python3-aiohttp: patch CVE-2025-69224

Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69224 Backport the patch indicated by the NVD advisory. Only a part of the tests were backported, because some of the new tests require a compression method that is not supported yet by this version. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-02-04 17:29:16 +0100
committer: Anuj Mittal <anuj.mittal@oss.qualcomm.com> 2026-02-05 06:59:36 +0530
commit: c24b8f9ced42391891b62f3d552424bb0f29eb54 (patch)
tree: f59ceebe070489d5dc4e27cf736309c8be691ca2 /meta-python
parent: e26c5f452797be41fa33ca8b2b7882790405d813 (diff)
download: meta-openembedded-c24b8f9ced42391891b62f3d552424bb0f29eb54.tar.gz
2 files changed, 94 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69224.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69224.patch
new file mode 100644
index 0000000000..7f36e699fd
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69224.patch
@@ -0,0 +1,93 @@
+From 225412b13f66a76a7222d7719777e6162638faa3 Mon Sep 17 00:00:00 2001
+From: Sam Bull <git@sambull.org>
+Date: Sat, 3 Jan 2026 00:02:45 +0000
+Subject: [PATCH] Reject non-ascii characters in some headers (#11886) (#11902)
+(cherry picked from commit 5affd64f86d28a16a8f8e6fea2d217c99bf7831f)
+CVE: CVE-2025-69224
+Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ aiohttp/_http_parser.pyx  |  6 +++---
+ aiohttp/http_parser.py    |  8 ++++++--
+ tests/test_http_parser.py | 16 +++++++++++++++-
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+diff --git a/aiohttp/_http_parser.pyx b/aiohttp/_http_parser.pyx
+index 16893f0..23f1dd1 100644
+--- a/aiohttp/_http_parser.pyx
+++ b/aiohttp/_http_parser.pyx
+@@ -421,7 +421,8 @@ cdef class HttpParser:
+         headers = CIMultiDictProxy(CIMultiDict(self._headers))
+ 
+         if self._cparser.type == cparser.HTTP_REQUEST:
+-            allowed = upgrade and headers.get("upgrade", "").lower() in ALLOWED_UPGRADES
+            h_upg = headers.get("upgrade", "")
+            allowed = upgrade and h_upg.isascii() and h_upg.lower() in ALLOWED_UPGRADES
+             if allowed or self._cparser.method == cparser.HTTP_CONNECT:
+                 self._upgraded = True
+         else:
+@@ -436,8 +437,7 @@ cdef class HttpParser:
+         enc = self._content_encoding
+         if enc is not None:
+             self._content_encoding = None
+-            enc = enc.lower()
+-            if enc in ('gzip', 'deflate', 'br'):
+            if enc.isascii() and enc.lower() in {"gzip", "deflate", "br"}:
+                 encoding = enc
+ 
+         if self._cparser.type == cparser.HTTP_REQUEST:
+diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
+index 9f864b2..bc8f7da 100644
+--- a/aiohttp/http_parser.py
+++ b/aiohttp/http_parser.py
+@@ -232,7 +232,9 @@ class HeadersParser:
+ 
+ def _is_supported_upgrade(headers: CIMultiDictProxy[str]) -> bool:
+     """Check if the upgrade header is supported."""
+-    return headers.get(hdrs.UPGRADE, "").lower() in {"tcp", "websocket"}
+    u = headers.get(hdrs.UPGRADE, "")
+    # .lower() can transform non-ascii characters.
+    return u.isascii() and u.lower() in {"tcp", "websocket"}
+ 
+ 
+ class HttpParser(abc.ABC, Generic[_MsgT]):
+@@ -664,7 +666,9 @@ class HttpRequestParser(HttpParser[RawRequestMessage]):
+         )
+ 
+     def _is_chunked_te(self, te: str) -> bool:
+-        if te.rsplit(",", maxsplit=1)[-1].strip(" \t").lower() == "chunked":
+        te = te.rsplit(",", maxsplit=1)[-1].strip(" \t")
+        # .lower() transforms some non-ascii chars, so must check first.
