From 2462a96623dd70dc4a3a53782d855945078b71b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Thu, 8 Jan 2026 16:21:47 +0100 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 python-tornado6 revision b037578920bc5dc6817ecbb9c67cef34 --- CVE-2025-67724.patch | 118 ++++++++++++++++++++++++++++++++++++++ CVE-2025-67725.patch | 124 ++++++++++++++++++++++++++++++++++++++++ CVE-2025-67726.patch | 94 ++++++++++++++++++++++++++++++ python-tornado6.changes | 8 +++ python-tornado6.spec | 6 ++ 5 files changed, 350 insertions(+) create mode 100644 CVE-2025-67724.patch create mode 100644 CVE-2025-67725.patch create mode 100644 CVE-2025-67726.patch diff --git a/CVE-2025-67724.patch b/CVE-2025-67724.patch new file mode 100644 index 0000000..261397f --- /dev/null +++ b/CVE-2025-67724.patch @@ -0,0 +1,118 @@ +From 9c163aebeaad9e6e7d28bac1f33580eb00b0e421 Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Wed, 10 Dec 2025 15:15:25 -0500 +Subject: [PATCH] web: Harden against invalid HTTP reason phrases + +We allow applications to set custom reason phrases for the HTTP status +line (to support custom status codes), but if this were exposed to +untrusted data it could be exploited in various ways. This commit +guards against invalid reason phrases in both HTTP headers and in +error pages. +--- + tornado/test/web_test.py | 15 ++++++++++++++- + tornado/web.py | 25 +++++++++++++++++++------ + 2 files changed, 33 insertions(+), 7 deletions(-) + +Index: tornado-6.4/tornado/test/web_test.py +=================================================================== +--- tornado-6.4.orig/tornado/test/web_test.py ++++ tornado-6.4/tornado/test/web_test.py +@@ -1712,7 +1712,7 @@ class StatusReasonTest(SimpleHandlerTest + class Handler(RequestHandler): + def get(self): + reason = self.request.arguments.get("reason", []) +- self.set_status( ++ raise HTTPError( + int(self.get_argument("code")), + reason=to_unicode(reason[0]) if reason else None, + ) +@@ -1735,6 +1735,19 @@ class StatusReasonTest(SimpleHandlerTest + self.assertEqual(response.code, 682) + self.assertEqual(response.reason, "Unknown") + ++ def test_header_injection(self): ++ response = self.fetch("/?code=200&reason=OK%0D%0AX-Injection:injected") ++ self.assertEqual(response.code, 200) ++ self.assertEqual(response.reason, "Unknown") ++ self.assertNotIn("X-Injection", response.headers) ++ ++ def test_reason_xss(self): ++ response = self.fetch("/?code=400&reason=") ++ self.assertEqual(response.code, 400) ++ self.assertEqual(response.reason, "Unknown") ++ self.assertNotIn(b"script", response.body) ++ self.assertIn(b"Unknown", response.body) ++ + + class DateHeaderTest(SimpleHandlerTestCase): + class Handler(RequestHandler): +Index: tornado-6.4/tornado/web.py +=================================================================== +--- tornado-6.4.orig/tornado/web.py ++++ tornado-6.4/tornado/web.py +@@ -350,8 +350,10 @@ class RequestHandler(object): + + :arg int status_code: Response status code. + :arg str reason: Human-readable reason phrase describing the status +- code. If ``None``, it will be filled in from +- `http.client.responses` or "Unknown". ++ code (for example, the "Not Found" in ``HTTP/1.1 404 Not Found``). ++ Normally determined automatically from `http.client.responses`; this ++ argument should only be used if you need to use a non-standard ++ status code. + + .. versionchanged:: 5.0 + +@@ -360,6 +362,19 @@ class RequestHandler(object): + """ + self._status_code = status_code + if reason is not None: ++ # RFC 5234 (ABNF) ++ VCHAR = re.compile(r"[\x21-\x7E]") ++ # RFC 9110 (HTTP Semantics) ++ obs_text = re.compile(r"[\x80-\xFF]") ++ reason_phrase = re.compile(rf"(?:[\t ]|{VCHAR.pattern}|{obs_text.pattern})+") ++ if "<" in reason or not reason_phrase.fullmatch(reason): ++ # Logically this would be better as an exception, but this method ++ # is called on error-handling paths that would need some refactoring ++ # to tolerate internal errors cleanly. ++ # ++ # The check for "<" is a defense-in-depth against XSS attacks (we also ++ # escape the reason when rendering error pages). ++ reason = "Unknown" + self._reason = escape.native_str(reason) + else: + self._reason = httputil.responses.get(status_code, "Unknown") +@@ -1295,7 +1310,8 @@ class RequestHandler(object): + reason = exception.reason + self.set_status(status_code, reason=reason) + try: +- self.write_error(status_code, **kwargs) ++ if status_code != 304: ++ self.write_error(status_code, **kwargs) + except Exception: + app_log.error("Uncaught exception in write_error", exc_info=True) + if not self._finished: +@@ -1323,7 +1339,7 @@ class RequestHandler(object): + self.finish( + "%(code)d: %(message)s" + "%(code)d: %(message)s" +- % {"code": status_code, "message": self._reason} ++ % {"code": status_code, "message": escape.xhtml_escape(self._reason)} + ) + + @property +@@ -2469,9 +2485,11 @@ class HTTPError(Exception): + mode). May contain ``%s``-style placeholders, which will be filled + in with remaining positional parameters. + :arg str reason: Keyword-only argument. The HTTP "reason" phrase +- to pass in the status line along with ``status_code``. Normally ++ to pass in the status line along with ``status_code`` (for example, ++ the "Not Found" in ``HTTP/1.1 404 Not Found``). Normally + determined automatically from ``status_code``, but can be used +- to use a non-standard numeric code. ++ to use a non-standard numeric code. This is not a general-purpose ++ error message. + """ + + def __init__( diff --git a/CVE-2025-67725.patch b/CVE-2025-67725.patch new file mode 100644 index 0000000..f69179f --- /dev/null +++ b/CVE-2025-67725.patch @@ -0,0 +1,124 @@ +From 68e81b4a3385161877408a7a49c7ed12b45a614d Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Tue, 9 Dec 2025 13:27:27 -0500 +Subject: [PATCH] httputil: Fix quadratic performance of repeated header lines + +Previouisly, when many header lines with the same name were found +in an HTTP request or response, repeated string concatenation would +result in quadratic performance. This change does the concatenation +lazily (with a cache) so that repeated headers can be processed +efficiently. + +Security: The previous behavior allowed a denial of service attack +via a maliciously crafted HTTP message, but only if the +max_header_size was increased from its default of 64kB. +--- + tornado/httputil.py | 36 ++++++++++++++++++++++++----------- + tornado/test/httputil_test.py | 15 +++++++++++++++ + 2 files changed, 40 insertions(+), 11 deletions(-) + +Index: tornado-6.4/tornado/httputil.py +=================================================================== +--- tornado-6.4.orig/tornado/httputil.py ++++ tornado-6.4/tornado/httputil.py +@@ -118,8 +118,14 @@ class HTTPHeaders(collections.abc.Mutabl + pass + + def __init__(self, *args: typing.Any, **kwargs: str) -> None: # noqa: F811 +- self._dict = {} # type: typing.Dict[str, str] +- self._as_list = {} # type: typing.Dict[str, typing.List[str]] ++ # Formally, HTTP headers are a mapping from a field name to a "combined field value", ++ # which may be constructed from multiple field lines by joining them with commas. ++ # In practice, however, some headers (notably Set-Cookie) do not follow this convention, ++ # so we maintain a mapping from field name to a list of field lines in self._as_list. ++ # self._combined_cache is a cache of the combined field values derived from self._as_list ++ # on demand (and cleared whenever the list is modified). ++ self._as_list: dict[str, list[str]] = {} ++ self._combined_cache: dict[str, str] = {} + self._last_key = None # type: Optional[str] + if len(args) == 1 and len(kwargs) == 0 and isinstance(args[0], HTTPHeaders): + # Copy