1 files changed, 192 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-53643.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-53643.patch
new file mode 100644
index 0000000000..54d69fbe3f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-53643.patch
@@ -0,0 +1,192 @@
+From 2b45c0cc5f94a4aab25e80580db73c5da1152030 Mon Sep 17 00:00:00 2001
+From: Sam Bull <git@sambull.org>
+Date: Wed, 9 Jul 2025 19:55:22 +0100
+Subject: [PATCH] Add trailer parsing logic (#11269) (#11287)
+CVE: CVE-2025-53643
+Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a]
+Dropped changes to the test and changelog from the original commit.
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ aiohttp/http_parser.py | 70 ++++++++++++++++++++++--------------------
+ aiohttp/multipart.py   |  2 +-
+ 2 files changed, 38 insertions(+), 34 deletions(-)
+diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
+index 7a552458e..0a80c5c6d 100644
+--- a/aiohttp/http_parser.py
+++ b/aiohttp/http_parser.py
+@@ -142,8 +142,8 @@ class HeadersParser:
+         # note: "raw" does not mean inclusion of OWS before/after the field value
+         raw_headers = []
+ 
+-        lines_idx = 1
+-        line = lines[1]
+        lines_idx = 0
+        line = lines[lines_idx]
+         line_count = len(lines)
+ 
+         while line:
+@@ -397,6 +397,7 @@ class HttpParser(abc.ABC, Generic[_MsgT]):
+                                 response_with_body=self.response_with_body,
+                                 auto_decompress=self._auto_decompress,
+                                 lax=self.lax,
+                                headers_parser=self._headers_parser,
+                             )
+                             if not payload_parser.done:
+                                 self._payload_parser = payload_parser
+@@ -416,6 +417,7 @@ class HttpParser(abc.ABC, Generic[_MsgT]):
+                                 readall=True,
+                                 auto_decompress=self._auto_decompress,
+                                 lax=self.lax,
+                                headers_parser=self._headers_parser,
+                             )
+                         elif not empty_body and length is None and self.read_until_eof:
+                             payload = StreamReader(
+@@ -435,6 +437,7 @@ class HttpParser(abc.ABC, Generic[_MsgT]):
+                                 response_with_body=self.response_with_body,
+                                 auto_decompress=self._auto_decompress,
+                                 lax=self.lax,
+                                headers_parser=self._headers_parser,
+                             )
+                             if not payload_parser.done:
+                                 self._payload_parser = payload_parser
+@@ -471,6 +474,10 @@ class HttpParser(abc.ABC, Generic[_MsgT]):
+ 
+                     eof = True
+                     data = b""
+                    if isinstance(
+                        underlying_exc, (InvalidHeader, TransferEncodingError)
+                    ):
+                        raise
+ 
+                 if eof:
+                     start_pos = 0
+@@ -635,7 +642,7 @@ class HttpRequestParser(HttpParser[RawRequestMessage]):
+             compression,
+             upgrade,
+             chunked,
+-        ) = self.parse_headers(lines)
+        ) = self.parse_headers(lines[1:])
+ 
+         if close is None:  # then the headers weren't set in the request
+             if version_o <= HttpVersion10:  # HTTP 1.0 must asks to not close
+@@ -715,7 +722,7 @@ class HttpResponseParser(HttpParser[RawResponseMessage]):
+             compression,
+             upgrade,
+             chunked,
+-        ) = self.parse_headers(lines)
+        ) = self.parse_headers(lines[1:])
+ 
+         if close is None:
+             if version_o <= HttpVersion10:
+@@ -755,6 +762,8 @@ class HttpPayloadParser:
+         response_with_body: bool = True,
+         auto_decompress: bool = True,
+         lax: bool = False,
+        *,
+        headers_parser: HeadersParser,
+     ) -> None:
+         self._length = 0
+         self._type = ParseState.PARSE_NONE
+@@ -763,6 +772,8 @@ class HttpPayloadParser:
+         self._chunk_tail = b""
+         self._auto_decompress = auto_decompress
+         self._lax = lax
+        self._headers_parser = headers_parser
+        self._trailer_lines: list[bytes] = []
+         self.done = False
+ 
+         # payload decompression wrapper
+@@ -850,7 +861,7 @@ class HttpPayloadParser:
+                             size_b = chunk[:i]  # strip chunk-extensions
+                             # Verify no LF in the chunk-extension
+                             if b"\n" in (ext := chunk[i:pos]):
