Re: [oe] [meta-oe][kirkstone][PATCH 1/1] python3-werkzeug: fix for CVE-2023-23934

2023-06-29 Thread Narpat Mali via lists.openembedded.org
On 29-06-2023 07:10, Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) wrote:



Dear Narpat,

Once your python3-werkzeug package is built successfully using bitbake, you can try to check the /tmp/work/*/python3-werkzeug//temp/log.do_patch file.

It will provide the logs specific to the do_patch task, where you can confirm this HUNK information.



Thank you Sanjay, it helped me to confirm the HUNK information.

@Martin,

Thanks for identifying the patch-fuzz.

I have sent the patch to fix the patch-fuzz:
https://lore.kernel.org/openembedded-devel/20230629163608.3786099-1-narpat.m...@windriver.com/


Best Regards,

Narpat


Thanks,

Sanjay

Re: [oe] [meta-oe][kirkstone][PATCH 1/1] python3-werkzeug: fix for CVE-2023-23934

2023-06-28 Thread Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
Dear Narpat,

Once your python3-werkzeug package is built successfully using bitbake, you can try to check the /tmp/work/*/python3-werkzeug//temp/log.do_patch file.

It will provide the logs specific to the do_patch task, where you can confirm this HUNK information.

Thanks,
Sanjay

Re: [oe] [meta-oe][kirkstone][PATCH 1/1] python3-werkzeug: fix for CVE-2023-23934

2023-06-28 Thread Narpat Mali via lists.openembedded.org

On 24-06-2023 19:41, Martin Jansa wrote:


This change is now merged in kirkstone and causes:
ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected:

Applying patch CVE-2023-23934.patch
patching file CHANGES.rst
Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines).
patching file src/werkzeug/_internal.py
patching file src/werkzeug/http.py
patching file tests/test_http.py


The context lines in the patches can be updated with devtool:

 devtool modify python3-werkzeug
 devtool finish --force-patch-refresh python3-werkzeug 

Don't forget to review changes done by devtool!

ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]
Please send follow-up patch to fix patch-fuzz.


Hi Martin,

Thanks for checking.

I have double-checked by building python3-werkzeug with poky, but I have not observed any patch-fuzz.

I have followed the steps below:

1. Cloned the latest poky & meta-oe layers and switched to the kirkstone branch for both of them.

2. Added the latest meta-oe layer to the poky build directory and built python3-werkzeug successfully without any issue.

Below are the logs.

In meta-oe:

$fd werkzeug
meta-python/recipes-devtools/python/python3-werkzeug
meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
$ls meta-python/recipes-devtools/python/python3-werkzeug
CVE-2023-23934.patch  CVE-2023-25577.patch
$vi meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
$git branch
  dunfell
* kirkstone
  master
  mickledore
$

Poky Build logs:

$bitbake python3-werkzeug
Loading cache: 100% |##| Time: 0:00:05
Loaded 4328 entries from dependency cache.
NOTE: Resolving any missing task queue dependencies

Build Configuration:
BB_VERSION           = "2.0.0"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "universal"
TARGET_SYS           = "x86_64-poky-linux"
MACHINE              = "qemux86-64"
DISTRO               = "poky"
DISTRO_VERSION       = "4.0.11"
TUNE_FEATURES        = "m64 core2"
TARGET_FPU           = ""
meta
meta-poky
meta-yocto-bsp       = "kirkstone:fc697fe87412b9b179ae3a68d266ace85bb1fcc6"
meta-filesystems
meta-gnome
meta-initramfs
meta-multimedia
meta-networking
meta-oe
meta-perl
meta-python
meta-webserver
meta-xfce            = "kirkstone:a82d92c8a6525da01524bf8f4a60bf6b35dcbb3d"

Initialising tasks: 100% |#| Time: 0:00:02
Sstate summary: Wanted 0 Local 0 Mirrors 0 Missed 0 Current 279 (0% match, 100% complete)
NOTE: Executing Tasks
NOTE: Tasks Summary: Attempted 1056 tasks of which 1056 didn't need to be rerun and all succeeded.

$ls tmp/work/core2-64-poky-linux/python3-werkzeug/2.1.1-r0/
CVE-2023-23934.patch      dist             packages-split       pseudo                 source-date-epoch
CVE-2023-25577.patch      image            pkgdata              python3-werkzeug.spec  sysroot-destdir
deploy-rpms               license-destdir  pkgdata-pdata-input  recipe-sysroot         temp
deploy-source-date-epoch  package          pkgdata-sysroot      recipe-sysroot-native  Werkzeug-2.1.1

nmali@blr-linux-engg1$

Best Regards,

Narpat



On Wed, May 10, 2023 at 4:16 PM Narpat Mali via lists.openembedded.org wrote:

From: Narpat Mali 

Werkzeug is a comprehensive WSGI web application library. Browsers may allow
"nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
browser may allow a compromised application on an adjacent subdomain to exploit
this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`.
If a Werkzeug application is running next to a vulnerable or malicious subdomain
which sets such a cookie using a vulnerable browser, the Werkzeug application
will see the bad cookie value but the valid cookie key. The issue is fixed in
Werkzeug 2.2.3.

Signed-off-by: Narpat Mali 

Re: [oe] [meta-oe][kirkstone][PATCH 1/1] python3-werkzeug: fix for CVE-2023-23934

2023-06-24 Thread Martin Jansa
This change is now merged in kirkstone and causes:

ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected:

Applying patch CVE-2023-23934.patch
patching file CHANGES.rst
Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines).
patching file src/werkzeug/_internal.py
patching file src/werkzeug/http.py
patching file tests/test_http.py


The context lines in the patches can be updated with devtool:

devtool modify python3-werkzeug
devtool finish --force-patch-refresh python3-werkzeug 

Don't forget to review changes done by devtool!

ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz]


Please send follow-up patch to fix patch-fuzz.


On Wed, May 10, 2023 at 4:16 PM Narpat Mali via lists.openembedded.org wrote:

> From: Narpat Mali 
>
> Werkzeug is a comprehensive WSGI web application library. Browsers may allow
> "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
> browser may allow a compromised application on an adjacent subdomain to exploit
> this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
> prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`.
> If a Werkzeug application is running next to a vulnerable or malicious subdomain
> which sets such a cookie using a vulnerable browser, the Werkzeug application
> will see the bad cookie value but the valid cookie key. The issue is fixed in
> Werkzeug 2.2.3.
>
> Signed-off-by: Narpat Mali 
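An added example, not code from the thread and not bitbake's own QA check: a small Python parser for the GNU patch lines that a do_patch log (the temp/log.do_patch file Sanjay points to earlier in the thread) records per hunk, flagging the `with fuzz` lines quoted in Martin's error report. The sample log is constructed from Martin's excerpt plus a hypothetical second patch, `0001-example-clean.patch`, that applies with an offset only; `find_unclean_hunks` and `fuzz_qa_verdict` are this example's own names. It goes one step beyond the check the page shows by also reporting pure offsets, as a warning rather than an error.

```python
import re
from typing import Dict, List

# The three kinds of line GNU patch writes into a Yocto do_patch log for each
# hunk. Patterns are this example's own; bitbake's [patch-fuzz] QA is not reused.
APPLYING_RE = re.compile(r"^Applying patch (?P<patch>\S+)$")
FILE_RE = re.compile(r"^patching file (?P<file>\S+)$")
HUNK_RE = re.compile(
    r"^Hunk #(?P<hunk>\d+) (?P<status>succeeded|FAILED) at (?P<line>\d+)"
    r"(?: with fuzz (?P<fuzz>\d+))?"
    r"(?: \(offset (?P<offset>-?\d+) lines?\))?\.$"
)

# Constructed sample: Martin's excerpt for CVE-2023-23934.patch, followed by a
# hypothetical second patch that lands at an offset but without fuzz.
SAMPLE_LOG = """\
Applying patch CVE-2023-23934.patch
patching file CHANGES.rst
Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines).
patching file src/werkzeug/_internal.py
patching file src/werkzeug/http.py
patching file tests/test_http.py
Applying patch 0001-example-clean.patch
patching file src/werkzeug/http.py
Hunk #1 succeeded at 1210 (offset 3 lines).
"""


def find_unclean_hunks(log_text: str) -> List[Dict[str, object]]:
    """Walk a do_patch log and return every hunk that did not apply cleanly.

    'Unclean' means patch reported fuzz (context lines ignored), a line
    offset, or an outright failure. Each entry records the owning patch and
    file, so the list doubles as a 'refresh these hunks' todo.
    """
    unclean: List[Dict[str, object]] = []
    patch = file = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = APPLYING_RE.match(line)
        if m:
            patch, file = m.group("patch"), None
            continue
        m = FILE_RE.match(line)
        if m:
            file = m.group("file")
            continue
        m = HUNK_RE.match(line)
        if not m:
            continue
        fuzz = int(m.group("fuzz") or 0)
        offset = int(m.group("offset") or 0)
        failed = m.group("status") == "FAILED"
        if fuzz or offset or failed:
            unclean.append({
                "patch": patch, "file": file, "hunk": int(m.group("hunk")),
                "line": int(m.group("line")), "fuzz": fuzz, "offset": offset,
                "failed": failed,
            })
    return unclean


def fuzz_qa_verdict(log_text: str) -> str:
    """Decision rule: any fuzz or failure is an ERROR, as the thread shows
    bitbake reporting it; a pure offset is downgraded to WARNING (this
    example's addition, stricter than the page's check); otherwise OK."""
    hunks = find_unclean_hunks(log_text)
    if any(h["failed"] or h["fuzz"] for h in hunks):
        return "ERROR"
    if hunks:
        return "WARNING"
    return "OK"


if __name__ == "__main__":
    for h in find_unclean_hunks(SAMPLE_LOG):
        print(f"{h['patch']}: {h['file']} hunk #{h['hunk']} "
              f"fuzz={h['fuzz']} offset={h['offset']} failed={h['failed']}")
    print("verdict:", fuzz_qa_verdict(SAMPLE_LOG))
```

To use it on a real build, force do_patch to actually run first: a build that reports "N tasks of which N didn't need to be rerun" restored the recipe from sstate and its log cannot show the fuzz. `bitbake -c cleansstate python3-werkzeug && bitbake -c patch python3-werkzeug`, then feed temp/log.do_patch from the recipe's work directory to `find_unclean_hunks`.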

Re: [oe] [meta-oe][kirkstone][PATCH 1/1] python3-werkzeug: fix for CVE-2023-23934

2023-06-09 Thread Narpat Mali via lists.openembedded.org


Reminder.

On 10-05-2023 19:18, Narpat Mali via lists.openembedded.org wrote:

From: Narpat Mali 

Werkzeug is a comprehensive WSGI web application library. Browsers may allow
"nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
browser may allow a compromised application on an adjacent subdomain to exploit
this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`.
If a Werkzeug application is running next to a vulnerable or malicious subdomain
which sets such a cookie using a vulnerable browser, the Werkzeug application
will see the bad cookie value but the valid cookie key. The issue is fixed in
Werkzeug 2.2.3.

Signed-off-by: Narpat Mali 

[oe] [meta-oe][kirkstone][PATCH 1/1] python3-werkzeug: fix for CVE-2023-23934

2023-05-10 Thread Narpat Mali via lists.openembedded.org
From: Narpat Mali 

Werkzeug is a comprehensive WSGI web application library. Browsers may allow
"nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
browser may allow a compromised application on an adjacent subdomain to exploit
this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`.
If a Werkzeug application is running next to a vulnerable or malicious subdomain
which sets such a cookie using a vulnerable browser, the Werkzeug application
will see the bad cookie value but the valid cookie key. The issue is fixed in
Werkzeug 2.2.3.

Signed-off-by: Narpat Mali 
---
 .../python3-werkzeug/CVE-2023-23934.patch | 116 ++
 .../python/python3-werkzeug_2.1.1.bb  |   2 +
 2 files changed, 118 insertions(+)
 create mode 100644 
meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch

diff --git 
a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch 
b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
new file mode 100644
index 00..0be97d2888
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
@@ -0,0 +1,116 @@
+From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
+From: David Lord 
+Date: Wed, 10 May 2023 11:33:18 +
+Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
+
+don't strip leading `=` when parsing cookie
+
+"src/werkzeug/sansio/http.py" file is not available in the current recipe
+version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0
+version, this http.py file was only available in the "src/werkzeug/http.py"
+and we could see the same functions available there which are getting modified
+in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" 
file.
+
+CVE: CVE-2023-23934
+
+Upstream-Status: Backport 
[https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028]
+
+Signed-off-by: Narpat Mali 
+---
+ CHANGES.rst   |  4 
+ src/werkzeug/_internal.py | 13 +
+ src/werkzeug/http.py  |  4 
+ tests/test_http.py|  4 +++-
+ 4 files changed, 16 insertions(+), 9 deletions(-)
+
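Review bot: the `From b070a40ebbd89d88f4d8144a6ece017d33604d00` line and its `Date: Wed, 10 May 2023` identify the local backport commit (that date is the day this series was posted), while the `Upstream-Status: Backport [...cf275f42...]` line names the actual upstream commit; with `From: David Lord` kept as author, the header reads as if b070a40e were his upstream commit. Either regenerate the header from the upstream commit (`git format-patch -1 cf275f42acad1b5950c50ffe8ef58fe62cdce028` in a werkzeug checkout, then adapt the paths) so the two ids agree, or drop the `From <sha>` line. The relocation note is the right thing to record; it would read better in one sentence: src/werkzeug/sansio/http.py only exists from 2.2.0, in 2.1.1 the same functions live in src/werkzeug/http.py, so that file is patched instead.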
+diff --git a/CHANGES.rst b/CHANGES.rst
+index a351d7c..23505d3 100644
+--- a/CHANGES.rst
 b/CHANGES.rst
+@@ -1,5 +1,9 @@
+ .. currentmodule:: werkzeug
+
++-   A cookie header that starts with ``=`` is treated as an empty key and 
discarded,
++rather than stripping the leading ``==``.
++
++
+ Version 2.1.1
+ -
+
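Review bot: this is the hunk Martin's build log shows applying with `fuzz 2 (offset 5 lines)`, so the five context lines it carries (`.. currentmodule:: werkzeug` down to the blank line after `Version 2.1.1`) no longer describe the top of CHANGES.rst in the kirkstone tree the patch is applied to, most plausibly because an earlier patch in the recipe's series already inserts an entry there. The changelog text is not part of the fix: dropping this hunk from the backport removes the fuzz outright, and otherwise `devtool modify python3-werkzeug` followed by `devtool finish --force-patch-refresh python3-werkzeug` (as suggested in the thread) regenerates the context. The rebuild offered as a counter-check reports `Attempted 1056 tasks of which 1056 didn't need to be rerun`, i.e. do_patch was restored from sstate and never executed, so it could not have shown the fuzz; `bitbake -c cleansstate python3-werkzeug && bitbake -c patch python3-werkzeug` and then temp/log.do_patch in the work directory is the check to run.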
+diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
+index a8b3523..d6290ba 100644
+--- a/src/werkzeug/_internal.py
 b/src/werkzeug/_internal.py
+@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
+ _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
+ _cookie_re = re.compile(
+ rb"""
+-(?P[^=;]+)
++(?P[^=;]*)
+ (?:\s*=\s*
+ (?P
+ "(?:[^\\"]|\\.)*" |
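Review bot: as rendered here the named groups read `(?P[^=;]*)` and `(?P` with no group name, which Python's `re` would reject at import time; the `<key>` and `<val>` names have evidently been swallowed as HTML tags by the list archive, and the later `match.group("key")` confirms what they must be. Worth checking that the committed CVE-2023-23934.patch file really contains `(?P<key>[^=;]*)` and `(?P<val>`, since a copy taken from this rendering would apply cleanly and then break werkzeug on first import. On the change itself, widening the key group from `+` to `*` is only safe together with the `if not key: continue` added in the next hunk; a short comment on this line pointing at that guard would help the next person who refreshes the patch.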
+@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> 
t.Iterator[t.Tuple[bytes, bytes]]:
+ """Lowlevel cookie parsing facility that operates on bytes."""
+ i = 0
+ n = len(b)
++b += b";"
+
+ while i < n:
+-match = _cookie_re.search(b + b";", i)
++match = _cookie_re.match(b, i)
++
+ if not match:
+ break
+
+-key = match.group("key").strip()
+-value = match.group("val") or b""
+ i = match.end(0)
++key = match.group("key").strip()
++
++if not key:
++continue
+
++value = match.group("val") or b""
+ yield key, _cookie_unquote(value)
+
+
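Review bot: the reordering that puts `i = match.end(0)` above the new `if not key: continue` is load-bearing and deserves a comment. With `match()` now anchored at `i`, skipping an empty key before advancing `i` would re-match the same position forever, so a later tidy-up that moves the assignment back down would hang the parser on exactly the nameless-cookie input this fix targets. Likewise `n = len(b)` is taken before `b += b";"`, so the appended `;` acts only as a terminator for the final pair and is never parsed as input; one line saying so next to `b += b";"` would save the next reader from re-deriving it.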
+diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
+index 9369900..ae133e3 100644
+--- a/src/werkzeug/http.py
 b/src/werkzeug/http.py
+@@ -1205,10 +1205,6 @@ def parse_cookie(
+ def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
+ for key, val in _cookie_parse_impl(header):  # type: ignore
+ key_str = _to_str(key, charset, errors, allow_none_charset=True)
+-
+-if not key_str:
+-continue
+-
+ val_str = _to_str(val, charset, errors, allow_none_charset=True)
+ yield key_str, val_str
+
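Review bot: with `if not key_str: continue` removed here, the only place a nameless cookie is now discarded is the `if not key` added to `_cookie_parse_impl` above, so these two hunks are correct only as a pair. Either keep this guard (redundant but harmless, and it keeps `parse_cookie` safe should the `_internal.py` hunk be dropped or mis-refreshed in a later rebase) or state in the backport note above that the hunks must travel together. Since this is the 2.1.1 `src/werkzeug/http.py` standing in for upstream's `sansio/http.py`, the note should also say that a future refresh of this patch must be done by hand against this file rather than re-exported from the upstream commit.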
+diff --git a/tests/test_http.py b/tests/test_http.py
+index 5936bfa..59cc179 100644
+--- a/tests/test_http.py
 b/tests/test_http.py
+@@ -427,7 +427,8 @@ class TestHTTPUtility:
+ def test_parse_cookie(self):
+ cookies = http.parse_cookie(
+ "dismiss-top=6; CP=null*; 
PHPSESSID=0a539d42abc001cdc762809248d4beed;"
+-'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
++'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
++"==__Host-eq=bad;__Host-eq=good;"
+ )
+ assert cookies.to_dict() == {
+ "CP": "null*",
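Review bot: the added input `==__Host-eq=bad;__Host-eq=good;` is the right probe (two leading `=`, so the nameless pair carries the bad value and the real `__Host-eq` follows), but the assertion that proves the outcome, the `__Host-eq` entry in the expected dictionary, sits in the hunk at `@@ -438,6 +439,7 @@`, which is cut off on this page, so the test cannot be reviewed from here. Please confirm the committed patch carries that expectation and that tests/test_http.py was actually run against the patched 2.1.1 tree on kirkstone; nothing in the thread shows the tests being executed, and a change to the cookie regex in `_internal.py` is exactly the kind of backport whose behaviour should be verified rather than eyeballed.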
+@@ -438,6 +439,7 @@ class TestHTTPUtility:
+
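An added example, not werkzeug's code and not part of the original post: a self-contained Python model of the two parsing strategies the diff above switches between, the pre-fix `[^=;]+` key group with `search()` and the post-fix `[^=;]*` key group with `match()` plus the empty-key skip, run side by side over a constructed Cookie header in which a nameless `=__Host-session=bad` cookie precedes the legitimate `__Host-session=good`. The regex is reconstructed from the lines visible in the hunks, `_cookie_unquote` is a simplified stand-in for werkzeug's, and the first-value-wins dict mirrors what `MultiDict.to_dict()` returns; every name other than those in the diff is this example's own.

```python
import re

# Cookie-pair regex modelled on the one in the backported diff, written as a
# template so the vulnerable ('+') and fixed ('*') key quantifiers can be
# compared side by side. Constructed for this example, not werkzeug's module.
_COOKIE_RE_TEMPLATE = rb"""
    (?P<key>[^=;]%s)
    (?:\s*=\s*
        (?P<val>
            "(?:[^\\"]|\\.)*" |
            (?:.*?)
        )
    )?
    \s*;
"""
VULNERABLE_RE = re.compile(_COOKIE_RE_TEMPLATE % b"+", re.VERBOSE)  # key needs 1+ chars
FIXED_RE = re.compile(_COOKIE_RE_TEMPLATE % b"*", re.VERBOSE)       # key may be empty

_ESCAPE_RE = re.compile(rb"[\\].")


def _cookie_unquote(value: bytes) -> bytes:
    """Simplified stand-in for werkzeug's _cookie_unquote (assumption: the real
    one also decodes octal escapes). Strips surrounding double quotes and
    collapses backslash escapes, which is all this demo needs."""
    if len(value) >= 2 and value[:1] == b'"' and value[-1:] == b'"':
        value = _ESCAPE_RE.sub(lambda m: m.group(0)[1:], value[1:-1])
    return value


def parse_cookie_vulnerable(header: bytes) -> dict:
    """Pre-fix flow (the '-' lines of the diff, werkzeug < 2.2.3): search() may
    hop forward over bytes the key group cannot match, so a leading '=' is
    silently dropped and '=__Host-x=bad' is read as __Host-x=bad."""
    result: dict = {}
    i, n = 0, len(header)
    while i < n:
        match = VULNERABLE_RE.search(header + b";", i)
        if not match:
            break
        key = match.group("key").strip()
        value = match.group("val") or b""
        i = match.end(0)
        if not key:  # the old code did this check one layer up, in parse_cookie()
            continue
        # MultiDict.to_dict() hands back the *first* value seen for a key
        result.setdefault(key, _cookie_unquote(value))
    return result


def parse_cookie_fixed(header: bytes) -> dict:
    """Post-fix flow (the '+' lines of the diff): match() is anchored at i, the
    key group may be empty, and an empty key is discarded instead of the
    leading '=' being swallowed. i advances *before* the empty-key skip so a
    nameless cookie cannot make the loop spin on one position."""
    result: dict = {}
    i, n = 0, len(header)
    header += b";"  # sentinel so the last pair needs no trailing ';'; n excludes it
    while i < n:
        match = FIXED_RE.match(header, i)
        if not match:
            break
        i = match.end(0)
        key = match.group("key").strip()
        if not key:
            continue
        value = match.group("val") or b""
        result.setdefault(key, _cookie_unquote(value))
    return result


# Constructed Cookie header: a nameless cookie planted by a sibling subdomain
# arrives first, then the legitimate __Host- cookie, a plain pair and a quoted
# value. The __Host- prefix is what another origin cannot set directly, which
# is why being able to shadow it through the parser matters.
ATTACK_HEADER = b'=__Host-session=bad; __Host-session=good; a=42; b="\\";"'

if __name__ == "__main__":
    print("vulnerable:", parse_cookie_vulnerable(ATTACK_HEADER))
    print("fixed:     ", parse_cookie_fixed(ATTACK_HEADER))
```

The vulnerable parser returns `bad` for `__Host-session` because `search()` skips the leading `=` and the attacker's pair is then the first one seen for that key; the fixed parser discards the nameless pair and returns `good`, which is the behaviour the new `==__Host-eq=bad;__Host-eq=good;` test input is meant to pin down.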