From 32937a3a49e95d045b218c53e4c24e84b10f2341 Mon Sep 17 00:00:00 2001 From: bbrucezhang Date: Mon, 8 Dec 2025 11:41:44 +0800 Subject: [PATCH 1/2] Update to 5.6.5 --- CVE-2025-64076.patch | 71 ++++++++++++++++++++++++++++++++++++++++++++ python-cbor2.spec | 37 ++++++++++++----------- sources | 2 +- 3 files changed, 91 insertions(+), 19 deletions(-) create mode 100644 CVE-2025-64076.patch diff --git a/CVE-2025-64076.patch b/CVE-2025-64076.patch new file mode 100644 index 0000000..8f26ad1 --- /dev/null +++ b/CVE-2025-64076.patch 
@@ -0,0 +1,71 @@ +From 851473490281f82d82560b2368284ef33cf6e8f9 Mon Sep 17 00:00:00 2001 +From: lizhenghao +Date: Wed, 22 Oct 2025 10:26:34 +0800 +Subject: [PATCH] Fix: Fixed a read(-1) vulnerability caused by boundary + handling error in #264 + +--- + source/decoder.c | 8 +++++++- + tests/test_decoder.py | 22 ++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 1 deletion(-) + +diff --git a/source/decoder.c b/source/decoder.c +index 043210b..8b6b842 100644 +--- a/source/decoder.c ++++ b/source/decoder.c +@@ -759,7 +759,7 @@ decode_definite_long_string(CBORDecoderObject *self, Py_ssize_t length) + char *buffer = NULL; + while (left) { + // Read up to 65536 bytes of data from the stream +- Py_ssize_t chunk_length = 65536 - buffer_size; ++ Py_ssize_t chunk_length = 65536 - buffer_length; + if (left < chunk_length) + chunk_length = left; + +@@ -829,7 +829,13 @@ decode_definite_long_string(CBORDecoderObject *self, Py_ssize_t length) + memcpy(buffer, bytes_buffer + consumed, unconsumed); + } + buffer_length = unconsumed; ++ } else { ++ // All bytes consumed, reset buffer_length ++ buffer_length = 0; + } ++ ++ Py_DECREF(chunk); ++ chunk = NULL; + } + + if (ret && string_namespace_add(self, ret, length) == -1) +diff --git a/tests/test_decoder.py b/tests/test_decoder.py +index 0a3e8dd..c1dce57 100644 +--- a/tests/test_decoder.py ++++ b/tests/test_decoder.py +@@ -260,6 +260,28 @@ def test_string_oversized(impl) -> None: + (impl.loads(unhexlify("aeaeaeaeaeaeaeaeae0108c29843d90100d8249f0000aeaeffc26ca799")),) + + ++def test_string_issue_264_multiple_chunks_utf8_boundary(impl) -> None: ++ """Test for Issue #264: UTF-8 characters split across multiple 65536-byte chunk boundaries.""" ++ import struct ++ ++ # Construct: 65535 'a' + '€' (3 bytes) + 65533 'b' + '€' (3 bytes) + 100 'd' ++ # Total: 131174 bytes, which spans 3 chunks (65536 + 65536 + 102) ++ total_bytes = 65535 + 3 + 65533 + 3 + 100 ++ ++ payload = b'\x7a' + struct.pack('>I', total_bytes) # major type 3, 4-byte 
length ++ payload += b'a' * 65535 ++ payload += '€'.encode('utf-8') # U+20AC: E2 82 AC ++ payload += b'b' * 65533 ++ payload += '€'.encode('utf-8') ++ payload += b'd' * 100 ++ ++ expected = 'a' * 65535 + '€' + 'b' * 65533 + '€' + 'd' * 100 ++ ++ result = impl.loads(payload) ++ assert result == expected ++ assert len(result) == 131170 # 65535 + 1 + 65533 + 1 + 100 characters ++ ++ + @pytest.mark.parametrize( + "payload, expected", + [ diff --git a/python-cbor2.spec b/python-cbor2.spec index 59991df..fa0c187 100644 --- a/python-cbor2.spec +++ b/python-cbor2.spec @@ -1,15 +1,17 @@ %global pypi_name cbor2 Name: python-%{pypi_name} -Version: 5.1.2 -Release: 3%{?dist} +Version: 5.6.5 +Release: 1%{?dist} Summary: Python CBOR (de)serializer with extensive tag support License: MIT URL: https://github.com/agronholm/cbor2 Source0: %{pypi_source} +Patch0: CVE-2025-64076.patch BuildRequires: gcc +BuildRequires: python3-devel %description This library provides encoding and decoding for the Concise Binary Object @@ -18,13 +20,6 @@ Representation (CBOR) (RFC 7049) serialization format. %package -n python3-%{pypi_name} Summary: %{summary} -BuildRequires: python3-devel -BuildRequires: python3dist(pytest) -BuildRequires: python3dist(pytest-cov) -BuildRequires: python3dist(setuptools) -BuildRequires: python3dist(setuptools-scm) -%{?python_provide:%python_provide python3-%{pypi_name}} - %description -n python3-%{pypi_name} This library provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 7049) serialization format. 
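Review bot: The regression test at the end of the patch (`test_string_issue_264_multiple_chunks_utf8_boundary`) asserts only the decoded value, so nothing pins the read length that is the actual CVE condition; if the pre-fix `65536 - buffer_size` arithmetic surfaced as an oversized `read()`, as the subject line's "read(-1)" suggests, a `BytesIO`-backed `loads` could still have returned the right string. A second test that feeds `impl.load` a file-like wrapper recording every `n` passed to `read()` and asserts `0 < n <= 65536` would fail on the old code and document the contract stated by the loop comment ("Read up to 65536 bytes"); this assumes the decoder reads through `fp.read(n)`, which the hunk does not show, and needs `io` imported at module level. Two smaller points: `import struct` inside the test body is a function-scope import that belongs with the module's imports, and the patch header gives no upstream commit or PR reference for `851473490281f82d82560b2368284ef33cf6e8f9`, which a reviewer needs in order to confirm the backport matches upstream's CVE-2025-64076 fix — add an `Upstream:`/`Origin:` line if it is one. The `Py_DECREF(chunk); chunk = NULL;` added inside the loop is correct only if no path after the loop also releases `chunk`; where `chunk` is created and any cleanup after the loop in `decode_definite_long_string` lie outside the hunk, so that should be checked.
```python
class _RecordingStream:
    """Wrap a byte string and record every length requested from read()."""

    def __init__(self, data: bytes) -> None:
        self._buf = io.BytesIO(data)
        self.read_sizes: list[int] = []

    def read(self, n: int = -1) -> bytes:
        self.read_sizes.append(n)
        return self._buf.read(n)


def test_string_issue_264_read_lengths_bounded(impl) -> None:
    """Issue #264: chunked long-string reads never request a negative or oversized length."""
    # … same payload / expected construction as test_string_issue_264_multiple_chunks_utf8_boundary …
    stream = _RecordingStream(payload)
    assert impl.load(stream) == expected
    assert all(0 < n <= 65536 for n in stream.read_sizes)
```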
@@ -32,39 +27,45 @@ Representation (CBOR) (RFC 7049) serialization format. %package -n python-%{pypi_name}-doc Summary: cbor2 documentation BuildArch: noarch - BuildRequires: python3dist(sphinx) BuildRequires: python3dist(sphinx-rtd-theme) +BuildRequires: python3dist(sphinx-autodoc-typehints) + %description -n python-%{pypi_name}-doc Documentation for cbor2. %prep -%autosetup -n %{pypi_name}-%{version} -rm -rf %{pypi_name}.egg-info +%autosetup -n %{pypi_name}-%{version} -p1 + +%generate_buildrequires +%pyproject_buildrequires -x test %build -%py3_build +%pyproject_wheel %install -%py3_install +%pyproject_install +%pyproject_save_files %{pypi_name} PYTHONPATH=${PWD} sphinx-build-3 docs html rm -rf html/.{doctrees,buildinfo} %check %pytest -v tests -%files -n python3-%{pypi_name} -%license LICENSE.txt +%files -n python3-%{pypi_name} -f %{pyproject_files} %doc README.rst -%{python3_sitearch}/%{pypi_name}/ %{python3_sitearch}/_%{pypi_name}.*.so -%{python3_sitearch}/%{pypi_name}-%{version}-py%{python3_version}.egg-info/ +%{_bindir}/%{pypi_name} %files -n python-%{pypi_name}-doc %doc html %license LICENSE.txt %changelog +* Mon Dec 08 2025 bbrucezhang - 5.6.5-1 +- [Type] security +- [DESC] Update to 5.6.5 + * Wed Jun 11 2025 bbrucezhang - 5.1.2-3 - Rebuilt for loongarch64 diff --git a/sources b/sources index be569a4..df7dc3f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (cbor2-5.1.2.tar.gz) = 81e4c3e8c727fea6db8bbed657806ace8777d8ad157395de3db7f0dab369abcd7f173f0cfad538c325a49bf90b450eab16ad2f4aa4f69c324dd0807ae0ab556f +SHA512 (cbor2-5.6.5.tar.gz) = 9c3fc14b579e8c687b3e955452fcf9056fcfcce8ebe72b89c7d6e74e0ba5a29e0a61a225bbb6040f73285dfcc9f3bb37758badbbf45bd723ead8ecdf7e64b685 -- Gitee From 398e9ee0f9e366957a89885a04e58de463f6584c Mon Sep 17 00:00:00 2001 From: bbrucezhang Date: Mon, 15 Dec 2025 15:10:26 +0800 Subject: [PATCH 2/2] small fix --- python-cbor2.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
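Review bot: The new changelog entry (`[DESC] Update to 5.6.5`) never names CVE-2025-64076 even though the commit adds `CVE-2025-64076.patch` and tags itself `[Type] security`, so the fix is not discoverable from `rpm -q --changelog`; add a line such as `- Fix CVE-2025-64076: bounded chunk reads in decode_definite_long_string (CVE-2025-64076.patch)`. The `%autosetup ... -p1` matches the `a/source/decoder.c` paths in the patch, and `%check` still runs `%pytest -v tests`, so the patch's regression test is exercised at build time — worth stating in the commit message. This hunk also drops `%license LICENSE.txt` from the python3 subpackage and relies on `%pyproject_save_files` to pick the license up from dist-info; if the target pyproject-rpm-macros supports it, `%pyproject_save_files -l %{pypi_name}` makes the build fail when no license file is recorded, which is the check that replaces the removed line. The explicit `%{python3_sitearch}/_%{pypi_name}.*.so` entry looks intentional because the `cbor2` glob would not match the `_cbor2` extension module, but that should be confirmed against the build log rather than assumed.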
diff --git a/python-cbor2.spec b/python-cbor2.spec index fa0c187..aa01830 100644 --- a/python-cbor2.spec +++ b/python-cbor2.spec @@ -8,7 +8,7 @@ Summary: Python CBOR (de)serializer with extensive tag support License: MIT URL: https://github.com/agronholm/cbor2 Source0: %{pypi_source} -Patch0: CVE-2025-64076.patch +Patch0001: CVE-2025-64076.patch BuildRequires: gcc BuildRequires: python3-devel -- Gitee