This change is now merged in kirkstone and causes:
ERROR: python3-werkzeug-2.1.1-r0 do_patch: Fuzz detected:
Applying patch CVE-2023-23934.patch
patching file CHANGES.rst
Hunk #1 succeeded at 6 with fuzz 2 (offset 5 lines).
patching file src/werkzeug/_internal.py
patching file src/werkzeug/http.py
patching file tests/test_http.py
The context lines in the patches can be updated with devtool:
devtool modify python3-werkzeug
devtool finish --force-patch-refresh python3-werkzeug <layer_path>
Don't forget to review changes done by devtool!
ERROR: python3-werkzeug-2.1.1-r0 do_patch: QA Issue: Patch log
indicates that patches do not apply cleanly. [patch-fuzz]
Please send a follow-up patch to fix patch-fuzz.
On Wed, May 10, 2023 at 4:16 PM Narpat Mali via lists.openembedded.org
<[email protected]> wrote:
> From: Narpat Mali <[email protected]>
>
> Werkzeug is a comprehensive WSGI web application library. Browsers may allow
> "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
> browser may allow a compromised application on an adjacent subdomain to exploit
> this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
> prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`.
> If a Werkzeug application is running next to a vulnerable or malicious subdomain
> which sets such a cookie using a vulnerable browser, the Werkzeug application
> will see the bad cookie value but the valid cookie key. The issue is fixed in
> Werkzeug 2.2.3.
>
> Signed-off-by: Narpat Mali <[email protected]>
> ---
> .../python3-werkzeug/CVE-2023-23934.patch | 116 ++++++++++++++++++
> .../python/python3-werkzeug_2.1.1.bb | 2 +
> 2 files changed, 118 insertions(+)
> create mode 100644
> meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
>
> diff --git
> a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
> b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
> new file mode 100644
> index 0000000000..0be97d2888
> --- /dev/null
> +++
> b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2023-23934.patch
> @@ -0,0 +1,116 @@
> +From b070a40ebbd89d88f4d8144a6ece017d33604d00 Mon Sep 17 00:00:00 2001
> +From: David Lord <[email protected]>
> +Date: Wed, 10 May 2023 11:33:18 +0000
> +Subject: [PATCH] Merge pull request from GHSA-px8h-6qxv-m22q
> +
> +don't strip leading `=` when parsing cookie
> +
> +"src/werkzeug/sansio/http.py" file is not available in the current recipe
> +version 2.1.1 and this has been introduced from 2.2.0 version. Before
> 2.2.0
> +version, this http.py file was only available in the
> "src/werkzeug/http.py"
> +and we could see the same functions available there which are getting
> modified
> +in the CVE fix commit. Hence, modifying the same at
> "src/werkzeug/http.py" file.
> +
> +CVE: CVE-2023-23934
> +
> +Upstream-Status: Backport [
> https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
> ]
> +
> +Signed-off-by: Narpat Mali <[email protected]>
> +---
> + CHANGES.rst | 4 ++++
> + src/werkzeug/_internal.py | 13 +++++++++----
> + src/werkzeug/http.py | 4 ----
> + tests/test_http.py | 4 +++-
> + 4 files changed, 16 insertions(+), 9 deletions(-)
> +
> +diff --git a/CHANGES.rst b/CHANGES.rst
> +index a351d7c..23505d3 100644
> +--- a/CHANGES.rst
> ++++ b/CHANGES.rst
> +@@ -1,5 +1,9 @@
> + .. currentmodule:: werkzeug
> +
> ++- A cookie header that starts with ``=`` is treated as an empty key
> and discarded,
> ++ rather than stripping the leading ``==``.
> ++
> ++
> + Version 2.1.1
> + -------------
> +
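Review bot: the context of this CHANGES.rst hunk does not match the 2.1.1 sources; the reply at the top of the thread shows it applying only with fuzz 2 at an offset of 5 lines, which is what trips the patch-fuzz QA check and fails do_patch. Either regenerate the context with `devtool modify python3-werkzeug` and `devtool finish --force-patch-refresh`, or drop the changelog hunk from the backport entirely, since it changes no code and is the only hunk that fuzzes. Note also that the entry is inserted between `.. currentmodule:: werkzeug` and the `Version 2.1.1` heading, so it sits above any release heading.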
> +diff --git a/src/werkzeug/_internal.py b/src/werkzeug/_internal.py
> +index a8b3523..d6290ba 100644
> +--- a/src/werkzeug/_internal.py
> ++++ b/src/werkzeug/_internal.py
> +@@ -34,7 +34,7 @@ _quote_re = re.compile(rb"[\\].")
> + _legal_cookie_chars_re =
> rb"[\w\d!#%&\'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]"
> + _cookie_re = re.compile(
> + rb"""
> +- (?P<key>[^=;]+)
> ++ (?P<key>[^=;]*)
> + (?:\s*=\s*
> + (?P<val>
> + "(?:[^\\"]|\\.)*" |
> +@@ -382,16 +382,21 @@ def _cookie_parse_impl(b: bytes) ->
> t.Iterator[t.Tuple[bytes, bytes]]:
> + """Lowlevel cookie parsing facility that operates on bytes."""
> + i = 0
> + n = len(b)
> ++ b += b";"
> +
> + while i < n:
> +- match = _cookie_re.search(b + b";", i)
> ++ match = _cookie_re.match(b, i)
> ++
> + if not match:
> + break
> +
> +- key = match.group("key").strip()
> +- value = match.group("val") or b""
> + i = match.end(0)
> ++ key = match.group("key").strip()
> ++
> ++ if not key:
> ++ continue
> +
> ++ value = match.group("val") or b""
> + yield key, _cookie_unquote(value)
> +
> +
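Review bot: the ordering in this hunk is the part to check, and it is right: `i = match.end(0)` runs before `if not key: continue`, so a discarded empty-key match still advances the cursor and cannot loop forever, and `n = len(b)` is taken before `b += b";"`, so the appended terminator is never scanned as a pair of its own. The actual fix is the switch from `search()` to `match()` together with the `[^=;]*` key group in the previous hunk: `search()` could slide past a leading `=` and report `=__Host-test=bad` as key `__Host-test`, whereas the anchored `match()` sees the empty key and this loop drops it. That empty-key filter is also what the `http.py` hunk below relies on when it removes its own check, so the two hunks have to land together.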
> +diff --git a/src/werkzeug/http.py b/src/werkzeug/http.py
> +index 9369900..ae133e3 100644
> +--- a/src/werkzeug/http.py
> ++++ b/src/werkzeug/http.py
> +@@ -1205,10 +1205,6 @@ def parse_cookie(
> + def _parse_pairs() -> t.Iterator[t.Tuple[str, str]]:
> + for key, val in _cookie_parse_impl(header): # type: ignore
> + key_str = _to_str(key, charset, errors,
> allow_none_charset=True)
> +-
> +- if not key_str:
> +- continue
> +-
> + val_str = _to_str(val, charset, errors,
> allow_none_charset=True)
> + yield key_str, val_str
> +
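Review bot: dropping `if not key_str: continue` here is only safe because `_cookie_parse_impl` now discards empty keys before they reach `_parse_pairs`; if the `_internal.py` hunk were ever rejected or reverted on its own, empty keys would be yielded from `parse_cookie` again. Keeping the check would cost nothing and make each hunk independently safe, although matching upstream exactly is also a defensible choice for a backport.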
> +diff --git a/tests/test_http.py b/tests/test_http.py
> +index 5936bfa..59cc179 100644
> +--- a/tests/test_http.py
> ++++ b/tests/test_http.py
> +@@ -427,7 +427,8 @@ class TestHTTPUtility:
> + def test_parse_cookie(self):
> + cookies = http.parse_cookie(
> + "dismiss-top=6; CP=null*;
> PHPSESSID=0a539d42abc001cdc762809248d4beed;"
> +- 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d'
> ++ 'a=42; b="\\";"; ; fo234{=bar;blub=Blah; "__Secure-c"=d;'
> ++ "==__Host-eq=bad;__Host-eq=good;"
> + )
> + assert cookies.to_dict() == {
> + "CP": "null*",
> +@@ -438,6 +439,7 @@ class TestHTTPUtility:
> + "fo234{": "bar",
> + "blub": "Blah",
> + '"__Secure-c"': "d",
> ++ "__Host-eq": "good",
> + }
> +
> + def test_dump_cookie(self):
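Review bot: the new assertion checks only that `__Host-eq` resolves to `good` after the `==__Host-eq=bad;` entry is discarded; a separate assertion that `http.parse_cookie("=__Host-eq=bad")` yields no `__Host-eq` key at all would pin the exact advisory case without depending on the later `__Host-eq=good` pair.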
> +--
> +2.40.0
> diff --git a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
> b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
> index 476a3a5964..ca8705146e 100644
> --- a/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
> +++ b/meta-python/recipes-devtools/python/python3-werkzeug_2.1.1.bb
> @@ -12,6 +12,8 @@ LIC_FILES_CHKSUM =
> "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462"
>
> PYPI_PACKAGE = "Werkzeug"
>
> +SRC_URI += "file://CVE-2023-23934.patch"
> +
> SRC_URI[sha256sum] =
> "f8e89a20aeabbe8a893c24a461d3ee5dad2123b05cc6abd73ceed01d39c3ae74"
>
> inherit pypi setuptools3
> --
> 2.40.0
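The parsing change in the quoted patch, reproduced as an added example (this is not code from the patch or from werkzeug itself): the pre-fix and post-fix loops of `_cookie_parse_impl` run side by side over the `=__Host-test=bad` header from the description above. The regex tail after the `key` group is reconstructed from upstream werkzeug and is an assumption of this example, and values are returned as matched, without werkzeug's `_cookie_unquote`.

```python
import re
from typing import Iterator, Tuple

# Shape of werkzeug 2.1's _cookie_re. The hunk shows only the changed "key"
# group; the tail (lazy value, terminating ';') is an assumption taken from upstream.
def _make_re(key_group: bytes) -> "re.Pattern[bytes]":
    return re.compile(
        rb"(?P<key>" + key_group + rb""")
        (?:\s*=\s*
            (?P<val>
                "(?:[^\\"]|\\.)*" |
                 (?:.*?)
            )
        )?
        \s*;
        """,
        flags=re.VERBOSE,
    )

_OLD_RE = _make_re(rb"[^=;]+")  # before the fix: the key must be non-empty
_NEW_RE = _make_re(rb"[^=;]*")  # after the fix: the key may be empty

def parse_old(b: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Pre-fix loop: search() slides past a leading '=' to find a non-empty key."""
    i, n = 0, len(b)
    while i < n:
        match = _OLD_RE.search(b + b";", i)
        if not match:
            break
        key = match.group("key").strip()
        value = match.group("val") or b""
        i = match.end(0)
        yield key, value

def parse_new(b: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Fixed loop: match() is anchored at i, and an empty key is discarded."""
    i, n = 0, len(b)          # n is fixed before the terminator is appended
    b += b";"
    while i < n:
        match = _NEW_RE.match(b, i)
        if not match:
            break
        i = match.end(0)      # advance first, so an empty key cannot loop forever
        key = match.group("key").strip()
        if not key:
            continue
        yield key, match.group("val") or b""

if __name__ == "__main__":
    hdr = b"=__Host-test=bad"  # constructed sample header from the advisory text
    print("old:", list(parse_old(hdr)), "new:", list(parse_new(hdr)))
```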
View/Reply Online (#103558):
https://lists.openembedded.org/g/openembedded-devel/message/103558