1 files changed, 46 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch
new file mode 100644
index 0000000000..a76968c6ca
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch
@@ -0,0 +1,46 @@
+From 27b9925ad3ac716a6db3a3d1214b3fe2a260c5c8 Mon Sep 17 00:00:00 2001
+From: "J. Nick Koston" <nick@koston.org>
+Date: Wed, 13 Nov 2024 08:50:36 -0600
+Subject: [PATCH] Fix incorrect parsing of chunk extensions with the pure
+ Python parser (#9853)
+Upstream-Status: Backport
+[https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71]
+CVE: CVE-2024-52304
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ CHANGES/9851.bugfix.rst | 1 +
+ aiohttp/http_parser.py  | 7 +++++++
+ 2 files changed, 8 insertions(+)
+ create mode 100644 CHANGES/9851.bugfix.rst
+diff --git a/CHANGES/9851.bugfix.rst b/CHANGES/9851.bugfix.rst
+new file mode 100644
+index 0000000..02541a9
+--- /dev/null
+++ b/CHANGES/9851.bugfix.rst
+@@ -0,0 +1 @@
+Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:`bdraco`.
+diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
+index 91e01f4..1ee1269 100644
+--- a/aiohttp/http_parser.py
+++ b/aiohttp/http_parser.py
+@@ -820,6 +820,13 @@ class HttpPayloadParser:
+                         i = chunk.find(CHUNK_EXT, 0, pos)
+                         if i >= 0:
+                             size_b = chunk[:i]  # strip chunk-extensions
+                            # Verify no LF in the chunk-extension
+                            if b"\n" in (ext := chunk[i:pos]):
+                                exc = BadHttpMessage(
+                                    f"Unexpected LF in chunk-extension: {ext!r}"
+                                )
+                                set_exception(self.payload, exc)
+                                raise exc
+                         else:
+                             size_b = chunk[:pos]
+ 
+-- 
+2.25.1

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch new file mode 100644 index 0000000000..a76968c6ca --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-52304.patch
@@ -0,0 +1,46 @@
	1	From 27b9925ad3ac716a6db3a3d1214b3fe2a260c5c8 Mon Sep 17 00:00:00 2001
	2	From: "J. Nick Koston" <nick@koston.org>
	3	Date: Wed, 13 Nov 2024 08:50:36 -0600
	4	Subject: [PATCH] Fix incorrect parsing of chunk extensions with the pure
	5	Python parser (#9853)
	6
	7	Upstream-Status: Backport
	8	[https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71]
	9
	10	CVE: CVE-2024-52304
	11
	12	Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
	13	---
	14	CHANGES/9851.bugfix.rst \| 1 +
	15	aiohttp/http_parser.py \| 7 +++++++
	16	2 files changed, 8 insertions(+)
	17	create mode 100644 CHANGES/9851.bugfix.rst
	18
	19	diff --git a/CHANGES/9851.bugfix.rst b/CHANGES/9851.bugfix.rst
	20	new file mode 100644
	21	index 0000000..02541a9
	22	--- /dev/null
	23	+++ b/CHANGES/9851.bugfix.rst
	24	@@ -0,0 +1 @@
	25	+Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:`bdraco`.
	26	diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
	27	index 91e01f4..1ee1269 100644
	28	--- a/aiohttp/http_parser.py
	29	+++ b/aiohttp/http_parser.py
	30	@@ -820,6 +820,13 @@ class HttpPayloadParser:
	31	i = chunk.find(CHUNK_EXT, 0, pos)
	32	if i >= 0:
	33	size_b = chunk[:i] # strip chunk-extensions
	34	+ # Verify no LF in the chunk-extension
	35	+ if b"\n" in (ext := chunk[i:pos]):
	36	+ exc = BadHttpMessage(
	37	+ f"Unexpected LF in chunk-extension: {ext!r}"
	38	+ )
	39	+ set_exception(self.payload, exc)
	40	+ raise exc
	41	else:
	42	size_b = chunk[:pos]
	43
	44	--
	45	2.25.1
	46