python3-urllib3: patch CVE-2025-66418

Pick patch per [1]. [1] https://nvd.nist.gov/vuln/detail/CVE-2025-66418 (From OE-Core rev: 469fcdd5f07635fa9e308c968126807c1ca09647) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Peter Marko <peter.marko@siemens.com> 2026-01-20 14:52:43 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-01-26 09:49:25 +0000
commit: 4c8419bebefe1b686166ab08d891cdc4d29257d5 (patch)
tree: 0bd01ac1e075145da25b62b393ea3d47e282971c /meta/recipes-devtools
parent: 842275784a3a960d701319fd33415cfd8f1ad43c (diff)
download: poky-4c8419bebefe1b686166ab08d891cdc4d29257d5.tar.gz
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch
new file mode 100644
index 0000000000..b490019d87
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch
@@ -0,0 +1,74 @@
+From 24d7b67eac89f94e11003424bcf0d8f7b72222a8 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Fri, 5 Dec 2025 16:41:33 +0200
+Subject: [PATCH] Merge commit from fork
+* Add a hard-coded limit for the decompression chain
+* Reuse new list
+CVE: CVE-2025-66418
+Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ changelog/GHSA-gm62-xv2j-4w53.security.rst |  4 ++++
+ src/urllib3/response.py                    | 12 +++++++++++-
+ test/test_response.py                      | 10 ++++++++++
+ 3 files changed, 25 insertions(+), 1 deletion(-)
+ create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
+diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst
+new file mode 100644
+index 00000000..6646eaa3
+--- /dev/null
+++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst
+@@ -0,0 +1,4 @@
+Fixed a security issue where an attacker could compose an HTTP response with
+virtually unlimited links in the ``Content-Encoding`` header, potentially
+leading to a denial of service (DoS) attack by exhausting system resources
+during decoding. The number of allowed chained encodings is now limited to 5.
+diff --git a/src/urllib3/response.py b/src/urllib3/response.py
+index 4ba42136..069f726c 100644
+--- a/src/urllib3/response.py
+++ b/src/urllib3/response.py
+@@ -135,8 +135,18 @@ class MultiDecoder(object):
+         they were applied.
+     """
+ 
+    # Maximum allowed number of chained HTTP encodings in the
+    # Content-Encoding header.
+    max_decode_links = 5
+
+     def __init__(self, modes):
+-        self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
+        encodings = [m.strip() for m in modes.split(",")]
+        if len(encodings) > self.max_decode_links:
+            raise DecodeError(
+                "Too many content encodings in the chain: "
+                f"{len(encodings)} > {self.max_decode_links}"
+            )
+        self._decoders = [_get_decoder(e) for e in encodings]
+ 
+     def flush(self):
+         return self._decoders[0].flush()
+diff --git a/test/test_response.py b/test/test_response.py
+index 9592fdd9..d824ae70 100644
+--- a/test/test_response.py
+++ b/test/test_response.py
+@@ -295,6 +295,16 @@ class TestResponse(object):
+ 
+         assert r.data == b"foo"
+ 
+    def test_read_multi_decoding_too_many_links(self) -> None:
+        fp = BytesIO(b"foo")
+        with pytest.raises(
+            DecodeError, match="Too many content encodings in the chain: 6 > 5"
+        ):
+            HTTPResponse(
+                fp,
+                headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
+            )
+
+     def test_body_blob(self):
+         resp = HTTPResponse(b"foo")
+         assert resp.data == b"foo"
diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.20.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.20.bb
index 58988e4205..1f1132d5b5 100644
--- a/meta/recipes-devtools/python/python3-urllib3_1.26.20.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_1.26.20.bb
@@ -9,6 +9,7 @@ inherit pypi setuptools3
 SRC_URI += " \
    file://CVE-2025-50181.patch \
+    file://CVE-2025-66418.patch \
 "
 RDEPENDS:${PN} += "\
author	Peter Marko <peter.marko@siemens.com>	2026-01-20 14:52:43 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-01-26 09:49:25 +0000
commit	4c8419bebefe1b686166ab08d891cdc4d29257d5 (patch)
tree	0bd01ac1e075145da25b62b393ea3d47e282971c /meta/recipes-devtools
parent	842275784a3a960d701319fd33415cfd8f1ad43c (diff)
download	poky-4c8419bebefe1b686166ab08d891cdc4d29257d5.tar.gz

diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch new file mode 100644 index 0000000000..b490019d87 --- /dev/null +++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-66418.patch
@@ -0,0 +1,74 @@
		1	From 24d7b67eac89f94e11003424bcf0d8f7b72222a8 Mon Sep 17 00:00:00 2001
		2	From: Illia Volochii <illia.volochii@gmail.com>
		3	Date: Fri, 5 Dec 2025 16:41:33 +0200
		4	Subject: [PATCH] Merge commit from fork
		5
		6	* Add a hard-coded limit for the decompression chain
		7
		8	* Reuse new list
		9
		10	CVE: CVE-2025-66418
		11	Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/24d7b67eac89f94e11003424bcf0d8f7b72222a8]
		12	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		13	---
		14	changelog/GHSA-gm62-xv2j-4w53.security.rst \| 4 ++++
		15	src/urllib3/response.py \| 12 +++++++++++-
		16	test/test_response.py \| 10 ++++++++++
		17	3 files changed, 25 insertions(+), 1 deletion(-)
		18	create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
		19
		20	diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst
		21	new file mode 100644
		22	index 00000000..6646eaa3
		23	--- /dev/null
		24	+++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst
		25	@@ -0,0 +1,4 @@
		26	+Fixed a security issue where an attacker could compose an HTTP response with
		27	+virtually unlimited links in the ``Content-Encoding`` header, potentially
		28	+leading to a denial of service (DoS) attack by exhausting system resources
		29	+during decoding. The number of allowed chained encodings is now limited to 5.
		30	diff --git a/src/urllib3/response.py b/src/urllib3/response.py
		31	index 4ba42136..069f726c 100644
		32	--- a/src/urllib3/response.py
		33	+++ b/src/urllib3/response.py
		34	@@ -135,8 +135,18 @@ class MultiDecoder(object):
		35	they were applied.
		36	"""
		37
		38	+ # Maximum allowed number of chained HTTP encodings in the
		39	+ # Content-Encoding header.
		40	+ max_decode_links = 5
		41	+
		42	def __init__(self, modes):
		43	- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
		44	+ encodings = [m.strip() for m in modes.split(",")]
		45	+ if len(encodings) > self.max_decode_links:
		46	+ raise DecodeError(
		47	+ "Too many content encodings in the chain: "
		48	+ f"{len(encodings)} > {self.max_decode_links}"
		49	+ )
		50	+ self._decoders = [_get_decoder(e) for e in encodings]
		51
		52	def flush(self):
		53	return self._decoders[0].flush()
		54	diff --git a/test/test_response.py b/test/test_response.py
		55	index 9592fdd9..d824ae70 100644
		56	--- a/test/test_response.py
		57	+++ b/test/test_response.py
		58	@@ -295,6 +295,16 @@ class TestResponse(object):
		59
		60	assert r.data == b"foo"
		61
		62	+ def test_read_multi_decoding_too_many_links(self) -> None:
		63	+ fp = BytesIO(b"foo")
		64	+ with pytest.raises(
		65	+ DecodeError, match="Too many content encodings in the chain: 6 > 5"
		66	+ ):
		67	+ HTTPResponse(
		68	+ fp,
		69	+ headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
		70	+ )
		71	+
		72	def test_body_blob(self):
		73	resp = HTTPResponse(b"foo")
		74	assert resp.data == b"foo"


diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.20.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.20.bb index 58988e4205..1f1132d5b5 100644 --- a/meta/recipes-devtools/python/python3-urllib3_1.26.20.bb +++ b/meta/recipes-devtools/python/python3-urllib3_1.26.20.bb
@@ -9,6 +9,7 @@ inherit pypi setuptools3
9		9
10	SRC_URI += " \	10	SRC_URI += " \
11	file://CVE-2025-50181.patch \	11	file://CVE-2025-50181.patch \
		12	file://CVE-2025-66418.patch \
12	"	13	"
13		14
14	RDEPENDS:${PN} += "\	15	RDEPENDS:${PN} += "\