1 files changed, 120 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0002.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0002.patch
new file mode 100644
index 0000000000..37d5ba47c7
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0002.patch
@@ -0,0 +1,120 @@
+From 890b6b62634fa61224222aee31081c61b054ff01 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Fri, 3 May 2024 14:49:43 -0700
+Subject: [PATCH] only require trusted host for evalex
+CVE: CVE-2024-34069
+Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/890b6b62634fa61224222aee31081c61b054ff01]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/werkzeug/debug/__init__.py | 25 ++++++++++++++++++++-----
+ src/werkzeug/sansio/utils.py   |  2 +-
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
+index 87e68c4..0302b24 100644
+--- a/src/werkzeug/debug/__init__.py
+++ b/src/werkzeug/debug/__init__.py
+@@ -16,7 +16,9 @@ from zlib import adler32
+ from .._internal import _log
+ from ..exceptions import NotFound
+from ..exceptions import SecurityError
+ from ..http import parse_cookie
+from ..sansio.utils import host_is_trusted
+ from ..security import gen_salt
+ from ..utils import send_file
+ from ..wrappers.request import Request
+@@ -331,7 +333,7 @@ class DebuggedApplication:
+             is_trusted = bool(self.check_pin_trust(environ))
+             html = tb.render_debugger_html(
+-                evalex=self.evalex,
+                evalex=self.evalex and self.check_host_trust(environ),
+                 secret=self.secret,
+                 evalex_trusted=is_trusted,
+             )
+@@ -359,10 +361,16 @@ class DebuggedApplication:
+         frame: t.Union[DebugFrameSummary, _ConsoleFrame],
+     ) -> Response:
+         """Execute a command in a console."""
+        if not self.check_host_trust(request.environ):
+            return SecurityError()  # type: ignore[return-value]
+
+         return Response(frame.eval(command), mimetype="text/html")
+     def display_console(self, request: Request) -> Response:
+         """Display a standalone shell."""
+        if not self.check_host_trust(request.environ):
+            return SecurityError()  # type: ignore[return-value]
+
+         if 0 not in self.frames:
+             if self.console_init_func is None:
+                 ns = {}
+@@ -411,12 +419,18 @@ class DebuggedApplication:
+             return None
+         return (time.time() - PIN_TIME) < int(ts)
+    def check_host_trust(self, environ: WSGIEnvironment) -> bool:
+        return host_is_trusted(environ.get("HTTP_HOST"), self.trusted_hosts)
+
+     def _fail_pin_auth(self) -> None:
+         time.sleep(5.0 if self._failed_pin_auth > 5 else 0.5)
+         self._failed_pin_auth += 1
+     def pin_auth(self, request: Request) -> Response:
+         """Authenticates with the pin."""
+        if not self.check_host_trust(request.environ):
+            return SecurityError()  # type: ignore[return-value]
+
+         exhausted = False
+         auth = False
+         trust = self.check_pin_trust(request.environ)
+@@ -466,8 +480,11 @@ class DebuggedApplication:
+             rv.delete_cookie(self.pin_cookie_name)
+         return rv
+-    def log_pin_request(self) -> Response:
+    def log_pin_request(self, request: Request) -> Response:
+         """Log the pin if needed."""
+        if not self.check_host_trust(request.environ):
+            return SecurityError()  # type: ignore[return-value]
+
+         if self.pin_logging and self.pin is not None:
+             _log(
+                 "info", " * To enable the debugger you need to enter the security pin:"
+@@ -483,8 +500,6 @@ class DebuggedApplication:
+         # form data!  Otherwise the application won't have access to that data
+         # any more!
+         request = Request(environ)
+-        request.trusted_hosts = self.trusted_hosts
+-        assert request.host  # will raise 400 error if not trusted
+         response = self.debug_application
+         if request.args.get("__debugger__") == "yes":
+             cmd = request.args.get("cmd")
+@@ -496,7 +511,7 @@ class DebuggedApplication:
+             elif cmd == "pinauth" and secret == self.secret:
+                 response = self.pin_auth(request)  # type: ignore
+             elif cmd == "printpin" and secret == self.secret:
+-                response = self.log_pin_request()  # type: ignore
+                response = self.log_pin_request(request)  # type: ignore
+             elif (
+                 self.evalex
+                 and cmd is not None
+diff --git a/src/werkzeug/sansio/utils.py b/src/werkzeug/sansio/utils.py
+index 1b4d892..7e7b4d2 100644
+--- a/src/werkzeug/sansio/utils.py
+++ b/src/werkzeug/sansio/utils.py
+@@ -6,7 +6,7 @@ from ..urls import uri_to_iri
+ from ..urls import url_quote
+-def host_is_trusted(hostname: str, trusted_list: t.Iterable[str]) -> bool:
+def host_is_trusted(hostname: str | None, trusted_list: t.Iterable[str]) -> bool:
+     """Check if a host matches a list of trusted names.
+     :param hostname: The name to check.
