rpms/python-urllib3
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Security fixes for CVE-2025-66471 and CVE-2025-66418

Browse Source
This commit is contained in:
Miro Hrončok 2025-12-16 18:50:16 +01:00
parent 18da90f602
commit 27011bd9ff
3 changed files with 1436 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
CVE-2025-66418.patch Normal file
View File

@ -0,0 +1,75 @@
From a5505e56f5bc1761beba7685309e6d7314a9588c Mon Sep 17 00:00:00 2001
From: Illia Volochii <illia.volochii@gmail.com>
Date: Fri, 5 Dec 2025 16:41:33 +0200
Subject: [PATCH] Security fix for CVE-2025-66418
* Add a hard-coded limit for the decompression chain
* Reuse new list
(cherry picked from commit 24d7b67eac89f94e11003424bcf0d8f7b72222a8)
---
changelog/GHSA-gm62-xv2j-4w53.security.rst | 4 ++++
src/urllib3/response.py | 12 +++++++++++-
test/test_response.py | 10 ++++++++++
3 files changed, 25 insertions(+), 1 deletion(-)
create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst
new file mode 100644
index 00000000..6646eaa3
--- /dev/null
+++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst
@@ -0,0 +1,4 @@
+Fixed a security issue where an attacker could compose an HTTP response with
+virtually unlimited links in the ``Content-Encoding`` header, potentially
+leading to a denial of service (DoS) attack by exhausting system resources
+during decoding. The number of allowed chained encodings is now limited to 5.
diff --git a/src/urllib3/response.py b/src/urllib3/response.py
index d0665533..f945c41c 100644
--- a/src/urllib3/response.py
+++ b/src/urllib3/response.py
@@ -224,8 +224,18 @@ class MultiDecoder(object):
they were applied.
"""
+ # Maximum allowed number of chained HTTP encodings in the
+ # Content-Encoding header.
+ max_decode_links = 5
+
def __init__(self, modes):
- self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
+ encodings = [m.strip() for m in modes.split(",")]
+ if len(encodings) > self.max_decode_links:
+ raise DecodeError(
+ "Too many content encodings in the chain: "
+ f"{len(encodings)} > {self.max_decode_links}"
+ )
+ self._decoders = [_get_decoder(e) for e in encodings]
def flush(self):
return self._decoders[0].flush()
diff --git a/test/test_response.py b/test/test_response.py
index f949b2b1..33f570c4 100644
--- a/test/test_response.py
+++ b/test/test_response.py
@@ -543,6 +543,16 @@ class TestResponse(object):
assert r.read(9 * 37) == b"foobarbaz" * 37
assert r.read() == b""
+ def test_read_multi_decoding_too_many_links(self):
+ fp = BytesIO(b"foo")
+ with pytest.raises(
+ DecodeError, match="Too many content encodings in the chain: 6 > 5"
+ ):
+ HTTPResponse(
+ fp,
+ headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
+ )
+
def test_body_blob(self):
resp = HTTPResponse(b"foo")
assert resp.data == b"foo"
--
2.52.0

1352
CVE-2025-66471.patch Normal file
View File

File diff suppressed because it is too large Load Diff

11
python-urllib3.spec
View File

@ -10,13 +10,15 @@
Name: python-urllib3 Name: python-urllib3
Version: 1.26.19 Version: 1.26.19
Release: 2%{?dist} Release: 3%{?dist}
Summary: HTTP library with thread-safe connection pooling, file post, and more Summary: HTTP library with thread-safe connection pooling, file post, and more
# SPDX # SPDX
License: MIT License: MIT
URL: https://github.com/urllib3/urllib3 URL: https://github.com/urllib3/urllib3
Source: %{url}/archive/%{version}/urllib3-%{version}.tar.gz Source: %{url}/archive/%{version}/urllib3-%{version}.tar.gz
Patch: CVE-2025-66471.patch
Patch: CVE-2025-66418.patch
BuildArch: noarch BuildArch: noarch
@ -97,7 +99,7 @@ Recommends: python3-urllib3+socks
%prep %prep
%autosetup -n urllib3-%{version} %autosetup -p1 -n urllib3-%{version}
# Make sure that the RECENT_DATE value doesn't get too far behind what the current date is. # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
# RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
# (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either, # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
@ -168,6 +170,11 @@ ignore="${ignore-} --ignore=test/test_no_ssl.py"
%changelog %changelog
* Tue Jan 27 2026 Miro Hrončok <mhroncok@redhat.com> - 1.26.19-3
- Security fix for CVE-2025-66471
- Security fix for CVE-2025-66418
Resolves: RHEL-142737, RHEL-137215
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.26.19-2 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.26.19-2
- Bump release for October 2024 mass rebuild: - Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018 Resolves: RHEL-64018