+-                                exc = BadHttpMessage(
+                                exc = TransferEncodingError(
+                                     f"Unexpected LF in chunk-extension: {ext!r}"
+                                 )
+                                 set_exception(self.payload, exc)
+@@ -871,7 +882,7 @@ class HttpPayloadParser:
+ 
+                         chunk = chunk[pos + len(SEP) :]
+                         if size == 0:  # eof marker
+-                            self._chunk = ChunkState.PARSE_MAYBE_TRAILERS
+                            self._chunk = ChunkState.PARSE_TRAILERS
+                             if self._lax and chunk.startswith(b"\r"):
+                                 chunk = chunk[1:]
+                         else:
+@@ -909,38 +920,31 @@ class HttpPayloadParser:
+                         self._chunk_tail = chunk
+                         return False, b""
+ 
+-                # if stream does not contain trailer, after 0\r\n
+-                # we should get another \r\n otherwise
+-                # trailers needs to be skipped until \r\n\r\n
+-                if self._chunk == ChunkState.PARSE_MAYBE_TRAILERS:
+-                    head = chunk[: len(SEP)]
+-                    if head == SEP:
+-                        # end of stream
+-                        self.payload.feed_eof()
+-                        return True, chunk[len(SEP) :]
+-                    # Both CR and LF, or only LF may not be received yet. It is
+-                    # expected that CRLF or LF will be shown at the very first
+-                    # byte next time, otherwise trailers should come. The last
+-                    # CRLF which marks the end of response might not be
+-                    # contained in the same TCP segment which delivered the
+-                    # size indicator.
+-                    if not head:
+-                        return False, b""
+-                    if head == SEP[:1]:
+-                        self._chunk_tail = head
+-                        return False, b""
+-                    self._chunk = ChunkState.PARSE_TRAILERS
+-
+-                # read and discard trailer up to the CRLF terminator
+                 if self._chunk == ChunkState.PARSE_TRAILERS:
+                     pos = chunk.find(SEP)
+-                    if pos >= 0:
+-                        chunk = chunk[pos + len(SEP) :]
+-                        self._chunk = ChunkState.PARSE_MAYBE_TRAILERS
+-                    else:
+                    if pos < 0:  # No line found
+                         self._chunk_tail = chunk
+                         return False, b""
+ 
+                    line = chunk[:pos]
+                    chunk = chunk[pos + len(SEP) :]
+                    if SEP == b"\n":  # For lax response parsing
+                        line = line.rstrip(b"\r")
+                    self._trailer_lines.append(line)
+
+                    # \r\n\r\n found, end of stream
+                    if self._trailer_lines[-1] == b"":
+                        # Headers and trailers are defined the same way,
+                        # so we reuse the HeadersParser here.
+                        try:
+                            trailers, raw_trailers = self._headers_parser.parse_headers(
+                                self._trailer_lines
+                            )
+                        finally:
+                            self._trailer_lines.clear()
+                        self.payload.feed_eof()
+                        return True, chunk
+
+         # Read all bytes until eof
+         elif self._type == ParseState.PARSE_UNTIL_EOF:
+             self.payload.feed_data(chunk, len(chunk))
+diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
+index 71fc2654a..520ee539e 100644
+--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
+@@ -723,7 +723,7 @@ class MultipartReader:
+             raise ValueError(f"Invalid boundary {chunk!r}, expected {self._boundary!r}")
+ 
+     async def _read_headers(self) -> "CIMultiDictProxy[str]":
+-        lines = [b""]
+        lines = []
+         while True:
+             chunk = await self._content.readline()
+             chunk = chunk.strip()

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-53643.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-53643.patch new file mode 100644 index 0000000000..54d69fbe3f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-53643.patch
@@ -0,0 +1,192 @@
	1	From 2b45c0cc5f94a4aab25e80580db73c5da1152030 Mon Sep 17 00:00:00 2001
	2	From: Sam Bull <git@sambull.org>
	3	Date: Wed, 9 Jul 2025 19:55:22 +0100
	4	Subject: [PATCH] Add trailer parsing logic (#11269) (#11287)
	5
	6	CVE: CVE-2025-53643
	7	Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a]
