From 78afe9d40cb41f9b7691b4ec4183ca442e70fb63 Mon Sep 17 00:00:00 2001
From: Jiaying Song
Date: Wed, 16 Jul 2025 15:37:58 +0800
Subject: python3-aiohttp: fix CVE-2025-53643 and drop CVE-2024-42367 patch

- Fix CVE-2025-53643: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue.
References: https://nvd.nist.gov/vuln/detail/CVE-2025-53643

- Drop CVE-2024-42367.patch: According to upstream discussion and advisory [1][2], aiohttp 3.8.6 is not affected by CVE-2024-42367, and the patch is therefore no longer needed.
[1] https://github.com/advisories/GHSA-jwhx-xcg6-8xhj
[2] https://github.com/aio-libs/aiohttp/issues/11149

Signed-off-by: Jiaying Song
Signed-off-by: Gyorgy Sarvari
---
 .../python/python3-aiohttp/CVE-2024-42367.patch | 65 ----------------------
 1 file changed, 65 deletions(-)
 delete mode 100644 meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch

(limited to 'meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch')
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
deleted file mode 100644
index dadec31f3a..0000000000
--- a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From e19cb50fb529bbe75cc4f1b68eeb0a3f631ad0d0 Mon Sep 17 00:00:00 2001
-From: "J. Nick Koston"
-Date: Thu, 8 Aug 2024 11:19:28 -0500
-Subject: [PATCH] Do not follow symlinks for compressed file variants (#8652)
-
-CVE: CVE-2024-42367
-
-Upstream-Status: Backport
-[https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f]
-
-Co-authored-by: Steve Repsher
-Signed-off-by: Jiaying Song
----
- CHANGES/8652.bugfix.rst | 1 +
- aiohttp/web_fileresponse.py | 26 ++++++++++++++++++++++++++
- 2 files changed, 27 insertions(+)
- create mode 100644 CHANGES/8652.bugfix.rst
-
-diff --git a/CHANGES/8652.bugfix.rst b/CHANGES/8652.bugfix.rst
-new file mode 100644
-index 000000000..3a1003e50
---- /dev/null
-+++ b/CHANGES/8652.bugfix.rst
-@@ -0,0 +1 @@
-+Fixed incorrectly following symlinks for compressed file variants -- by :user:`steverep`.
-diff --git a/aiohttp/web_fileresponse.py b/aiohttp/web_fileresponse.py
-index f41ed3fd0..35dbd41e1 100644
---- a/aiohttp/web_fileresponse.py
-+++ b/aiohttp/web_fileresponse.py
-@@ -127,6 +127,32 @@ class FileResponse(StreamResponse):
- self.content_length = 0
- return await super().prepare(request)
- 
-+ def _get_file_path_stat_encoding(
-+ self, accept_encoding: str
-+ ) -> Tuple[pathlib.Path, os.stat_result, Optional[str]]:
-+ """Return the file path, stat result, and encoding.
-+
-+ If an uncompressed file is returned, the encoding is set to
-+ :py:data:`None`.
-+
-+ This method should be called from a thread executor
-+ since it calls os.stat which may block.
-+ """
-+ file_path = self._path
-+ for file_extension, file_encoding in ENCODING_EXTENSIONS.items():
-+ if file_encoding not in accept_encoding:
-+ continue
-+
-+ compressed_path = file_path.with_suffix(file_path.suffix + file_extension)
-+ with suppress(OSError):
-+ # Do not follow symlinks and ignore any non-regular files.
-+ st = compressed_path.lstat()
-+ if S_ISREG(st.st_mode):
-+ return compressed_path, st, file_encoding
-+
-+ # Fallback to the uncompressed file
-+ return file_path, file_path.stat(), None
-+
- async def prepare(self, request: "BaseRequest") -> Optional[AbstractStreamWriter]:
- filepath = self._path
- 
---
-2.34.1
-
-- cgit v1.2.3-54-g00ecf