+--
+2.40.0

diff --git a/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0002.patch b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0002.patch new file mode 100644 index 0000000000..37d5ba47c7 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-werkzeug/CVE-2024-34069-0002.patch
@@ -0,0 +1,120 @@
	1	From 890b6b62634fa61224222aee31081c61b054ff01 Mon Sep 17 00:00:00 2001
	2	From: David Lord <davidism@gmail.com>
	3	Date: Fri, 3 May 2024 14:49:43 -0700
	4	Subject: [PATCH] only require trusted host for evalex
	5
	6	CVE: CVE-2024-34069
	7
	8	Upstream-Status: Backport [https://github.com/pallets/werkzeug/commit/890b6b62634fa61224222aee31081c61b054ff01]
	9
	10	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
	11	---
	12	src/werkzeug/debug/__init__.py \| 25 ++++++++++++++++++++-----
	13	src/werkzeug/sansio/utils.py \| 2 +-
	14	2 files changed, 21 insertions(+), 6 deletions(-)
	15
	16	diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
	17	index 87e68c4..0302b24 100644
	18	--- a/src/werkzeug/debug/__init__.py
	19	+++ b/src/werkzeug/debug/__init__.py
	20	@@ -16,7 +16,9 @@ from zlib import adler32
	21
	22	from .._internal import _log
	23	from ..exceptions import NotFound
	24	+from ..exceptions import SecurityError
	25	from ..http import parse_cookie
	26	+from ..sansio.utils import host_is_trusted
	27	from ..security import gen_salt
	28	from ..utils import send_file
	29	from ..wrappers.request import Request
	30	@@ -331,7 +333,7 @@ class DebuggedApplication:
	31
	32	is_trusted = bool(self.check_pin_trust(environ))
	33	html = tb.render_debugger_html(
	34	- evalex=self.evalex,
	35	+ evalex=self.evalex and self.check_host_trust(environ),
	36	secret=self.secret,
	37	evalex_trusted=is_trusted,
	38	)
	39	@@ -359,10 +361,16 @@ class DebuggedApplication:
	40	frame: t.Union[DebugFrameSummary, _ConsoleFrame],
	41	) -> Response:
	42	"""Execute a command in a console."""
	43	+ if not self.check_host_trust(request.environ):
	44	+ return SecurityError() # type: ignore[return-value]
	45	+
	46	return Response(frame.eval(command), mimetype="text/html")
	47
	48	def display_console(self, request: Request) -> Response:
	49	"""Display a standalone shell."""
	50	+ if not self.check_host_trust(request.environ):
	51	+ return SecurityError() # type: ignore[return-value]
	52	+
	53	if 0 not in self.frames:
	54	if self.console_init_func is None:
	55	ns = {}
	56	@@ -411,12 +419,18 @@ class DebuggedApplication:
	57	return None
	58	return (time.time() - PIN_TIME) < int(ts)
	59
	60	+ def check_host_trust(self, environ: WSGIEnvironment) -> bool:
	61	+ return host_is_trusted(environ.get("HTTP_HOST"), self.trusted_hosts)
	62	+
	63	def _fail_pin_auth(self) -> None:
	64	time.sleep(5.0 if self._failed_pin_auth > 5 else 0.5)
	65	self._failed_pin_auth += 1
	66
	67	def pin_auth(self, request: Request) -> Response:
	68	"""Authenticates with the pin."""
	69	+ if not self.check_host_trust(request.environ):
	70	+ return SecurityError() # type: ignore[return-value]
	71	+
	72	exhausted = False
	73	auth = False
	74	trust = self.check_pin_trust(request.environ)
	75	@@ -466,8 +480,11 @@ class DebuggedApplication:
	76	rv.delete_cookie(self.pin_cookie_name)
	77	return rv
	78
	79	- def log_pin_request(self) -> Response:
	80	+ def log_pin_request(self, request: Request) -> Response:
	81	"""Log the pin if needed."""
	82	+ if not self.check_host_trust(request.environ):
	83	+ return SecurityError() # type: ignore[return-value]
	84	+
	85	if self.pin_logging and self.pin is not None:
	86	_log(
	87	"info", " * To enable the debugger you need to enter the security pin:"
	88	@@ -483,8 +500,6 @@ class DebuggedApplication:
	89	# form data! Otherwise the application won't have access to that data
	90	# any more!
	91	request = Request(environ)
	92	- request.trusted_hosts = self.trusted_hosts
	93	- assert request.host # will raise 400 error if not trusted
	94	response = self.debug_application
	95	if request.args.get("__debugger__") == "yes":
	96	cmd = request.args.get("cmd")
	97	@@ -496,7 +511,7 @@ class DebuggedApplication:
	98	elif cmd == "pinauth" and secret == self.secret:
	99	response = self.pin_auth(request) # type: ignore
	100	elif cmd == "printpin" and secret == self.secret:
	101	- response = self.log_pin_request() # type: ignore
	102	+ response = self.log_pin_request(request) # type: ignore
	103	elif (
	104	self.evalex
	105	and cmd is not None
	106	diff --git a/src/werkzeug/sansio/utils.py b/src/werkzeug/sansio/utils.py
	107	index 1b4d892..7e7b4d2 100644
	108	--- a/src/werkzeug/sansio/utils.py
	109	+++ b/src/werkzeug/sansio/utils.py
	110	@@ -6,7 +6,7 @@ from ..urls import uri_to_iri
	111	from ..urls import url_quote
	112
	113
	114	-def host_is_trusted(hostname: str, trusted_list: t.Iterable[str]) -> bool:
	115	+def host_is_trusted(hostname: str \| None, trusted_list: t.Iterable[str]) -> bool:
	116	"""Check if a host matches a list of trusted names.
	117
	118	:param hostname: The name to check.
	119	--
	120	2.40.0