	8
	9	Dropped changes to the test and changelog from the original commit.
	10
	11	Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
	12	---
	13	aiohttp/http_parser.py \| 70 ++++++++++++++++++++++--------------------
	14	aiohttp/multipart.py \| 2 +-
	15	2 files changed, 38 insertions(+), 34 deletions(-)
	16
	17	diff --git a/aiohttp/http_parser.py b/aiohttp/http_parser.py
	18	index 7a552458e..0a80c5c6d 100644
	19	--- a/aiohttp/http_parser.py
	20	+++ b/aiohttp/http_parser.py
	21	@@ -142,8 +142,8 @@ class HeadersParser:
	22	# note: "raw" does not mean inclusion of OWS before/after the field value
	23	raw_headers = []
	24
	25	- lines_idx = 1
	26	- line = lines[1]
	27	+ lines_idx = 0
	28	+ line = lines[lines_idx]
	29	line_count = len(lines)
	30
	31	while line:
	32	@@ -397,6 +397,7 @@ class HttpParser(abc.ABC, Generic[_MsgT]):
	33	response_with_body=self.response_with_body,
	34	auto_decompress=self._auto_decompress,
	35	lax=self.lax,
	36	+ headers_parser=self._headers_parser,
	37	)
	38	if not payload_parser.done:
	39	self._payload_parser = payload_parser
	40	@@ -416,6 +417,7 @@ class HttpParser(abc.ABC, Generic[_MsgT]):
	41	readall=True,
	42	auto_decompress=self._auto_decompress,
	43	lax=self.lax,
	44	+ headers_parser=self._headers_parser,
	45	)
	46	elif not empty_body and length is None and self.read_until_eof:
	47	payload = StreamReader(
	48	@@ -435,6 +437,7 @@ class HttpParser(abc.ABC, Generic[_MsgT]):
	49	response_with_body=self.response_with_body,
	50	auto_decompress=self._auto_decompress,
	51	lax=self.lax,
	52	+ headers_parser=self._headers_parser,
	53	)
	54	if not payload_parser.done:
	55	self._payload_parser = payload_parser
	56	@@ -471,6 +474,10 @@ class HttpParser(abc.ABC, Generic[_MsgT]):
	57
	58	eof = True
	59	data = b""
	60	+ if isinstance(
	61	+ underlying_exc, (InvalidHeader, TransferEncodingError)
	62	+ ):
	63	+ raise
	64
	65	if eof:
	66	start_pos = 0
	67	@@ -635,7 +642,7 @@ class HttpRequestParser(HttpParser[RawRequestMessage]):
	68	compression,
	69	upgrade,
	70	chunked,
	71	- ) = self.parse_headers(lines)
	72	+ ) = self.parse_headers(lines[1:])
	73
	74	if close is None: # then the headers weren't set in the request
	75	if version_o <= HttpVersion10: # HTTP 1.0 must asks to not close
	76	@@ -715,7 +722,7 @@ class HttpResponseParser(HttpParser[RawResponseMessage]):
	77	compression,
	78	upgrade,
	79	chunked,
	80	- ) = self.parse_headers(lines)
	81	+ ) = self.parse_headers(lines[1:])
	82
	83	if close is None:
	84	if version_o <= HttpVersion10:
	85	@@ -755,6 +762,8 @@ class HttpPayloadParser:
	86	response_with_body: bool = True,
	87	auto_decompress: bool = True,
	88	lax: bool = False,
	89	+ *,
	90	+ headers_parser: HeadersParser,
	91	) -> None:
	92	self._length = 0
	93	self._type = ParseState.PARSE_NONE
	94	@@ -763,6 +772,8 @@ class HttpPayloadParser:
	95	self._chunk_tail = b""
	96	self._auto_decompress = auto_decompress
	97	self._lax = lax
	98	+ self._headers_parser = headers_parser
	99	+ self._trailer_lines: list[bytes] = []
	100	self.done = False
	101
	102	# payload decompression wrapper
	103	@@ -850,7 +861,7 @@ class HttpPayloadParser:
	104	size_b = chunk[:i] # strip chunk-extensions
