Skip to content

deps: relax cbor2 upper bound to permit >=5.9.0#832

Open
k9ert wants to merge 2 commits into
bitcoin-core:masterfrom
k9ert:kn/relax-cbor2-cap
Open

deps: relax cbor2 upper bound to permit >=5.9.0#832
k9ert wants to merge 2 commits into
bitcoin-core:masterfrom
k9ert:kn/relax-cbor2-cap

Conversation

@k9ert
Copy link
Copy Markdown

@k9ert k9ert commented Apr 30, 2026

Summary

Relax the cbor2 constraint from >=5.4.6,<5.8 to >=5.4.6,!=5.8.0,<6.0.0, allowing downstreams to install HWI together with cbor2>=5.9.0.

Motivation

The current <5.8 cap was introduced in 38fae57 ("Constrain cbor2 to <5.8") in response to #817cbor2==5.8.0 changes the decoder's stream-read pattern from read(n=1) to read(n=4096), which causes Jade signing to hang on pyserial-style transports.

That fix made sense at the time, but it traps downstream users at a vulnerable version of cbor2:

  • GHSA-3c37-wwvx-h642 (high severity): DoS via uncontrolled recursion in cbor2.loads. Affects all cbor2 < 5.9.0.
  • GHSA-wcj4-jw5j-44wh (medium): CBORDecoder reuse can leak shareable values across decode calls. Fixed in cbor2 >= 5.8.0.

The high-severity advisory is unfixable under the current cap. Downstream projects that pin cbor2>=5.9.0 for security cannot install HWI 3.2.0 without overriding the resolver.

Evidence

I built a hardware-in-the-loop matrix that exercises the full Jade signing path (enumerategetmasterxpubsigntx) under HWI 3.2.0 against cbor2 versions 5.7.1, 5.8.0, and 5.9.0, with and without a candidate read-loop patch.

Test repo (with raw logs and reproduction instructions): https://github.com/al-munazzim/hwi-jade-cbor-repro

mode \ cbor2 5.7.1 5.8.0 5.9.0
stock HWI 3.2.0 PASS FROZEN PASS
with read-loop patch PASS PASS PASS

Tested on macOS 15.4.1, Python 3.9.23, HWI 3.2.0, against an unlocked Jade signer. The key cell: stock HWI 3.2.0 + cbor2 5.9.0 completes Jade signing successfully without any code change in HWI. Whatever changed in cbor2 5.8.0 to break the read pattern appears resolved in 5.9.0 itself.

Scope

This PR is intentionally minimal: cap relax only.

The JadeInterface.read() loop is still fragile — a future cbor2 change could in principle re-trigger the freeze. Hardening that path is a separate concern and a candidate follow-up PR (the patch from the test repo above can be the basis).

cbor2 == 5.8.0 is excluded explicitly (!= 5.8.0) since the FROZEN result there is reproducible and confirmed on real hardware.

Changes

  • pyproject.toml: cbor2 = ">=5.4.6,<5.8"cbor2 = ">=5.4.6,!=5.8.0,<6.0.0"
  • setup.py: same constraint (kept in sync with pyproject)
  • poetry.lock not regenerated in this PR. Happy to add a follow-up commit regenerating it if that is the convention; otherwise it can be regenerated at next release.

Refs

@k9ert
deps: relax cbor2 upper bound to permit >=5.9.0
624f130 
The <5.8 cap from bitcoin-core#817 traps downstreams at cbor2 versions
vulnerable to GHSA-3c37-wwvx-h642 (high-severity DoS in
cbor2.loads), first patched in 5.9.0.

Empirical testing on real Jade hardware shows stock HWI 3.2.0
+ cbor2 5.9.0 completes signing successfully. Whatever broke
in 5.8.0 is fixed in 5.9.0 itself. Test matrix and logs at
https://github.com/al-munazzim/hwi-jade-cbor-repro

Excludes 5.8.0 explicitly (still freezes Jade on pyserial
transports per the test matrix).

poetry.lock not regenerated in this commit; maintainers may
prefer to handle that separately or defer until next release.
@k9ert k9ert mentioned this pull request Apr 30, 2026
Open
@k9ert
Copy link
Copy Markdown
Author

k9ert commented Apr 30, 2026

The pin was IMHO done because @Sjors discovered a timeout of jade-tests and pinned in 38fae57 .
But those are now fixed for some reason, right?!