+        if te.isascii() and te.lower() == "chunked":
+             return True
+         # https://www.rfc-editor.org/rfc/rfc9112#section-6.3-2.4.3
+         raise BadHttpMessage("Request has invalid `Transfer-Encoding`")
+diff --git a/tests/test_http_parser.py b/tests/test_http_parser.py
+index 385452c..d4c1768 100644
+--- a/tests/test_http_parser.py
+++ b/tests/test_http_parser.py
+@@ -468,7 +468,21 @@ def test_request_chunked(parser) -> None:
+     assert isinstance(payload, streams.StreamReader)
+ 
+ 
+-def test_request_te_chunked_with_content_length(parser: Any) -> None:
+def test_te_header_non_ascii(parser: HttpRequestParser) -> None:
+    # K = Kelvin sign, not valid ascii.
+    text = "GET /test HTTP/1.1\r\nTransfer-Encoding: chunKed\r\n\r\n"
+    with pytest.raises(http_exceptions.BadHttpMessage):
+        parser.feed_data(text.encode())
+
+
+def test_upgrade_header_non_ascii(parser: HttpRequestParser) -> None:
+    # K = Kelvin sign, not valid ascii.
+    text = "GET /test HTTP/1.1\r\nUpgrade: websocKet\r\n\r\n"
+    messages, upgrade, tail = parser.feed_data(text.encode())
+    assert not upgrade
+
+
+def test_request_te_chunked_with_content_length(parser: HttpRequestParser) -> None:
+     text = (
+         b"GET /test HTTP/1.1\r\n"
+         b"content-length: 1234\r\n"
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
index b6344d4c68..4341e128a5 100644
--- a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
+++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
@@ -4,6 +4,7 @@ HOMEPAGE = "https://github.com/aio-libs/aiohttp"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"
+SRC_URI += "file://CVE-2025-69224.patch"
 SRC_URI[sha256sum] = "4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"
 inherit python_setuptools_build_meta pypi
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-02-04 17:29:16 +0100
committer	Anuj Mittal <anuj.mittal@oss.qualcomm.com>	2026-02-05 06:59:36 +0530
commit	c24b8f9ced42391891b62f3d552424bb0f29eb54 (patch)
tree	f59ceebe070489d5dc4e27cf736309c8be691ca2 /meta-python
parent	e26c5f452797be41fa33ca8b2b7882790405d813 (diff)
download	meta-openembedded-c24b8f9ced42391891b62f3d552424bb0f29eb54.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69224.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69224.patch new file mode 100644 index 0000000000..7f36e699fd --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69224.patch
@@ -0,0 +1,93 @@
		1	From 225412b13f66a76a7222d7719777e6162638faa3 Mon Sep 17 00:00:00 2001
		2	From: Sam Bull <git@sambull.org>
		3	Date: Sat, 3 Jan 2026 00:02:45 +0000
		4	Subject: [PATCH] Reject non-ascii characters in some headers (#11886) (#11902)
		5
		6	(cherry picked from commit 5affd64f86d28a16a8f8e6fea2d217c99bf7831f)
		7
		8	CVE: CVE-2025-69224
		9	Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0]
		10	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		11	---
		12	aiohttp/_http_parser.pyx \| 6 +++---
		13	aiohttp/http_parser.py \| 8 ++++++--
		14	tests/test_http_parser.py \| 16 +++++++++++++++-
		15	3 files changed, 24 insertions(+), 6 deletions(-)
		16
		17	diff --git a/aiohttp/_http_parser.pyx b/aiohttp/_http_parser.pyx
		18	index 16893f0..23f1dd1 100644
		19	--- a/aiohttp/_http_parser.pyx
		20	+++ b/aiohttp/_http_parser.pyx
		21	@@ -421,7 +421,8 @@ cdef class HttpParser:
		22	headers = CIMultiDictProxy(CIMultiDict(self._headers))
		23
		24	if self._cparser.type == cparser.HTTP_REQUEST:
		25	- allowed = upgrade and headers.get("upgrade", "").lower() in ALLOWED_UPGRADES
		26	+ h_upg = headers.get("upgrade", "")
		27	+ allowed = upgrade and h_upg.isascii() and h_upg.lower() in ALLOWED_UPGRADES
		28	if allowed or self._cparser.method == cparser.HTTP_CONNECT:
		29	self._upgraded = True
		30	else:
		31	@@ -436,8 +437,7 @@ cdef class HttpParser:
		32	enc = self._content_encoding
		33	if enc is not None:
		34	self._content_encoding = None
		35	- enc = enc.lower()
		36	- if enc in ('gzip', 'deflate', 'br'):
		37	+ if enc.isascii() and enc.lower() in {"gzip", "deflate", "br"}:
		38	encoding = enc
		39
		40	if self._cparser.type == cparser.HTTP_REQUEST:
		41	diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
		42	index 9f864b2..bc8f7da 100644
		43	--- a/aiohttp/http_parser.py
		44	+++ b/aiohttp/http_parser.py
		45	@@ -232,7 +232,9 @@ class HeadersParser:
		46
		47	def _is_supported_upgrade(headers: CIMultiDictProxy[str]) -> bool:
		48	"""Check if the upgrade header is supported."""