constructor +@@ -136,9 +142,7 @@ class HTTPHeaders(collections.abc.Mutabl + norm_name = _normalize_header(name) + self._last_key = norm_name + if norm_name in self: +- self._dict[norm_name] = ( +- native_str(self[norm_name]) + "," + native_str(value) +- ) ++ self._combined_cache.pop(norm_name, None) + self._as_list[norm_name].append(value) + else: + self[norm_name] = value +@@ -172,7 +176,7 @@ class HTTPHeaders(collections.abc.Mutabl + raise HTTPInputError("first header line cannot start with whitespace") + new_part = " " + line.lstrip() + self._as_list[self._last_key][-1] += new_part +- self._dict[self._last_key] += new_part ++ self._combined_cache.pop(self._last_key, None) + else: + try: + name, value = line.split(":", 1) +@@ -208,22 +212,32 @@ class HTTPHeaders(collections.abc.Mutabl + + def __setitem__(self, name: str, value: str) -> None: + norm_name = _normalize_header(name) +- self._dict[norm_name] = value ++ self._combined_cache[norm_name] = value + self._as_list[norm_name] = [value] + ++ def __contains__(self, name: object) -> bool: ++ # This is an important optimization to avoid the expensive concatenation ++ # in __getitem__ when it's not needed. ++ if not isinstance(name, str): ++ return False ++ return name in self._as_list ++ + def __getitem__(self, name: str) -> str: +- return self._dict[_normalize_header(name)] ++ header = _normalize_header(name) ++ if header not in self._combined_cache: ++ self._combined_cache[header] = ",".join(self._as_list[header]) ++ return self._combined_cache[header] + + def __delitem__(self, name: str) -> None: + norm_name = _normalize_header(name) +- del self._dict[norm_name] ++ del self._combined_cache[norm_name] + del self._as_list[norm_name] + + def __len__(self) -> int: +- return len(self._dict) ++ return len(self._as_list) + + def __iter__(self) -> Iterator[typing.Any]: +- return iter(self._dict) ++ return iter(self._as_list) + + def copy(self) -> "HTTPHeaders": + # defined in dict but not in MutableMapping. +Index: tornado-6.4/tornado/test/httputil_test.py +=================================================================== +--- tornado-6.4.orig/tornado/test/httputil_test.py ++++ tornado-6.4/tornado/test/httputil_test.py +@@ -473,6 +473,21 @@ class ParseRequestStartLineTest(unittest + self.assertEqual(parsed_start_line.path, self.PATH) + self.assertEqual(parsed_start_line.version, self.VERSION) + ++ def test_linear_performance(self): ++ def f(n): ++ start = time.time() ++ headers = HTTPHeaders() ++ for i in range(n): ++ headers.add("X-Foo", "bar") ++ return time.time() - start ++ ++ # This runs under 50ms on my laptop as of 2025-12-09. ++ d1 = f(10_000) ++ d2 = f(100_000) ++ if d2 / d1 > 20: ++ # d2 should be about 10x d1 but allow a wide margin for variability. ++ self.fail(f"HTTPHeaders.add() does not scale linearly: {d1=} vs {d2=}") ++ + + class ParseCookieTest(unittest.TestCase): + # These tests copied from Django: diff --git a/CVE-2025-67726.patch b/CVE-2025-67726.patch new file mode 100644 index 0000000..bb49523 --- /dev/null +++ b/CVE-2025-67726.patch @@ -0,0 +1,94 @@ +From 771472cfdaeebc0d89a9cc46e249f8891a6b29cd Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Wed, 10 Dec 2025 10:55:02 -0500 +Subject: [PATCH] httputil: Fix quadratic behavior in _parseparam + +Prior to this change, _parseparam had O(n^2) behavior when parsing +certain inputs, which could be a DoS vector. This change adapts +logic from the equivalent function in the python standard library +in https://github.com/python/cpython/pull/136072/files +--- + tornado/httputil.py | 29 ++++++++++++++++++++++------- + tornado/test/httputil_test.py | 23 +++++++++++++++++++++++ + 2 files changed, 45 insertions(+), 7 deletions(-) + +Index: tornado-6.4/tornado/httputil.py +=================================================================== +--- tornado-6.4.orig/tornado/httputil.py ++++ tornado-6.4/tornado/httputil.py +@@ -937,19 +937,34 @@ def parse_response_start_line(line: str) + # It has also been modified to support valueless parameters as seen in + # websocket extension negotiations, and to support non-ascii values in + # RFC 2231/5987 format. ++# ++# _parseparam has been further modified with the logic from ++# https://github.com/python/cpython/pull/136072/files ++# to avoid quadratic behavior when parsing semicolons in quoted strings. ++# ++# TODO: See if we can switch to email.message.Message for this functionality. ++# This is the suggested replacement for the cgi.py module now that cgi has ++# been removed from recent versions of Python. We need to verify that ++# the email module is consistent with our existing behavior (and all relevant ++# RFCs for multipart/form-data) before making this change. + + + def _parseparam(s: str) -> Generator[str, None, None]: +- while s[:1] == ";": +- s = s[1:] +- end = s.find(";") +- while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2: +- end = s.find(";", end + 1) ++ start = 0 ++ while s.find(";", start) == start: ++ start += 1 ++ end = s.find(";", start) ++ ind, diff = start, 0 ++ while end > 0: ++ diff += s.count('"', ind, end) - s.count('\\"', ind, end) ++ if diff % 2 == 0: ++ break ++ end, ind = ind, s.find(";", end + 1) + if end < 0: + end = len(s) +- f = s[:end] ++ f = s[start:end] + yield f.strip() +- s = s[end:] ++ start = end + + + def _parse_header(line: str) -> Tuple[str, Dict[str, str]]: +Index: tornado-6.4/tornado/test/httputil_test.py +=================================================================== +--- tornado-6.4.orig/tornado/test/httputil_test.py ++++ tornado-6.4/tornado/test/httputil_test.py +@@ -262,6 +262,29 @@ Foo + self.assertEqual(file["filename"], "ab.txt") + self.assertEqual(file["body"], b"Foo") + ++ def test_disposition_param_linear_performance(self): ++ # This is a regression test for performance of parsing parameters ++ # to the content-disposition header, specifically for semicolons within ++ # quoted strings. ++ def f(n): ++ start = time.time() ++ message = ( ++ b"--1234\r\nContent-Disposition: form-data; " ++ + b'x="' ++ + b";" * n ++ + b'"; ' ++ + b'name="files"; filename="a.txt"\r\n\r\nFoo\r\n--1234--\r\n' ++ ) ++ args: dict[str, list[bytes]] = {} ++ files: dict[str, list[HTTPFile]] = {} ++ parse_multipart_form_data(b"1234", message, args, files) ++ return time.time() - start ++ ++ d1 = f(1_000) ++ d2 = f(10_000) ++ if d2 / d1 > 20: ++ self.fail(f"Disposition param parsing is not linear: {d1=} vs {d2=}") ++ + + class HTTPHeadersTest(unittest.TestCase): + def test_multi_line(self): diff --git a/python-tornado6.changes b/python-tornado6.changes index 09eff6b..d7f3b1e 100644 --- a/python-tornado6.changes +++ b/python-tornado6.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Dec 15 15:35:32 UTC 2025 - Nico Krapp + +- Add security patches: + * CVE-2025-67724.patch (bsc#1254903) + * CVE-2025-67725.patch (bsc#1254905) + * CVE-2025-67726.patch (bsc#1254904) + ------------------------------------------------------------------- Mon May 26 10:20:14 UTC 2025 - Daniel Garcia diff --git a/python-tornado6.spec b/python-tornado6.spec index 712b41e..be60283 100644 --- a/python-tornado6.spec +++ b/python-tornado6.spec @@ -35,6 +35,12 @@ Patch1: openssl-3.2.patch Patch2: CVE-2024-52804-avoid-quadratic-cookie-parsing.patch # PATCH-FIX-UPSTREAM CVE-2025-47287.patch bsc#1243268 Patch3: CVE-2025-47287.patch +# PATCH-FIX-UPSTREAM CVE-2025-67724.patch bsc#1254903 +Patch4: CVE-2025-67724.patch +# PATCH-FIX-UPSTREAM CVE-2025-67725.patch bsc#1254905 +Patch5: CVE-2025-67725.patch +# PATCH-FIX-UPSTREAM CVE-2025-67726.patch bsc#1254904 +Patch6: CVE-2025-67726.patch BuildRequires: %{python_module base >= 3.8} BuildRequires: %{python_module devel} BuildRequires: %{python_module pip}