@k9ert k9ert mentioned this pull request Apr 30, 2026
Merged
5 tasks
@Sjors
Copy link
Copy Markdown
Member

Sjors commented Apr 30, 2026

But those are now fixed for some reason, right?

From that commit:

In the Sdist and Wheel test environments, the Jade tests all timed out.

So this would be hard to miss.

@k9ert
Copy link
Copy Markdown
Author

k9ert commented May 1, 2026

  1. I had forgotten to update poetry.lock after relaxing the cbor2 bound in pyproject.toml.
    That mismatch caused early CI failures in lint / Non-device tests / Dist builder / Wine builder.
    After adding the lockfile update, those jobs are green in the latest PR run:

• Dist builder ✅ https://github.com/bitcoin-core/HWI/actions/runs/25211462096/job/73922819687
• Non-device tests ✅ https://github.com/bitcoin-core/HWI/actions/runs/25211462096/job/73922819680
• lint ✅ https://github.com/bitcoin-core/HWI/actions/runs/25211462096/job/73922819673
• Wine builder ✅ https://github.com/bitcoin-core/HWI/actions/runs/25211462096/job/73922819703

Also, regarding the earlier timeout context: Jade jobs are not timing out in this run (they are green), e.g.

• Jade library ✅ https://github.com/bitcoin-core/HWI/actions/runs/25211462096/job/73923444972
• Jade bindist ✅ https://github.com/bitcoin-core/HWI/actions/runs/25211462096/job/73923444980

  1. The remaining red jobs do not appear to be caused by this PR change, since the same failures are present on master:

• Trezor sim builder fails on master with error[E0658]: custom test frameworks are an unstable feature
https://github.com/bitcoin-core/HWI/actions/runs/25012560729/job/73251883660
• Ledger/ledger-legacy jobs fail on master with speculos safe-directory error (fatal: detected dubious ownership ... /test/work/speculos)
https://github.com/bitcoin-core/HWI/actions/runs/25012560729/job/73253524077

So the lockfile issue is fixed in this PR, the remaining failures look like pre-existing CI/environment issues.

@k9ert
Copy link
Copy Markdown
Author

k9ert commented May 8, 2026

Any feedback, @Sjors ?!

k9ert added a commit to k9ert/specter-desktop that referenced this pull request May 22, 2026
@k9ert
deps: bump hwi 2.4.0 -> 3.1.0; require Python >=3.9,<3.13
f41827c 
Brings: Trezor Safe 5 support, Ledger Nano model IDs, tr() single-leaf
descriptor parsing fix, Debian Buster Linux build compat.

requires-python lifted from >=3.7,<4.0 to >=3.9,<3.13 — HWI 3.x drops
3.7/3.8 (and caps at <3.13). Drops support for those Python versions.

API impact on Specter (verified): all hwilib symbols Specter imports
(hwwclient, errors, key, psbt, _script, descriptor, common,
bitbox02_lib.util, trezorlib.{transport,messages,protobuf}) are
unchanged 2.4 -> 3.1. enumerate() gained allow_emulators=False kwarg
(default ignores emulators). Specter's own simulator paths in vendored
jade/keepkey/specter_diy clients are unaffected; the only behavioral
change is Trezor emulator no longer auto-discovered through Specter
(no callers observed in tests/).

cbor2 stays at 5.9.0 — HWI 3.1's cap is <6.0.0, no conflict. (HWI 3.2
introduces a <5.8 cap that conflicts with the GHSA-3c37-wwvx-h642 fix
floor; relax PR filed upstream as bitcoin-core/HWI#832, prerequisite
for a later 3.2/3.3 bump.)

Note: only mechanical add'n to requirements.txt is the new pip-tools 7
boilerplate text; cbor2 and all other transitive deps unchanged.

Refs:
- cryptoadvance#2597 (BitBox02
  Nova; deferred to 3.2/3.3 bump after upstream cap relax merges)
- bitcoin-core/HWI#832
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@k9ert @Sjors