From 1ea440cd62d4fc1a0cd4d391bef16cc0ee894458 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Wed, 7 Jan 2026 10:27:46 +0100 Subject: python3-waitress: patch CVE-2024-49768 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-49768 Pick the patch mentioned in the NVD report (which is a merge commit, and the patches here are the individual commits from that merge) Signed-off-by: Gyorgy Sarvari --- .../python/python3-waitress/CVE-2024-49768-2.patch | 89 ++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-2.patch (limited to 'meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-2.patch') diff --git a/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-2.patch b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-2.patch new file mode 100644 index 0000000000..88d6aba0e2 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-waitress/CVE-2024-49768-2.patch @@ -0,0 +1,89 @@ +From 7f40812194ebbf189692f530422204b41204eecb Mon Sep 17 00:00:00 2001 +From: Delta Regeer +Date: Sat, 26 Oct 2024 22:12:14 -0600 +Subject: [PATCH] Add a new test to validate the lookahead race condition + +CVE: CVE-2024-49768 +Upstream-Status: Backport [https://github.com/Pylons/waitress/commit/6943dcf556610ece2ff3cddb39e59a05ef110661] +Signed-off-by: Gyorgy Sarvari +--- + tests/test_channel.py | 55 ++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 54 insertions(+), 1 deletion(-) + +diff --git a/tests/test_channel.py b/tests/test_channel.py +index 7d677e9..d798091 100644 +--- a/tests/test_channel.py ++++ b/tests/test_channel.py +@@ -805,11 +805,12 @@ class TestHTTPChannelLookahead(TestHTTPChannel): + ) + return [body] + +- def _make_app_with_lookahead(self): ++ def _make_app_with_lookahead(self, recv_bytes=8192): + """ + Setup a channel with lookahead and store it and the socket in self + """ + adj = DummyAdjustments() ++ adj.recv_bytes = recv_bytes + adj.channel_request_lookahead = 5 + channel, sock, map = self._makeOneWithMap(adj=adj) + channel.server.application = self.app_check_disconnect +@@ -901,6 +902,58 @@ class TestHTTPChannelLookahead(TestHTTPChannel): + self.assertEqual(data.split("\r\n")[-1], "finished") + self.assertEqual(self.request_body, b"x") + ++ def test_lookahead_bad_request_drop_extra_data(self): ++ """ ++ Send two requests, the first one being bad, split on the recv_bytes ++ limit, then emulate a race that could happen whereby we read data from ++ the socket while the service thread is cleaning up due to an error ++ processing the request. ++ """ ++ ++ invalid_request = [ ++ "GET / HTTP/1.1", ++ "Host: localhost:8080", ++ "Content-length: -1", ++ "", ++ ] ++ ++ invalid_request_len = len("".join([x + "\r\n" for x in invalid_request])) ++ ++ second_request = [ ++ "POST / HTTP/1.1", ++ "Host: localhost:8080", ++ "Content-Length: 1", ++ "", ++ "x", ++ ] ++ ++ full_request = invalid_request + second_request ++ ++ self._make_app_with_lookahead(recv_bytes=invalid_request_len) ++ self._send(*full_request) ++ self.channel.handle_read() ++ self.assertEqual(len(self.channel.requests), 1) ++ self.channel.server.tasks[0].service() ++ self.assertTrue(self.channel.close_when_flushed) ++ # Read all of the next request ++ self.channel.handle_read() ++ self.channel.handle_read() ++ # Validate that there is no more data to be read ++ self.assertEqual(self.sock.remote.local_sent, b"") ++ # Validate that we dropped the data from the second read, and did not ++ # create a new request ++ self.assertEqual(len(self.channel.requests), 0) ++ data = self.sock.recv(256).decode("ascii") ++ self.assertFalse(self.channel.readable()) ++ self.assertTrue(self.channel.writable()) ++ ++ # Handle the write, which will close the socket ++ self.channel.handle_write() ++ self.assertTrue(self.sock.closed) ++ ++ data = self.sock.recv(256) ++ self.assertEqual(len(data), 0) ++ + + class DummySock: + blocking = False -- cgit v1.2.3-54-g00ecf