Message ID | 20230510134849.562209-1-narpat.mali@windriver.com |
---|---|
State | New |
Series | [meta-oe,kirkstone,1/1] python3-werkzeug: fix for CVE-2023-23934 | expand |
This change is now merged in kirkstone and causes: ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected: Applying patch CVE-2023-23934.patch patching file CHANGES.rst Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines). patching file src/werkzeug/_internal.py patching file src/werkzeug/http.py patching file tests/test_http.py The context lines in the patches can be updated with devtool: devtool modify python3-werkzeug devtool finish --force-patch-refresh python3-werkzeug <layer_path> Don't forget to review changes done by devtool! ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] Please send follow-up patch to fix patch-fuzz. On Wed, May 10, 2023 at 4:16 PM Narpat Mali via lists.openembedded.org <narpat.mali=windriver.com@lists.openembedded.org> wrote: > From: Narpat Mali <narpat.mali@windriver.com> > > Werkzeug is a comprehensive WSGI web application library. Browsers may > allow > "nameless" cookies that look like `=value` instead of `key=value`. A > vulnerable > browser may allow a compromised application on an adjacent subdomain to > exploit > this to set a cookie like `=__Host-test=bad` for another subdomain. > Werkzeug > prior to 2.2.3 will parse the cookie `=__Host-test=bad` as > __Host-test=bad`. > If a Werkzeug application is running next to a vulnerable or malicious > subdomain > which sets such a cookie using a vulnerable browser, the Werkzeug > application > will see the bad cookie value but the valid cookie key. The issue is fixed > in > Werkzeug 2.2.3. > > Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > --- > .../python3-werkzeug/CVE-2023-23934.patch | 116 ++++++++++++++++++ > .../python/python3-werkzeug_2.1.1.bb | 2 + > 2 files changed, 118 insertions(+) > create mode 100644 > meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch 
> > diff --git > a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > new file mode 100644 > index 0000000000..0be97d2888 > --- /dev/null > +++ > b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch 
> @@ -0,0 +1,116 @@ > +From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001 > +From: David Lord <davidism@gmail.com> > +Date: Wed, 10 May 2023 11:33:18 +0000 > +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q > + > +don't strip leading `=` when parsing cookie > + > +"src/werkzeug/sansio/http.py" file is not available in the current recipe > +version 2.1.1 and this has been introduced from 2.2.0 version. Before > 2.2.0 > +version, this http.py file was only available in the > "src/werkzeug/http.py" > +and we could see the same functions available there which are getting > modified > +in the CVE fix commit. Hence, modifying the same at > "src/werkzeug/http.py" file. > + > +CVE: CVE-2023-23934 > + > +Upstream-Status: Backport [ > https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028 > ] > + > +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > +--- > + CHANGES.rst | 4 ++++ > + src/werkzeug/_internal.py | 13 +++++++++---- > + src/werkzeug/http.py | 4 ---- > + tests/test_http.py | 4 +++- > + 4 files changed, 16 insertions(+), 9 deletions(-) > + > +diff --git a/CHANGES.rst b/CHANGES.rst > +index a351d7c..23505d3 100644 > +--- a/CHANGES.rst > ++++ b/CHANGES.rst > +@@ -1,5 +1,9 @@ > + .. currentmodule:: werkzeug > + > ++- A cookie header that starts with ``=`` is treated as an empty key > and discarded, > ++ rather than stripping the leading ``==``. 
> ++ > ++ > + Version 2.1.1 > + ------------- > + > +diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py > +index a8b3523..d6290ba 100644 > +--- a/src/werkzeug/_internal.py > ++++ b/src/werkzeug/_internal.py > +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].") > + _legal_cookie_chars_re = > rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" > + _cookie_re = re.compile( > + rb""" > +- (?P<key>[^=;]+) > ++ (?P<key>[^=;]*) > + (?:\s*=\s* > + (?P<val> > + "(?:[^\\"]|\\.)*" | > +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> > t.Iterator[t.Tuple[bytes, bytes]]: > + """Lowlevel cookie parsing facility that operates on bytes.""" > + i = 0 > + n = len(b) > ++ b += b";" > + > + while i < n: > +- match = _cookie_re.search(b + b";", i) > ++ match = _cookie_re.match(b, i) > ++ > + if not match: > + break > + > +- key = match.group("key").strip() > +- value = match.group("val") or b"" > + i = match.end(0) > ++ key = match.group("key").strip() > ++ > ++ if not key: > ++ continue > + > ++ value = match.group("val") or b"" > + yield key, _cookie_unquote(value) > + > + > +diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py > +index 9369900..ae133e3 100644 > +--- a/src/werkzeug/http.py > ++++ b/src/werkzeug/http.py > +@@ -1205,10 +1205,6 @@ def parse_cookie( > + def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]: > + for key, val in _cookie_parse_impl(header): # type: ignore > + key_str = _to_str(key, charset, errors, > allow_none_charset=True) > +- > +- if not key_str: > +- continue > +- > + val_str = _to_str(val, charset, errors, > allow_none_charset=True) > + yield key_str, val_str > + > +diff --git a/tests/test_http.py b/tests/test_http.py > +index 5936bfa..59cc179 100644 > +--- a/tests/test_http.py > ++++ b/tests/test_http.py > +@@ -427,7 +427,8 @@ class TestHTTPUtility: > + def test_parse_cookie(self): > + cookies = http.parse_cookie( > + "dismiss-top=6; CP=null*; > PHPSESSID=0a539d42abc001cdc762809248d4beed;" > +- 'a=42; b="\\";"; ; 
fo234{=bar;blub=Blah; "__Secure-c"=d' > ++ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;' > ++ "==__Host-eq=bad;__Host-eq=good;" > + ) > + assert cookies.to_dict() == { > + "CP": "null*", > +@@ -438,6 +439,7 @@ class TestHTTPUtility: > + "fo234{": "bar", > + "blub": "Blah", > + '"__Secure-c"': "d", > ++ "__Host-eq": "good", > + } > + > + def test_dump_cookie(self): > +-- > +2.40.0 > diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > index 476a3a5964..ca8705146e 100644 > --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM = > "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" > > PYPI_PACKAGE = "Werkzeug" > > +SRC_URI += "file://CVE-2023-23934.patch" > + > SRC_URI[sha256sum] = > "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74" > > inherit pypi setuptools3 > -- > 2.40.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#102533): > https://lists.openembedded.org/g/openembedded-devel/message/102533 > Mute This Topic: https://lists.openembedded.org/mt/98806142/3617156 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [ > Martin.Jansa@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
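Review bot: The CHANGES.rst hunk inside the embedded patch (`@@ -1,5 +1,9 @@`) is the fragile part of this backport: its only context is `.. currentmodule:: werkzeug`, a blank line and the `Version 2.1.1` heading, and the new entry is inserted above that heading with no version heading of its own, so it lands outside any release section. The recipe directory listed later in the thread also carries CVE-2023-25577.patch, which presumably edits the same top of CHANGES.rst and is the likely reason this hunk only applies with an offset. Since CHANGES.rst is not part of the installed package, I would drop that hunk from the backport together with its `CHANGES.rst | 4 ++++` diffstat line rather than refresh its context, keeping the `_internal.py`, `http.py` and `tests/test_http.py` hunks unchanged. The `_cookie_parse_impl` change itself reads correctly: `i = match.end(0)` is assigned before the `if not key: continue`, so an empty key cannot stall the loop, and the skip replaces the `key_str` check removed from `http.py`.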
On 24-06-2023 19:41, Martin Jansa wrote: > ** > *CAUTION: This email comes from a non Wind River email account!* > Do not click links or open attachments unless you recognize the sender > and know the content is safe. > This change is now merged in kirkstone and causes: > ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected: > > Applying patch CVE-2023-23934.patch > patching file CHANGES.rst > Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines). > patching file src/werkzeug/_internal.py > patching file src/werkzeug/http.py > patching file tests/test_http.py > > > The context lines in the patches can be updated with devtool: > > devtool modify python3-werkzeug > devtool finish --force-patch-refresh python3-werkzeug <layer_path> > > Don't forget to review changes done by devtool! > > ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] > Please send follow-up patch to fix patch-fuzz. Hi Martin, Thanks for checking. Have double checked with building python3-werkzeug with poky but, I have not observed any patch-fuzz. Have followed the below steps: 1. Cloned the latest poky & meta-oe layer and switched to kirkstone branch for both of them. 2. Added latest meta-oe layer to poky build directory and built the python3-werkzeug successfully without any issue. Below are the logs in: meta-oe : $fd werkzeug meta-python/recipes-devtools/python/python3-werkzeug meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb $ls meta-python/recipes-devtools/python/python3-werkzeug CVE-2023-23934.patch CVE-2023-25577.patch $vi meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb $git branch dunfell * kirkstone master mickledore $ Poky Build logs: $bitbake python3-werkzeug Loading cache: 100% |##########################################################################################| Time: 0:00:05 Loaded 4328 entries from dependency cache. 
NOTE: Resolving any missing task queue dependencies Build Configuration: BB_VERSION = "2.0.0" BUILD_SYS = "x86_64-linux" NATIVELSBSTRING = "universal" TARGET_SYS = "x86_64-poky-linux" MACHINE = "qemux86-64" DISTRO = "poky" DISTRO_VERSION = "4.0.11" TUNE_FEATURES = "m64 core2" TARGET_FPU = "" meta meta-poky meta-yocto-bsp = "kirkstone:fc697fe87412b9b179ae3a68d266ace85bb1fcc6" meta-filesystems meta-gnome meta-initramfs meta-multimedia meta-networking meta-oe meta-perl meta-python meta-webserver meta-xfce = "kirkstone:a82d92c8a6525da01524bf8f4a60bf6b35dcbb3d" Initialising tasks: 100% |#####################################################################################| Time: 0:00:02 Sstate summary: Wanted 0 Local 0 Mirrors 0 Missed 0 Current 279 (0% match, 100% complete) NOTE: Executing Tasks NOTE: Tasks Summary: Attempted 1056 tasks of which 1056 didn't need to be rerun and all succeeded. $ls tmp/work/core2-64-poky-linux/python3-werkzeug/2.1.1-r0/ CVE-2023-23934.patch dist packages-split pseudo source-date-epoch CVE-2023-25577.patch image pkgdata python3-werkzeug.spec sysroot-destdir deploy-rpms license-destdir pkgdata-pdata-input recipe-sysroot temp deploy-source-date-epoch package pkgdata-sysroot recipe-sysroot-native Werkzeug-2.1.1 nmali@blr-linux-engg1$ Best Regards, Narpat > > On Wed, May 10, 2023 at 4:16 PM Narpat Mali via lists.openembedded.org > <https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA43zdPYINg$> > <narpat.mali=windriver.com@lists.openembedded.org> wrote: 
> > From: Narpat Mali <narpat.mali@windriver.com> > > Werkzeug is a comprehensive WSGI web application library. Browsers > may allow > "nameless" cookies that look like `=value` instead of `key=value`. > A vulnerable > browser may allow a compromised application on an adjacent > subdomain to exploit > this to set a cookie like `=__Host-test=bad` for another > subdomain. Werkzeug > prior to 2.2.3 will parse the cookie `=__Host-test=bad` as > __Host-test=bad`. > If a Werkzeug application is running next to a vulnerable or > malicious subdomain > which sets such a cookie using a vulnerable browser, the Werkzeug > application > will see the bad cookie value but the valid cookie key. The issue > is fixed in > Werkzeug 2.2.3. > > Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > --- > .../python3-werkzeug/CVE-2023-23934.patch | 116 > ++++++++++++++++++ > .../python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http://python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> > | 2 + > 2 files changed, 118 insertions(+) > create mode 100644 > meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > > diff --git > a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > new file mode 100644 > index 0000000000..0be97d2888 > --- /dev/null > +++ > b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch 
> @@ -0,0 +1,116 @@ > +From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 > 2001 > +From: David Lord <davidism@gmail.com> > +Date: Wed, 10 May 2023 11:33:18 +0000 > +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q > + > +don't strip leading `=` when parsing cookie > + > +"src/werkzeug/sansio/http.py" file is not available in the > current recipe > +version 2.1.1 and this has been introduced from 2.2.0 version. > Before 2.2.0 > +version, this http.py > <https://urldefense.com/v3/__http://http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> > file was only available in the "src/werkzeug/http.py" > +and we could see the same functions available there which are > getting modified > +in the CVE fix commit. Hence, modifying the same at > "src/werkzeug/http.py" file. > + > +CVE: CVE-2023-23934 > + > +Upstream-Status: Backport > [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028 > <https://urldefense.com/v3/__https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42AsHiz9w$>] > + > +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > +--- > + CHANGES.rst | 4 ++++ > + src/werkzeug/_internal.py > <https://urldefense.com/v3/__http://_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> > | 13 +++++++++---- > + src/werkzeug/http.py | 4 ---- > + tests/test_http.py | 4 +++- > + 4 files changed, 16 insertions(+), 9 deletions(-) > + > +diff --git a/CHANGES.rst b/CHANGES.rst > +index a351d7c..23505d3 100644 > +--- a/CHANGES.rst > ++++ b/CHANGES.rst > +@@ -1,5 +1,9 @@ > + .. currentmodule:: werkzeug > + > ++- A cookie header that starts with ``=`` is treated as an > empty key and discarded, > ++ rather than stripping the leading ``==``. 
> ++ > ++ > + Version 2.1.1 > + ------------- > + > +diff --git a/src/werkzeug/_internal.py > <https://urldefense.com/v3/__http://_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> > b/src/werkzeug/_internal.py > <https://urldefense.com/v3/__http://_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> > +index a8b3523..d6290ba 100644 > +--- a/src/werkzeug/_internal.py > <https://urldefense.com/v3/__http://_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> > ++++ b/src/werkzeug/_internal.py > <https://urldefense.com/v3/__http://_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> > +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].") > + _legal_cookie_chars_re = > rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" > + _cookie_re = re.compile( > + rb""" > +- (?P<key>[^=;]+) > ++ (?P<key>[^=;]*) > + (?:\s*=\s* > + (?P<val> > + "(?:[^\\"]|\\.)*" | > +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> > t.Iterator[t.Tuple[bytes, bytes]]: > + """Lowlevel cookie parsing facility that operates on bytes.""" > + i = 0 > + n = len(b) > ++ b += b";" > + > + while i < n: > +- match = _cookie_re.search(b + b";", i) > ++ match = _cookie_re.match(b, i) > ++ > + if not match: > + break > + > +- key = match.group("key").strip() > +- value = match.group("val") or b"" > + i = match.end(0) > ++ key = match.group("key").strip() > ++ > ++ if not key: > ++ continue > + > ++ value = match.group("val") or b"" > + yield key, _cookie_unquote(value) > + > + > +diff --git a/src/werkzeug/http.py > <https://urldefense.com/v3/__http://http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> > b/src/werkzeug/http.py > 
<https://urldefense.com/v3/__http://http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> > +index 9369900..ae133e3 100644 > +--- a/src/werkzeug/http.py > <https://urldefense.com/v3/__http://http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> > ++++ b/src/werkzeug/http.py > <https://urldefense.com/v3/__http://http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> > +@@ -1205,10 +1205,6 @@ def parse_cookie( > + def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]: > + for key, val in _cookie_parse_impl(header): # type: ignore > + key_str = _to_str(key, charset, errors, > allow_none_charset=True) > +- > +- if not key_str: > +- continue > +- > + val_str = _to_str(val, charset, errors, > allow_none_charset=True) > + yield key_str, val_str > + > +diff --git a/tests/test_http.py > <https://urldefense.com/v3/__http://test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> > b/tests/test_http.py > <https://urldefense.com/v3/__http://test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> > +index 5936bfa..59cc179 100644 > +--- a/tests/test_http.py > <https://urldefense.com/v3/__http://test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> > ++++ b/tests/test_http.py > <https://urldefense.com/v3/__http://test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> > +@@ -427,7 +427,8 @@ class TestHTTPUtility: > + def test_parse_cookie(self): > + cookies = http.parse_cookie( > + "dismiss-top=6; CP=null*; > PHPSESSID=0a539d42abc001cdc762809248d4beed;" > +- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d' > ++ 'a=42; b="\\";"; ; 
fo234{=bar;blub=Blah; > "__Secure-c"=d;' > ++ "==__Host-eq=bad;__Host-eq=good;" > + ) > + assert cookies.to_dict() == { > + "CP": "null*", > +@@ -438,6 +439,7 @@ class TestHTTPUtility: > + "fo234{": "bar", > + "blub": "Blah", > + '"__Secure-c"': "d", > ++ "__Host-eq": "good", > + } > + > + def test_dump_cookie(self): > +-- > +2.40.0 > diff --git > a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http://python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> > b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http://python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> > index 476a3a5964..ca8705146e 100644 > --- > a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http://python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> > +++ > b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http://python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> 
> @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM = > "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" > > PYPI_PACKAGE = "Werkzeug" > > +SRC_URI += "file://CVE-2023-23934.patch" > + > SRC_URI[sha256sum] = > "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74" > > inherit pypi setuptools3 > -- > 2.40.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#102533): > https://lists.openembedded.org/g/openembedded-devel/message/102533 > <https://urldefense.com/v3/__https://lists.openembedded.org/g/openembedded-devel/message/102533__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA400eOGMSg$> > Mute This Topic: > https://lists.openembedded.org/mt/98806142/3617156 > <https://urldefense.com/v3/__https://lists.openembedded.org/mt/98806142/3617156__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA43JVkw2Zw$> > Group Owner: openembedded-devel+owner@lists.openembedded.org > <mailto:openembedded-devel%2Bowner@lists.openembedded.org> > Unsubscribe: > https://lists.openembedded.org/g/openembedded-devel/unsub > <https://urldefense.com/v3/__https://lists.openembedded.org/g/openembedded-devel/unsub__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42mksaTWg$> > [Martin.Jansa@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
Dear Narpat, Once your python3-werkzeug package has been built successfully with bitbake, you can check the <build>/tmp/work/*/python3-werkzeug/<version>/temp/log.do_patch file. It contains the logs specific to the do_patch task, where you can confirm this hunk information. Thanks, Sanjay 
From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> On Behalf Of Narpat Mali via lists.openembedded.org Sent: Wednesday, June 28, 2023 11:49 AM To: Martin Jansa <martin.jansa@gmail.com> Cc: openembedded-devel@lists.openembedded.org; hari.gpillai@windriver.com Subject: Re: [oe] [meta-oe][kirkstone][PATCH 1/1] python3-werkzeug: fix for CVE-2023-23934 On 24-06-2023 19:41, Martin Jansa wrote: CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe. This change is now merged in kirkstone and causes: ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected: Applying patch CVE-2023-23934.patch patching file CHANGES.rst Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines). patching file src/werkzeug/_internal.py patching file src/werkzeug/http.py patching file tests/test_http.py The context lines in the patches can be updated with devtool: devtool modify python3-werkzeug devtool finish --force-patch-refresh python3-werkzeug <layer_path> Don't forget to review changes done by devtool! ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] Please send follow-up patch to fix patch-fuzz. Hi Martin, Thanks for checking. Have double checked with building python3-werkzeug with poky but, I have not observed any patch-fuzz. Have followed the below steps: 1. Cloned the latest poky & meta-oe layer and switched to kirkstone branch for both of them. 2. Added latest meta-oe layer to poky build directory and built the python3-werkzeug successfully without any issue. 
Below are the logs in: meta-oe : $fd werkzeug meta-python/recipes-devtools/python/python3-werkzeug meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb $ls meta-python/recipes-devtools/python/python3-werkzeug CVE-2023-23934.patch CVE-2023-25577.patch $vi meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb $git branch dunfell * kirkstone master mickledore $ Poky Build logs: $bitbake python3-werkzeug Loading cache: 100% |##########################################################################################| Time: 0:00:05 Loaded 4328 entries from dependency cache. NOTE: Resolving any missing task queue dependencies Build Configuration: BB_VERSION = "2.0.0" BUILD_SYS = "x86_64-linux" NATIVELSBSTRING = "universal" TARGET_SYS = "x86_64-poky-linux" MACHINE = "qemux86-64" DISTRO = "poky" DISTRO_VERSION = "4.0.11" TUNE_FEATURES = "m64 core2" TARGET_FPU = "" meta meta-poky meta-yocto-bsp = "kirkstone:fc697fe87412b9b179ae3a68d266ace85bb1fcc6" meta-filesystems meta-gnome meta-initramfs meta-multimedia meta-networking meta-oe meta-perl meta-python meta-webserver meta-xfce = "kirkstone:a82d92c8a6525da01524bf8f4a60bf6b35dcbb3d" Initialising tasks: 100% |#####################################################################################| Time: 0:00:02 Sstate summary: Wanted 0 Local 0 Mirrors 0 Missed 0 Current 279 (0% match, 100% complete) NOTE: Executing Tasks NOTE: Tasks Summary: Attempted 1056 tasks of which 1056 didn't need to be rerun and all succeeded. 
$ls tmp/work/core2-64-poky-linux/python3-werkzeug/2.1.1-r0/ CVE-2023-23934.patch dist packages-split pseudo source-date-epoch CVE-2023-25577.patch image pkgdata python3-werkzeug.spec sysroot-destdir deploy-rpms license-destdir pkgdata-pdata-input recipe-sysroot temp deploy-source-date-epoch package pkgdata-sysroot recipe-sysroot-native Werkzeug-2.1.1 nmali@blr-linux-engg1$ Best Regards, Narpat On Wed, May 10, 2023 at 4:16 PM Narpat Mali via lists.openembedded.org<https://urldefense.com/v3/__http:/lists.openembedded.org__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA43zdPYINg$> <narpat.mali=windriver.com@lists.openembedded.org<mailto:windriver.com@lists.openembedded.org>> wrote: From: Narpat Mali <narpat.mali@windriver.com<mailto:narpat.mali@windriver.com>> Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3. Signed-off-by: Narpat Mali <narpat.mali@windriver.com<mailto:narpat.mali@windriver.com>> --- .../python3-werkzeug/CVE-2023-23934.patch | 116 ++++++++++++++++++ .../python/python3-werkzeug_2.1.1.bb<https://urldefense.com/v3/__http:/python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> | 2 + 2 files changed, 118 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch 
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch new file mode 100644 index 0000000000..0be97d2888 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch 
@@ -0,0 +1,116 @@ +From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001 +From: David Lord <davidism@gmail.com<mailto:davidism@gmail.com>> +Date: Wed, 10 May 2023 11:33:18 +0000 +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q + +don't strip leading `=` when parsing cookie + +"src/werkzeug/sansio/http.py" file is not available in the current recipe +version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0 +version, this http.py<https://urldefense.com/v3/__http:/http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> file was only available in the "src/werkzeug/http.py" +and we could see the same functions available there which are getting modified +in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file. + +CVE: CVE-2023-23934 + +Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028<https://urldefense.com/v3/__https:/github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42AsHiz9w$>] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com<mailto:narpat.mali@windriver.com>> +--- + CHANGES.rst | 4 ++++ + src/werkzeug/_internal.py<https://urldefense.com/v3/__http:/_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> | 13 +++++++++---- + src/werkzeug/http.py | 4 ---- + tests/test_http.py | 4 +++- + 4 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/CHANGES.rst b/CHANGES.rst +index a351d7c..23505d3 100644 +--- a/CHANGES.rst ++++ b/CHANGES.rst +@@ -1,5 +1,9 @@ + .. currentmodule:: werkzeug + ++- A cookie header that starts with ``=`` is treated as an empty key and discarded, ++ rather than stripping the leading ``==``. 
++ ++ + Version 2.1.1 + ------------- + +diff --git a/src/werkzeug/_internal.py<https://urldefense.com/v3/__http:/_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> b/src/werkzeug/_internal.py<https://urldefense.com/v3/__http:/_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> +index a8b3523..d6290ba 100644 +--- a/src/werkzeug/_internal.py<https://urldefense.com/v3/__http:/_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> ++++ b/src/werkzeug/_internal.py<https://urldefense.com/v3/__http:/_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].") + _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" + _cookie_re = re.compile( + rb""" +- (?P<key>[^=;]+) ++ (?P<key>[^=;]*) + (?:\s*=\s* + (?P<val> + "(?:[^\\"]|\\.)*" | +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]: + """Lowlevel cookie parsing facility that operates on bytes.""" + i = 0 + n = len(b) ++ b += b";" + + while i < n: +- match = _cookie_re.search(b + b";", i) ++ match = _cookie_re.match(b, i) ++ + if not match: + break + +- key = match.group("key").strip() +- value = match.group("val") or b"" + i = match.end(0) ++ key = match.group("key").strip() ++ ++ if not key: ++ continue + ++ value = match.group("val") or b"" + yield key, _cookie_unquote(value) + + +diff --git a/src/werkzeug/http.py<https://urldefense.com/v3/__http:/http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> b/src/werkzeug/http.py<https://urldefense.com/v3/__http:/http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> +index 
9369900..ae133e3 100644 +--- a/src/werkzeug/http.py<https://urldefense.com/v3/__http:/http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> ++++ b/src/werkzeug/http.py<https://urldefense.com/v3/__http:/http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> +@@ -1205,10 +1205,6 @@ def parse_cookie( + def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]: + for key, val in _cookie_parse_impl(header): # type: ignore + key_str = _to_str(key, charset, errors, allow_none_charset=True) +- +- if not key_str: +- continue +- + val_str = _to_str(val, charset, errors, allow_none_charset=True) + yield key_str, val_str + +diff --git a/tests/test_http.py<https://urldefense.com/v3/__http:/test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> b/tests/test_http.py<https://urldefense.com/v3/__http:/test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> +index 5936bfa..59cc179 100644 +--- a/tests/test_http.py<https://urldefense.com/v3/__http:/test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> ++++ b/tests/test_http.py<https://urldefense.com/v3/__http:/test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> +@@ -427,7 +427,8 @@ class TestHTTPUtility: + def test_parse_cookie(self): + cookies = http.parse_cookie( + "dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;" +- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d' ++ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;' ++ "==__Host-eq=bad;__Host-eq=good;" + ) + assert cookies.to_dict() == { + "CP": "null*", +@@ -438,6 +439,7 @@ class TestHTTPUtility: + "fo234{": "bar", + "blub": "Blah", + '"__Secure-c"': "d", ++ 
"__Host-eq": "good", + } + + def test_dump_cookie(self): +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb<https://urldefense.com/v3/__http:/python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb<https://urldefense.com/v3/__http:/python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> index 476a3a5964..ca8705146e 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb<https://urldefense.com/v3/__http:/python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb<https://urldefense.com/v3/__http:/python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"<file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462> PYPI_PACKAGE = "Werkzeug" +SRC_URI += "file://CVE-2023-23934.patch"<file://CVE-2023-23934.patch> + SRC_URI[sha256sum] = "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74" inherit pypi setuptools3 -- 2.40.0
On 29-06-2023 07:10, Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) wrote: > ** > *CAUTION: This email comes from a non Wind River email account!* > Do not click links or open attachments unless you recognize the sender > and know the content is safe. > > Dear Narpat, > > Once your python3-werkzeug package is built successfully using bitbake. > > You can try to check > <build>/tmp/work/*/python3-werkzeug/<version>/temp/log.do_patch file. > > It will provide the logs specific to do_patch task, where you can > confirm this HUNK information. > Thank you Sanjay, It helped me to confirm the HUNK information. @Martin, Thanks for identifying the patch-fuzz. Have sent the patch to fix the patch-fuzz : https://lore.kernel.org/openembedded-devel/20230629163608.3786099-1-narpat.mali@windriver.com/ Best Regards, Narpat > Thanks, > > Sanjay > > *From:*openembedded-devel@lists.openembedded.org > <openembedded-devel@lists.openembedded.org> *On Behalf Of *Narpat Mali > via lists.openembedded.org > <https://urldefense.com/v3/__http://lists.openembedded.org__;!!AjveYdw8EvQ!bNzZUbPJMjaw1YWRoQUxKvW7kTxX0XvbVNwuRxNV-k35b3IGEfWuNh3D14V-bwlmOU8kmxirRCb1197e3RBc$> > *Sent:* Wednesday, June 28, 2023 11:49 AM > *To:* Martin Jansa <martin.jansa@gmail.com> > *Cc:* openembedded-devel@lists.openembedded.org; > hari.gpillai@windriver.com > *Subject:* Re: [oe] [meta-oe][kirkstone][PATCH 1/1] python3-werkzeug: > fix for CVE-2023-23934 > > On 24-06-2023 19:41, Martin Jansa wrote: > > *CAUTION: This email comes from a non Wind River email account!* > Do not click links or open attachments unless you recognize the > sender and know the content is safe. > > This change is now merged in kirkstone and causes: > > ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected: > > > > Applying patch CVE-2023-23934.patch > > patching file CHANGES.rst > > Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines). 
> > patching file src/werkzeug/_internal.py > > patching file src/werkzeug/http.py > > patching file tests/test_http.py > > > > > > The context lines in the patches can be updated with devtool: > > > > devtool modify python3-werkzeug > > devtool finish --force-patch-refresh python3-werkzeug <layer_path> > > > > Don't forget to review changes done by devtool! > > > > ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log indicates that patches do not apply cleanly. [patch-fuzz] > > Please send follow-up patch to fix patch-fuzz. > > Hi Martin, > > Thanks for checking. > > Have double checked with building python3-werkzeug with poky but, I > have not observed any patch-fuzz. > > Have followed the below steps: > > 1. Cloned the latest poky & meta-oe layer and switched to kirkstone > branch for both of them. > > 2. Added latest meta-oe layer to poky build directory and built the > python3-werkzeug successfully without any issue. > > Below are the logs in: > > meta-oe : > > $fd werkzeug > meta-python/recipes-devtools/python/python3-werkzeug > meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http://python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!bNzZUbPJMjaw1YWRoQUxKvW7kTxX0XvbVNwuRxNV-k35b3IGEfWuNh3D14V-bwlmOU8kmxirRCb110cwf6ls$> > $ls meta-python/recipes-devtools/python/python3-werkzeug > CVE-2023-23934.patch CVE-2023-25577.patch > $vi meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http://python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!bNzZUbPJMjaw1YWRoQUxKvW7kTxX0XvbVNwuRxNV-k35b3IGEfWuNh3D14V-bwlmOU8kmxirRCb110cwf6ls$> > $git branch > dunfell > * kirkstone > master > mickledore > $ > > Poky Build logs: > > $bitbake python3-werkzeug > Loading cache: 100% > |##########################################################################################| > Time: 0:00:05 > Loaded 4328 entries from dependency cache. 
> NOTE: Resolving any missing task queue dependencies > > Build Configuration: > BB_VERSION = "2.0.0" > BUILD_SYS = "x86_64-linux" > NATIVELSBSTRING = "universal" > TARGET_SYS = "x86_64-poky-linux" > MACHINE = "qemux86-64" > DISTRO = "poky" > DISTRO_VERSION = "4.0.11" > TUNE_FEATURES = "m64 core2" > TARGET_FPU = "" > meta > meta-poky > meta-yocto-bsp = > "kirkstone:fc697fe87412b9b179ae3a68d266ace85bb1fcc6" > meta-filesystems > meta-gnome > meta-initramfs > meta-multimedia > meta-networking > meta-oe > meta-perl > meta-python > meta-webserver > meta-xfce = > "kirkstone:a82d92c8a6525da01524bf8f4a60bf6b35dcbb3d" > > Initialising tasks: 100% > |#####################################################################################| > Time: 0:00:02 > Sstate summary: Wanted 0 Local 0 Mirrors 0 Missed 0 Current 279 (0% > match, 100% complete) > NOTE: Executing Tasks > NOTE: Tasks Summary: Attempted 1056 tasks of which 1056 didn't need to > be rerun and all succeeded. > $ls tmp/work/core2-64-poky-linux/python3-werkzeug/2.1.1-r0/ > CVE-2023-23934.patch dist packages-split pseudo > source-date-epoch > CVE-2023-25577.patch image pkgdata > python3-werkzeug.spec sysroot-destdir > deploy-rpms license-destdir pkgdata-pdata-input > recipe-sysroot temp > deploy-source-date-epoch package pkgdata-sysroot > recipe-sysroot-native Werkzeug-2.1.1 > nmali@blr-linux-engg1$ > > Best Regards, > > Narpat > > On Wed, May 10, 2023 at 4:16 PM Narpat Mali via > lists.openembedded.org > <https://urldefense.com/v3/__http:/lists.openembedded.org__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA43zdPYINg$> > <narpat.mali=windriver.com@lists.openembedded.org> wrote: 
> > From: Narpat Mali <narpat.mali@windriver.com> > > Werkzeug is a comprehensive WSGI web application library. > Browsers may allow > "nameless" cookies that look like `=value` instead of > `key=value`. A vulnerable > browser may allow a compromised application on an adjacent > subdomain to exploit > this to set a cookie like `=__Host-test=bad` for another > subdomain. Werkzeug > prior to 2.2.3 will parse the cookie `=__Host-test=bad` as > __Host-test=bad`. > If a Werkzeug application is running next to a vulnerable or > malicious subdomain > which sets such a cookie using a vulnerable browser, the > Werkzeug application > will see the bad cookie value but the valid cookie key. The > issue is fixed in > Werkzeug 2.2.3. > > Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > --- > .../python3-werkzeug/CVE-2023-23934.patch | 116 > ++++++++++++++++++ > .../python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http:/python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> > | 2 + > 2 files changed, 118 insertions(+) > create mode 100644 > meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > > diff --git > a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch > new file mode 100644 > index 0000000000..0be97d2888 > --- /dev/null > +++ > b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch 
> @@ -0,0 +1,116 @@ > +From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 > 00:00:00 2001 > +From: David Lord <davidism@gmail.com> > +Date: Wed, 10 May 2023 11:33:18 +0000 > +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q > + > +don't strip leading `=` when parsing cookie > + > +"src/werkzeug/sansio/http.py" file is not available in the > current recipe > +version 2.1.1 and this has been introduced from 2.2.0 > version. Before 2.2.0 > +version, this http.py > <https://urldefense.com/v3/__http:/http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> > file was only available in the "src/werkzeug/http.py" > +and we could see the same functions available there which are > getting modified > +in the CVE fix commit. Hence, modifying the same at > "src/werkzeug/http.py" file. > + > +CVE: CVE-2023-23934 > + > +Upstream-Status: Backport > [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028 > <https://urldefense.com/v3/__https:/github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42AsHiz9w$>] > + > +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> > +--- > + CHANGES.rst | 4 ++++ > + src/werkzeug/_internal.py > <https://urldefense.com/v3/__http:/_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> > | 13 +++++++++---- > + src/werkzeug/http.py | 4 ---- > + tests/test_http.py | 4 +++- > + 4 files changed, 16 insertions(+), 9 deletions(-) > + > +diff --git a/CHANGES.rst b/CHANGES.rst > +index a351d7c..23505d3 100644 > +--- a/CHANGES.rst > ++++ b/CHANGES.rst > +@@ -1,5 +1,9 @@ > + .. currentmodule:: werkzeug > + > ++- A cookie header that starts with ``=`` is treated as an > empty key and discarded, > ++ rather than stripping the leading ``==``. 
> ++ > ++ > + Version 2.1.1 > + ------------- > + > +diff --git a/src/werkzeug/_internal.py > <https://urldefense.com/v3/__http:/_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> > b/src/werkzeug/_internal.py > <https://urldefense.com/v3/__http:/_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> > +index a8b3523..d6290ba 100644 > +--- a/src/werkzeug/_internal.py > <https://urldefense.com/v3/__http:/_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> > ++++ b/src/werkzeug/_internal.py > <https://urldefense.com/v3/__http:/_internal.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41UuKh0Rw$> > +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].") > + _legal_cookie_chars_re = > rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" > + _cookie_re = re.compile( > + rb""" > +- (?P<key>[^=;]+) > ++ (?P<key>[^=;]*) > + (?:\s*=\s* > + (?P<val> > + "(?:[^\\"]|\\.)*" | > +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> > t.Iterator[t.Tuple[bytes, bytes]]: > + """Lowlevel cookie parsing facility that operates on > bytes.""" > + i = 0 > + n = len(b) > ++ b += b";" > + > + while i < n: > +- match = _cookie_re.search(b + b";", i) > ++ match = _cookie_re.match(b, i) > ++ > + if not match: > + break > + > +- key = match.group("key").strip() > +- value = match.group("val") or b"" > + i = match.end(0) > ++ key = match.group("key").strip() > ++ > ++ if not key: > ++ continue > + > ++ value = match.group("val") or b"" > + yield key, _cookie_unquote(value) > + > + > +diff --git a/src/werkzeug/http.py > <https://urldefense.com/v3/__http:/http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> > b/src/werkzeug/http.py > 
<https://urldefense.com/v3/__http:/http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> > +index 9369900..ae133e3 100644 > +--- a/src/werkzeug/http.py > <https://urldefense.com/v3/__http:/http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> > ++++ b/src/werkzeug/http.py > <https://urldefense.com/v3/__http:/http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42CACK-xA$> > +@@ -1205,10 +1205,6 @@ def parse_cookie( > + def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]: > + for key, val in _cookie_parse_impl(header): # type: > ignore > + key_str = _to_str(key, charset, errors, > allow_none_charset=True) > +- > +- if not key_str: > +- continue > +- > + val_str = _to_str(val, charset, errors, > allow_none_charset=True) > + yield key_str, val_str > + > +diff --git a/tests/test_http.py > <https://urldefense.com/v3/__http:/test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> > b/tests/test_http.py > <https://urldefense.com/v3/__http:/test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> > +index 5936bfa..59cc179 100644 > +--- a/tests/test_http.py > <https://urldefense.com/v3/__http:/test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> > ++++ b/tests/test_http.py > <https://urldefense.com/v3/__http:/test_http.py__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA42izb7SXw$> > +@@ -427,7 +427,8 @@ class TestHTTPUtility: > + def test_parse_cookie(self): > + cookies = http.parse_cookie( > + "dismiss-top=6; CP=null*; > PHPSESSID=0a539d42abc001cdc762809248d4beed;" > +- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; > "__Secure-c"=d' > ++ 'a=42; b="\\";"; ; 
fo234{=bar;blub=Blah; > "__Secure-c"=d;' > ++ "==__Host-eq=bad;__Host-eq=good;" > + ) > + assert cookies.to_dict() == { > + "CP": "null*", > +@@ -438,6 +439,7 @@ class TestHTTPUtility: > + "fo234{": "bar", > + "blub": "Blah", > + '"__Secure-c"': "d", > ++ "__Host-eq": "good", > + } > + > + def test_dump_cookie(self): > +-- > +2.40.0 > diff --git > a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http:/python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> > b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http:/python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> > index 476a3a5964..ca8705146e 100644 > --- > a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http:/python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> > +++ > b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb > <https://urldefense.com/v3/__http:/python3-werkzeug_2.1.1.bb__;!!AjveYdw8EvQ!ZvOorDfOQ_KpEJTHk_XU_lnxnaCMh_Vx1SzdGqA7PxwWGmD1tbYEb5Feqzv2UAhyU9W6r44OcxKB_13MA41M9C3f8A$> > @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM = > "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" > <file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462> > > PYPI_PACKAGE = "Werkzeug" > > +SRC_URI += "file://CVE-2023-23934.patch" > <file://CVE-2023-23934.patch> > + > SRC_URI[sha256sum] = > "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74" > > inherit pypi setuptools3 > -- > 2.40.0 > > >
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
new file mode 100644
index 0000000000..0be97d2888
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
@@ -0,0 +1,116 @@ +From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001 +From: David Lord <davidism@gmail.com> +Date: Wed, 10 May 2023 11:33:18 +0000 +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q + +don't strip leading `=` when parsing cookie + +"src/werkzeug/sansio/http.py" file is not available in the current recipe +version 2.1.1 and this has been introduced from 2.2.0 version. Before 2.2.0 +version, this http.py file was only available in the "src/werkzeug/http.py" +and we could see the same functions available there which are getting modified +in the CVE fix commit. Hence, modifying the same at "src/werkzeug/http.py" file. + +CVE: CVE-2023-23934 + +Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + CHANGES.rst | 4 ++++ + src/werkzeug/_internal.py | 13 +++++++++---- + src/werkzeug/http.py | 4 ---- + tests/test_http.py | 4 +++- + 4 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/CHANGES.rst b/CHANGES.rst +index a351d7c..23505d3 100644 +--- a/CHANGES.rst ++++ b/CHANGES.rst +@@ -1,5 +1,9 @@ + .. currentmodule:: werkzeug + ++- A cookie header that starts with ``=`` is treated as an empty key and discarded, ++ rather than stripping the leading ``==``. 
++ ++ + Version 2.1.1 + ------------- + +diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py +index a8b3523..d6290ba 100644 +--- a/src/werkzeug/_internal.py ++++ b/src/werkzeug/_internal.py +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].") + _legal_cookie_chars_re = rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" + _cookie_re = re.compile( + rb""" +- (?P<key>[^=;]+) ++ (?P<key>[^=;]*) + (?:\s*=\s* + (?P<val> + "(?:[^\\"]|\\.)*" | +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) -> t.Iterator[t.Tuple[bytes, bytes]]: + """Lowlevel cookie parsing facility that operates on bytes.""" + i = 0 + n = len(b) ++ b += b";" + + while i < n: +- match = _cookie_re.search(b + b";", i) ++ match = _cookie_re.match(b, i) ++ + if not match: + break + +- key = match.group("key").strip() +- value = match.group("val") or b"" + i = match.end(0) ++ key = match.group("key").strip() ++ ++ if not key: ++ continue + ++ value = match.group("val") or b"" + yield key, _cookie_unquote(value) + + +diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py +index 9369900..ae133e3 100644 +--- a/src/werkzeug/http.py ++++ b/src/werkzeug/http.py +@@ -1205,10 +1205,6 @@ def parse_cookie( + def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]: + for key, val in _cookie_parse_impl(header): # type: ignore + key_str = _to_str(key, charset, errors, allow_none_charset=True) +- +- if not key_str: +- continue +- + val_str = _to_str(val, charset, errors, allow_none_charset=True) + yield key_str, val_str + +diff --git a/tests/test_http.py b/tests/test_http.py +index 5936bfa..59cc179 100644 +--- a/tests/test_http.py ++++ b/tests/test_http.py +@@ -427,7 +427,8 @@ class TestHTTPUtility: + def test_parse_cookie(self): + cookies = http.parse_cookie( + "dismiss-top=6; CP=null*; PHPSESSID=0a539d42abc001cdc762809248d4beed;" +- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d' ++ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;' ++ "==__Host-eq=bad;__Host-eq=good;" + ) + assert 
cookies.to_dict() == { + "CP": "null*", +@@ -438,6 +439,7 @@ class TestHTTPUtility: + "fo234{": "bar", + "blub": "Blah", + '"__Secure-c"': "d", ++ "__Host-eq": "good", + } + + def test_dump_cookie(self): +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb index 476a3a5964..ca8705146e 100644 --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" PYPI_PACKAGE = "Werkzeug" +SRC_URI += "file://CVE-2023-23934.patch" + SRC_URI[sha256sum] = "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74" inherit pypi setuptools3
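Review bot: The provenance recorded in the patch header does not line up: the `From b070a40ebbd89d88f4d8144a6ece017d33604d00` line and `Date: Wed, 10 May 2023` describe the local rebase, while `Upstream-Status: Backport` points at upstream commit cf275f42acad1b5950c50ffe8ef58fe62cdce028, and a CVE backport should carry the upstream id in the `From` line (or state explicitly that it is rebased from that commit) so the fix can be audited against the advisory. The added test only exercises the double-`=` form `==__Host-eq=bad`, whereas the commit message's own example is a single leading `=`; adding `"=__Host-one=bad;__Host-one=good;"` to the parsed string and `"__Host-one": "good"` to the expected dict would pin the reported case directly. With `_cookie_re.match` and `[^=;]*` now admitting an empty key, the `continue` in `_cookie_parse_impl` only terminates because every match must consume at least the trailing `;` so `i` advances — the tail of `_cookie_re` that guarantees this is outside the hunk, and a comment on the `i = match.end(0)` line such as `# each match consumes through the next ';', so i always advances` would make that invariant explicit for the next backporter.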