Security fixes for CVE-2025-66471 and CVE-2025-66418

2025-12-16 18:50:16 +01:00 · 2025-12-16 18:50:16 +01:00 · 7a3387da14
commit 7a3387da14
parent d4d2c84039
3 changed files with 1436 additions and 2 deletions
--- a/CVE-2025-66418.patch
+++ b/CVE-2025-66418.patch
@ -0,0 +1,75 @@
+From a5505e56f5bc1761beba7685309e6d7314a9588c Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Fri, 5 Dec 2025 16:41:33 +0200
+Subject: [PATCH] Security fix for CVE-2025-66418
+
+* Add a hard-coded limit for the decompression chain
+
+* Reuse new list
+
+(cherry picked from commit 24d7b67eac89f94e11003424bcf0d8f7b72222a8)
+---
+ changelog/GHSA-gm62-xv2j-4w53.security.rst |  4 ++++
+ src/urllib3/response.py                    | 12 +++++++++++-
+ test/test_response.py                      | 10 ++++++++++
+ 3 files changed, 25 insertions(+), 1 deletion(-)
+ create mode 100644 changelog/GHSA-gm62-xv2j-4w53.security.rst
+
+diff --git a/changelog/GHSA-gm62-xv2j-4w53.security.rst b/changelog/GHSA-gm62-xv2j-4w53.security.rst
+new file mode 100644
+index 00000000..6646eaa3
+--- /dev/null
+++ b/changelog/GHSA-gm62-xv2j-4w53.security.rst
+@@ -0,0 +1,4 @@
+Fixed a security issue where an attacker could compose an HTTP response with
+virtually unlimited links in the ``Content-Encoding`` header, potentially
+leading to a denial of service (DoS) attack by exhausting system resources
+during decoding. The number of allowed chained encodings is now limited to 5.
+diff --git a/src/urllib3/response.py b/src/urllib3/response.py
+index d0665533..f945c41c 100644
+--- a/src/urllib3/response.py
+++ b/src/urllib3/response.py
+@@ -224,8 +224,18 @@ class MultiDecoder(object):
+         they were applied.
+     """
+ 
+    # Maximum allowed number of chained HTTP encodings in the
+    # Content-Encoding header.
+    max_decode_links = 5
+
+     def __init__(self, modes):
+-        self._decoders = [_get_decoder(m.strip()) for m in modes.split(",")]
+        encodings = [m.strip() for m in modes.split(",")]
+        if len(encodings) > self.max_decode_links:
+            raise DecodeError(
+                "Too many content encodings in the chain: "
+                f"{len(encodings)} > {self.max_decode_links}"
+            )
+        self._decoders = [_get_decoder(e) for e in encodings]
+ 
+     def flush(self):
+         return self._decoders[0].flush()
+diff --git a/test/test_response.py b/test/test_response.py
+index f949b2b1..33f570c4 100644
+--- a/test/test_response.py
+++ b/test/test_response.py
+@@ -543,6 +543,16 @@ class TestResponse(object):
+         assert r.read(9 * 37) == b"foobarbaz" * 37
+         assert r.read() == b""
+ 
+    def test_read_multi_decoding_too_many_links(self):
+        fp = BytesIO(b"foo")
+        with pytest.raises(
+            DecodeError, match="Too many content encodings in the chain: 6 > 5"
+        ):
+            HTTPResponse(
+                fp,
+                headers={"content-encoding": "gzip, deflate, br, zstd, gzip, deflate"},
+            )
+
+     def test_body_blob(self):
+         resp = HTTPResponse(b"foo")
+         assert resp.data == b"foo"
+-- 
+2.52.0
+
--- a/CVE-2025-66471.patch
+++ b/CVE-2025-66471.patch
--- a/python3.12-urllib3.spec
+++ b/python3.12-urllib3.spec
@ -6,13 +6,15 @@

 Name:           python%{python3_pkgversion}-urllib3
 Version:        1.26.19
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        HTTP library with thread-safe connection pooling, file post, and more

 # SPDX
 License:        MIT
 URL:            https://github.com/urllib3/urllib3
 Source:         %{url}/archive/%{version}/urllib3-%{version}.tar.gz
+Patch1:         CVE-2025-66471.patch
+Patch2:         CVE-2025-66418.patch

 BuildArch:      noarch

@ -72,7 +74,7 @@ many critical features that are missing from the Python standard libraries:


 %prep
-%autosetup -n urllib3-%{version}
+%autosetup -p1 -n urllib3-%{version}
 # Make sure that the RECENT_DATE value doesn't get too far behind what the current date is.
 # RECENT_DATE must not be older that 2 years from the build time, or else test_recent_date
 # (from test/test_connection.py) would fail. However, it shouldn't be to close to the build time either,
@ -130,6 +132,11 @@ ignore="${ignore-} --ignore=test/test_no_ssl.py"


 %changelog
+* Tue Jan 27 2026 Miro Hrončok <mhroncok@redhat.com> - 1.26.19-2
+- Security fix for CVE-2025-66471
+- Security fix for CVE-2025-66418
+Resolves: RHEL-142909, RHEL-139399
+
 * Wed Sep 25 2024 Lumír Balhar <lbalhar@redhat.com> - 1.26.19-1
 - Rebase to 1.26.19 to fix CVE-2024-37891
 Resolves: RHEL-59998