	105	# Verify no LF in the chunk-extension
	106	if b"\n" in (ext := chunk[i:pos]):
	107	- exc = BadHttpMessage(
	108	+ exc = TransferEncodingError(
	109	f"Unexpected LF in chunk-extension: {ext!r}"
	110	)
	111	set_exception(self.payload, exc)
	112	@@ -871,7 +882,7 @@ class HttpPayloadParser:
	113
	114	chunk = chunk[pos + len(SEP) :]
	115	if size == 0: # eof marker
	116	- self._chunk = ChunkState.PARSE_MAYBE_TRAILERS
	117	+ self._chunk = ChunkState.PARSE_TRAILERS
	118	if self._lax and chunk.startswith(b"\r"):
	119	chunk = chunk[1:]
	120	else:
	121	@@ -909,38 +920,31 @@ class HttpPayloadParser:
	122	self._chunk_tail = chunk
	123	return False, b""
	124
	125	- # if stream does not contain trailer, after 0\r\n
	126	- # we should get another \r\n otherwise
	127	- # trailers needs to be skipped until \r\n\r\n
	128	- if self._chunk == ChunkState.PARSE_MAYBE_TRAILERS:
	129	- head = chunk[: len(SEP)]
	130	- if head == SEP:
	131	- # end of stream
	132	- self.payload.feed_eof()
	133	- return True, chunk[len(SEP) :]
	134	- # Both CR and LF, or only LF may not be received yet. It is
	135	- # expected that CRLF or LF will be shown at the very first
	136	- # byte next time, otherwise trailers should come. The last
	137	- # CRLF which marks the end of response might not be
	138	- # contained in the same TCP segment which delivered the
	139	- # size indicator.
	140	- if not head:
	141	- return False, b""
	142	- if head == SEP[:1]:
	143	- self._chunk_tail = head
	144	- return False, b""
	145	- self._chunk = ChunkState.PARSE_TRAILERS
	146	-
	147	- # read and discard trailer up to the CRLF terminator
	148	if self._chunk == ChunkState.PARSE_TRAILERS:
	149	pos = chunk.find(SEP)
	150	- if pos >= 0:
	151	- chunk = chunk[pos + len(SEP) :]
	152	- self._chunk = ChunkState.PARSE_MAYBE_TRAILERS
	153	- else:
	154	+ if pos < 0: # No line found
	155	self._chunk_tail = chunk
	156	return False, b""
	157
	158	+ line = chunk[:pos]
	159	+ chunk = chunk[pos + len(SEP) :]
	160	+ if SEP == b"\n": # For lax response parsing
	161	+ line = line.rstrip(b"\r")
	162	+ self._trailer_lines.append(line)
	163	+
	164	+ # \r\n\r\n found, end of stream
	165	+ if self._trailer_lines[-1] == b"":
	166	+ # Headers and trailers are defined the same way,
	167	+ # so we reuse the HeadersParser here.
	168	+ try:
	169	+ trailers, raw_trailers = self._headers_parser.parse_headers(
	170	+ self._trailer_lines
	171	+ )
	172	+ finally:
	173	+ self._trailer_lines.clear()
	174	+ self.payload.feed_eof()
	175	+ return True, chunk
	176	+
	177	# Read all bytes until eof
	178	elif self._type == ParseState.PARSE_UNTIL_EOF:
	179	self.payload.feed_data(chunk, len(chunk))
	180	diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
	181	index 71fc2654a..520ee539e 100644
	182	--- a/aiohttp/multipart.py
	183	+++ b/aiohttp/multipart.py
	184	@@ -723,7 +723,7 @@ class MultipartReader:
	185	raise ValueError(f"Invalid boundary {chunk!r}, expected {self._boundary!r}")
	186
	187	async def _read_headers(self) -> "CIMultiDictProxy[str]":
	188	- lines = [b""]
	189	+ lines = []
	190	while True:
	191	chunk = await self._content.readline()
	192	chunk = chunk.strip()