeug

         devtool finish --force-patch-refresh python3-werkzeug <layer_path>

    Don't forget to review changes done by devtool!

    ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]

    Please send follow-up patch to fix patch-fuzz.

Hi Martin,

Thanks for checking.

I have double-checked by building python3-werkzeug with poky, but I have not observed any patch-fuzz.

Have followed the below steps:

1. Cloned the latest poky & meta-oe layer and switched to kirkstone branch for both of them.

2. Added latest meta-oe layer to poky build directory and built the python3-werkzeug successfully without any issue.

Below are the logs:

meta-oe:

$fd werkzeug
meta-python/recipes-devtools/python/python3-werkzeug
meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
$ls meta-python/recipes-devtools/python/python3-werkzeug
CVE-2023-23934.patch  CVE-2023-25577.patch
$vi meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
$git branch
  dunfell
* kirkstone
  master
  mickledore
$

Poky Build logs:

$bitbake python3-werkzeug
Loading cache: 100% |##########################################################################################| Time: 0:00:05
Loaded 4328 entries from dependency cache.
NOTE: Resolving any missing task queue dependencies

Build Configuration:
BB_VERSION           = "2.0.0"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "universal"
TARGET_SYS           = "x86_64-poky-linux"
MACHINE              = "qemux86-64"
DISTRO               = "poky"
DISTRO_VERSION       = "4.0.11"
TUNE_FEATURES        = "m64 core2"
TARGET_FPU           = ""
meta
meta-poky
meta-yocto-bsp       = "kirkstone:fc697fe87412b9b179ae3a68d266ace85bb1fcc6"
meta-filesystems
meta-gnome
meta-initramfs
meta-multimedia
meta-networking
meta-oe
meta-perl
meta-python
meta-webserver
meta-xfce            = "kirkstone:a82d92c8a6525da01524bf8f4a60bf6b35dcbb3d"

Initialising tasks: 100% |#####################################################################################| Time: 0:00:02
Sstate summary: Wanted 0 Local 0 Mirrors 0 Missed 0 Current 279 (0% match, 100% complete)
NOTE: Executing Tasks
NOTE: Tasks Summary: Attempted 1056 tasks of which 1056 didn't need to be rerun and all succeeded.
$ls tmp/work/core2-64-poky-linux/python3-werkzeug/2.1.1-r0/
CVE-2023-23934.patch  CVE-2023-25577.patch  deploy-rpms  deploy-source-date-epoch  dist  image  license-destdir  package  packages-split  pkgdata  pkgdata-pdata-input  pkgdata-sysroot  pseudo  python3-werkzeug.spec  recipe-sysroot  recipe-sysroot-native  source-date-epoch  sysroot-destdir  temp  Werkzeug-2.1.1
nmali@blr-linux-engg1$

Best Regards,

Narpat

    On Wed, May 10, 2023 at 4:16 PM Narpat Mali via lists.openembedded.org <narpat.mali=windriver....@lists.openembedded.org> wrote:

        From: Narpat Mali <narpat.m...@windriver.com>

        Werkzeug is a comprehensive WSGI web application library. Browsers may allow
        "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
        browser may allow a compromised application on an adjacent subdomain to exploit
        this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
        prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`.
        If a Werkzeug application is running next to a vulnerable or malicious subdomain
        which sets such a cookie using a vulnerable browser, the Werkzeug application
        will see the bad cookie value but the valid cookie key. The issue is fixed in
        Werkzeug 2.2.3.

        Signed-off-by: Narpat Mali <narpat.m...@windriver.com>
        ---
         .../python3-werkzeug/CVE-2023-23934.patch     | 116 ++++++++++++++++++
         .../python/python3-werkzeug_2.1.1.bb          |   2 +
         2 files changed, 118 insertions(+)
         create mode 100644 meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch

        diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
        new file mode 100644
        index 0000000000..0be97d2888
        --- /dev/null
        +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
        @@ -0,0 +1,116 @@
        +From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
        +From: David Lord <david...@gmail.com>
        +Date: Wed, 10 May 2023 11:33:18 +0000
        +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
        +
        +don't strip leading `=` when parsing cookie
        +
        +"src/werkzeug/sansio/http.py" file is not available in the current recipe
        +version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0
        +version, this http.py file was only available in the "src/werkzeug/http.py"
        +and we could see the same functions available there which are getting modified
        +in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file.
        +
        +CVE: CVE-2023-23934
        +
        +Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028]
        +
        +Signed-off-by: Narpat Mali <narpat.m...@windriver.com>
        +---
        + CHANGES.rst               |  4 ++++
        + src/werkzeug/_internal.py | 13 +++++++++----
        + src/werkzeug/http.py      |  4 ----
        + tests/test_http.py        |  4 +++-
        + 4 files changed, 16 insertions(+), 9 deletions(-)
        +
        +diff --git a/CHANGES.rst b/CHANGES.rst
        +index a351d7c..23505d3 100644
        +--- a/CHANGES.rst
        ++++ b/CHANGES.rst
        +@@ -1,5 +1,9 @@
        + .. currentmodule:: werkzeug
        +
        ++-   A cookie header that starts with ``=`` is treated as an
        empty key and discarded,
        ++    rather than stripping the leading ``==``.
        ++
        ++
        + Version 2.1.1
        + -------------
        +
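Review bot: this is the hunk that trips the kirkstone patch-fuzz QA check (Martin's log shows `Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines)` for CHANGES.rst), because its two context lines, `.. currentmodule:: werkzeug` and the blank line after it, do not match what the 2.1.1 sdist has at the top of CHANGES.rst; refresh the context against the real source with `devtool modify python3-werkzeug` followed by `devtool finish --force-patch-refresh python3-werkzeug <layer_path>` and review the result. Note that a build whose task summary says every task did not need to be rerun has not executed do_patch at all, so it cannot show the fuzz; invalidate the unpack stamp with `bitbake -C unpack python3-werkzeug` before reading `temp/log.do_patch`. Separately, the new entry sits directly above the `Version 2.1.1` heading with no heading of its own, so it reads as belonging to no release; put it under a short `Unreleased` heading or under `Version 2.1.1` marked as a backport.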
        +diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
        +index a8b3523..d6290ba 100644
        +--- a/src/werkzeug/_internal.py
        ++++ b/src/werkzeug/_internal.py
        +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
        + _legal_cookie_chars_re =
        rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
        + _cookie_re = re.compile(
        +     rb"""
        +-    (?P<key>[^=;]+)
        ++    (?P<key>[^=;]*)
        +     (?:\s*=\s*
        +         (?P<val>
        +             "(?:[^\\"]|\\.)*" |
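Review bot: changing the key quantifier from `[^=;]+` to `[^=;]*` lets a match carry an empty key, so this hunk is only correct together with the `if not key: continue` added to `_cookie_parse_impl` in the next hunk; a short comment at the regex saying that empty keys are expected and must be dropped by the caller would keep a future cleanup from restoring the old `+`. Please also confirm that the pattern's tail (not shown in this context) still requires the `;` separator: with a possibly empty key, a zero-length match would leave `i` unchanged in the loop below and never terminate.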
        +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) ->
        t.Iterator[t.Tuple[bytes, bytes]]:
        +     """Lowlevel cookie parsing facility that operates on
        bytes."""
        +     i = 0
        +     n = len(b)
        ++    b += b";"
        +
        +     while i < n:
        +-        match = _cookie_re.search(b + b";", i)
        ++        match = _cookie_re.match(b, i)
        ++
        +         if not match:
        +             break
        +
        +-        key = match.group("key").strip()
        +-        value = match.group("val") or b""
        +         i = match.end(0)
        ++        key = match.group("key").strip()
        ++
        ++        if not key:
        ++            continue
        +
        ++        value = match.group("val") or b""
        +         yield key, _cookie_unquote(value)
        +
        +
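Review bot: the switch from `_cookie_re.search(b + b";", i)` to `_cookie_re.match(b, i)` is the actual fix for CVE-2023-23934 and deserves a sentence in the patch header, which currently only explains the file path difference: `search` skipped past the leading `=` of `=__Host-test=bad` and found a key at `__Host-test`, whereas `match` anchors at `i`, yields an empty key, and that pair is now discarded. Two subtleties are worth a comment in the code: `n = len(b)` is taken before `b += b";"`, so the loop bound is the original length while matching runs on the extended buffer (fine as long as the final match consumes the appended `;` and pushes `i` past `n`), and `i = match.end(0)` is deliberately moved above `if not key: continue`, since a `continue` before advancing `i` would loop on the same position.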
        +diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
        +index 9369900..ae133e3 100644
        +--- a/src/werkzeug/http.py
        ++++ b/src/werkzeug/http.py
        +@@ -1205,10 +1205,6 @@ def parse_cookie(
        +     def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
        +         for key, val in _cookie_parse_impl(header):  # type:
        ignore
        +             key_str = _to_str(key, charset, errors,
        allow_none_charset=True)
        +-
        +-            if not key_str:
        +-                continue
        +-
        +             val_str = _to_str(val, charset, errors,
        allow_none_charset=True)
        +             yield key_str, val_str
        +
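Review bot: dropping the `if not key_str: continue` in `parse_cookie` relies entirely on `_cookie_parse_impl` now filtering empty keys; in 2.1.1 any other caller of `_cookie_parse_impl` inherits that change, so a grep of the 2.1.1 tree for other consumers is worth doing before merging. Leaving this check in place would also be harmless defence in depth for the case where `_to_str` with a lenient `errors` mode decodes a non-empty byte key to an empty string.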
        +diff --git a/tests/test_http.py b/tests/test_http.py
        +index 5936bfa..59cc179 100644
        +--- a/tests/test_http.py
        ++++ b/tests/test_http.py
        +@@ -427,7 +427,8 @@ class TestHTTPUtility:
        +     def test_parse_cookie(self):
        +         cookies = http.parse_cookie(
        +             "dismiss-top=6; CP=null*;
        PHPSESSID=0a539d42abc001cdc762809248d4beed;"
        +-            'a=42; b="\\";"; ; fo234{=bar;blub=Blah;
        "__Secure-c"=d'
        ++            'a=42; b="\\";"; ; fo234{=bar;blub=Blah;
        "__Secure-c"=d;'
        ++            "==__Host-eq=bad;__Host-eq=good;"
        +         )
        +         assert cookies.to_dict() == {
        +             "CP": "null*",
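Review bot: the new input only exercises the double-prefix form `==__Host-eq=bad`, while the commit message describes the single-`=` form `=__Host-test=bad`; add a `=__Host-eq=bad;` segment (or a second case) so the test covers exactly the shape from the advisory. The `; ;` empty segment already in the string is what checks that a segment with no key and no `=` is still skipped after the regex change, so keep it.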
        +@@ -438,6 +439,7 @@ class TestHTTPUtility:
        +             "fo234{": "bar",
        +             "blub": "Blah",
        +             '"__Secure-c"': "d",
        ++            "__Host-eq": "good",
        +         }
        +
        +     def test_dump_cookie(self):
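Review bot: the expected `"__Host-eq": "good"` only fails on unpatched code if `to_dict()` returns the first value seen for a key (the old parser yields `__Host-eq=bad` before `__Host-eq=good`); a one-line comment stating that the assertion depends on first-value-wins would help the next person who backports this to another version.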
        +--
        +2.40.0
        diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
        index 476a3a5964..ca8705146e 100644
        --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
        +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
        @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM =
        "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"

         PYPI_PACKAGE = "Werkzeug"

        +SRC_URI += "file://CVE-2023-23934.patch"
        +
         SRC_URI[sha256sum] =
        "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74"

         inherit pypi setuptools3
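Review bot: the patch file name `CVE-2023-23934.patch` and the `CVE: CVE-2023-23934` tag in its header are what let cve-check mark this CVE as patched while `PV` stays at 2.1.1, so keep both if the file is renamed during the fuzz refresh. Since the tree now also carries `CVE-2023-25577.patch` next to this recipe (see the `ls` output earlier in the thread), confirm the final `SRC_URI` lists both and that they apply in that order without fuzz.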
-- 2.40.0
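The cookie-parsing change in the patch above, shown side by side as an added example that is neither werkzeug's code nor part of the thread: the two regexes are modelled on the `_cookie_re` hunk (key quantifier `+` before the fix, `*` after), with the value alternatives and the terminating `\s*;` reproduced from werkzeug 2.1.1 as this example's assumption, and the two loops follow the `_cookie_parse_impl` hunk before and after the fix. `_first_wins` stands in for the first-value-per-key behaviour of MultiDict `to_dict()`, which is why the upstream test expects `good` rather than `bad`; value unquoting is left out.

```python
import re
from typing import Dict, Iterable, Iterator, Tuple

# Value alternatives and the terminating separator, reproduced from werkzeug
# 2.1.1's `_cookie_re` as this example's assumption (the hunk only shows the
# first value alternative). Every match must end on a `;`, so the loops below
# always advance.
_VALUE_AND_SEP = rb"""
    (?:\s*=\s*
        (?P<val>
            "(?:[^\\"]|\\.)*" |
             (?:.*?)
        )
    )?
    \s*;
"""
# Before the fix the key needed at least one character; after it, it may be empty.
_COOKIE_RE_BEFORE = re.compile(rb"(?P<key>[^=;]+)" + _VALUE_AND_SEP, flags=re.VERBOSE)
_COOKIE_RE_AFTER = re.compile(rb"(?P<key>[^=;]*)" + _VALUE_AND_SEP, flags=re.VERBOSE)


def _pairs_before(b: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Vulnerable loop (werkzeug < 2.2.3): `search` skips over any prefix the
    key group cannot match, so `=__Host-test=bad` is found at `__Host-test=bad`."""
    i = 0
    n = len(b)
    while i < n:
        match = _COOKIE_RE_BEFORE.search(b + b";", i)
        if not match:
            break
        key = match.group("key").strip()
        value = match.group("val") or b""
        i = match.end(0)
        yield key, value


def _pairs_after(b: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Fixed loop: `match` is anchored at `i`, a leading `=` produces an empty
    key, and empty keys are discarded instead of being skipped past."""
    i = 0
    n = len(b)               # original length; the appended `;` is only a terminator
    b += b";"
    while i < n:
        match = _COOKIE_RE_AFTER.match(b, i)
        if not match:
            break
        i = match.end(0)     # advance before `continue`, or the loop would not move
        key = match.group("key").strip()
        if not key:
            continue
        value = match.group("val") or b""
        yield key, value


def _first_wins(pairs: Iterable[Tuple[bytes, bytes]]) -> Dict[str, str]:
    """Keep the first value per key, as MultiDict.to_dict() does; empty keys are
    dropped here, which is what werkzeug 2.1.1's parse_cookie did before the fix."""
    out: Dict[str, str] = {}
    for key, value in pairs:
        if not key:
            continue
        out.setdefault(key.decode("utf-8", "replace"), value.decode("utf-8", "replace"))
    return out


def parse_cookie_before(header: bytes) -> Dict[str, str]:
    return _first_wins(_pairs_before(header))


def parse_cookie_after(header: bytes) -> Dict[str, str]:
    return _first_wins(_pairs_after(header))


if __name__ == "__main__":
    # Constructed Cookie header: a sibling subdomain planted the nameless cookie
    # ahead of the application's own __Host- cookie.
    hostile = b"=__Host-test=bad; __Host-test=good"
    print("before:", parse_cookie_before(hostile))   # {'__Host-test': 'bad'}
    print("after: ", parse_cookie_after(hostile))    # {'__Host-test': 'good'}
```

The `; ;` input in the upstream test is covered by the same loops: a segment with neither key nor `=` matches with an empty key and is dropped in both versions, which is why only the leading-`=` case changes behaviour.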


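To check a whole build tree for the condition Martin hit, here is an added example (mine, not part of the thread and not OpenEmbedded's own QA code) that scans `log.do_patch` text for hunks applied with fuzz or failed outright; the sample log is constructed from the lines quoted above, with a second, made-up patch and file added to show that an offset-only apply is not reported.

```python
import re
import sys
from typing import Dict, List, Optional

# Line formats are GNU patch's own messages as they appear in a do_patch log;
# the regexes search rather than anchor so a "NOTE:"/"ERROR:" prefix from
# bitbake does not matter.
_APPLYING = re.compile(r"Applying patch (?P<patch>\S+)")
_FILE = re.compile(r"patching file (?P<file>\S+)")
_HUNK = re.compile(
    r"Hunk #(?P<hunk>\d+) (?P<status>succeeded|FAILED) at (?P<line>\d+)"
    r"(?: with fuzz (?P<fuzz>\d+))?"
    r"(?: \(offset (?P<offset>-?\d+) lines?\))?\."
)


def scan_patch_log(text: str) -> List[Dict[str, object]]:
    """Return one record per hunk that applied with fuzz or failed.
    Hunks that applied cleanly, even at an offset, are not reported, which
    matches what the patch-fuzz QA check objects to."""
    findings: List[Dict[str, object]] = []
    patch: Optional[str] = None
    file: Optional[str] = None
    for line in text.splitlines():
        if m := _APPLYING.search(line):
            patch, file = m.group("patch"), None
            continue
        if m := _FILE.search(line):
            file = m.group("file")
            continue
        m = _HUNK.search(line)
        if not m:
            continue
        fuzz = int(m.group("fuzz") or 0)
        failed = m.group("status") == "FAILED"
        if fuzz == 0 and not failed:
            continue
        findings.append({
            "patch": patch,
            "file": file,
            "hunk": int(m.group("hunk")),
            "line": int(m.group("line")),
            "fuzz": fuzz,
            "offset": int(m.group("offset") or 0),
            "failed": failed,
        })
    return findings


# Constructed sample: the first patch reproduces the lines from Martin's
# kirkstone log; the second patch and its file are made up to show a clean
# apply at an offset, which is not a fuzz finding.
SAMPLE_LOG = """\
Applying patch CVE-2023-23934.patch
patching file CHANGES.rst
Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines).
patching file src/werkzeug/_internal.py
patching file src/werkzeug/http.py
patching file tests/test_http.py
Applying patch example-offset-only.patch
patching file src/example.py
Hunk #1 succeeded at 40 (offset 3 lines).
"""

if __name__ == "__main__":
    # Usage: python scan_patch_log.py tmp/work/*/*/*/temp/log.do_patch
    paths = sys.argv[1:]
    logs = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    for path, text in logs or [("<sample>", SAMPLE_LOG)]:
        for f in scan_patch_log(text):
            state = "FAILED" if f["failed"] else f"fuzz {f['fuzz']}"
            print(f"{path}: {f['patch']} {f['file']} hunk #{f['hunk']} at line {f['line']} {state} (offset {f['offset']})")
```

Run it over the `temp/log.do_patch` files under `tmp/work` after a build that actually executed do_patch; with no arguments it scans the embedded sample and reports only the CHANGES.rst hunk.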

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#103642): 
https://lists.openembedded.org/g/openembedded-devel/message/103642
Mute This Topic: https://lists.openembedded.org/mt/98806142/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