		49	- return headers.get(hdrs.UPGRADE, "").lower() in {"tcp", "websocket"}
		50	+ u = headers.get(hdrs.UPGRADE, "")
		51	+ # .lower() can transform non-ascii characters.
		52	+ return u.isascii() and u.lower() in {"tcp", "websocket"}
		53
		54
		55	class HttpParser(abc.ABC, Generic[_MsgT]):
		56	@@ -664,7 +666,9 @@ class HttpRequestParser(HttpParser[RawRequestMessage]):
		57	)
		58
		59	def _is_chunked_te(self, te: str) -> bool:
		60	- if te.rsplit(",", maxsplit=1)[-1].strip(" \t").lower() == "chunked":
		61	+ te = te.rsplit(",", maxsplit=1)[-1].strip(" \t")
		62	+ # .lower() transforms some non-ascii chars, so must check first.
		63	+ if te.isascii() and te.lower() == "chunked":
		64	return True
		65	# https://www.rfc-editor.org/rfc/rfc9112#section-6.3-2.4.3
		66	raise BadHttpMessage("Request has invalid `Transfer-Encoding`")
		67	diff --git a/tests/test_http_parser.py b/tests/test_http_parser.py
		68	index 385452c..d4c1768 100644
		69	--- a/tests/test_http_parser.py
		70	+++ b/tests/test_http_parser.py
		71	@@ -468,7 +468,21 @@ def test_request_chunked(parser) -> None:
		72	assert isinstance(payload, streams.StreamReader)
		73
		74
		75	-def test_request_te_chunked_with_content_length(parser: Any) -> None:
		76	+def test_te_header_non_ascii(parser: HttpRequestParser) -> None:
		77	+ # K = Kelvin sign, not valid ascii.
		78	+ text = "GET /test HTTP/1.1\r\nTransfer-Encoding: chunKed\r\n\r\n"
		79	+ with pytest.raises(http_exceptions.BadHttpMessage):
		80	+ parser.feed_data(text.encode())
		81	+
		82	+
		83	+def test_upgrade_header_non_ascii(parser: HttpRequestParser) -> None:
		84	+ # K = Kelvin sign, not valid ascii.
		85	+ text = "GET /test HTTP/1.1\r\nUpgrade: websocKet\r\n\r\n"
		86	+ messages, upgrade, tail = parser.feed_data(text.encode())
		87	+ assert not upgrade
		88	+
		89	+
		90	+def test_request_te_chunked_with_content_length(parser: HttpRequestParser) -> None:
		91	text = (
		92	b"GET /test HTTP/1.1\r\n"
		93	b"content-length: 1234\r\n"


diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb index b6344d4c68..4341e128a5 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
@@ -4,6 +4,7 @@ HOMEPAGE = "https://github.com/aio-libs/aiohttp"
4	LICENSE = "Apache-2.0"	4	LICENSE = "Apache-2.0"
5	LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"	5	LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"
6		6
		7	SRC_URI += "file://CVE-2025-69224.patch"
7	SRC_URI[sha256sum] = "4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"	8	SRC_URI[sha256sum] = "4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"
8		9
9	inherit python_setuptools_build_meta pypi	10	inherit python_setuptools_build_meta pypi