Backport fix to address CVE-2026-21441

- Add CVE-2026-21441.patch to fix excessive resource consumption during decompression of data in HTTP redirect responses (bsc#1256331, CVE-2026-21441)
2026-01-13 11:08:08 +01:00
3 changed files with 98 additions and 0 deletions
--- a/CVE-2026-21441.patch
+++ b/CVE-2026-21441.patch
@@ -0,0 +1,88 @@
+From f3ef966d0c717099d2f4a1697bd661b48c703efd Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 7 Jan 2026 18:07:30 +0200
+Subject: [PATCH] Merge commit from fork
+
+* Stop decoding response content during redirects needlessly
+
+* Rename the new query parameter
+
+* Add a changelog entry
+---
+ dummyserver/app.py                           |  8 +++++++-
+ src/urllib3/response.py                      |  6 +++++-
+ test/with_dummyserver/test_connectionpool.py | 19 +++++++++++++++++++
+ 3 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/dummyserver/app.py b/dummyserver/app.py
+index 0eeb93f7..5b82e932 100644
+--- a/dummyserver/app.py
+++ b/dummyserver/app.py
+@@ -233,10 +233,16 @@ async def redirect() -> ResponseReturnValue:
+     values = await request.values
+     target = values.get("target", "/")
+     status = values.get("status", "303 See Other")
+    compressed = values.get("compressed") == "true"
+     status_code = status.split(" ")[0]
+ 
+     headers = [("Location", target)]
+-    return await make_response("", status_code, headers)
+    if compressed:
+        headers.append(("Content-Encoding", "gzip"))
+        data = gzip.compress(b"foo")
+    else:
+        data = b""
+    return await make_response(data, status_code, headers)
+ 
+ 
+ @hypercorn_app.route("/redirect_after")
+diff --git a/src/urllib3/response.py b/src/urllib3/response.py
+index 5632dab3..720fbf26 100644
+--- a/src/urllib3/response.py
+++ b/src/urllib3/response.py
+@@ -677,7 +677,11 @@ class HTTPResponse(BaseHTTPResponse):
+         Unread data in the HTTPResponse connection blocks the connection from being released back to the pool.
+         """
+         try:
+-            self.read()
+            self.read(
+                # Do not spend resources decoding the content unless
+                # decoding has already been initiated.
+                decode_content=self._has_decoded_content,
+            )
+         except (HTTPError, OSError, BaseSSLError, HTTPException):
+             pass
+ 
+diff --git a/test/with_dummyserver/test_connectionpool.py b/test/with_dummyserver/test_connectionpool.py
+index ce165e24..8d6107ae 100644
+--- a/test/with_dummyserver/test_connectionpool.py
+++ b/test/with_dummyserver/test_connectionpool.py
+@@ -508,6 +508,25 @@ class TestConnectionPool(HypercornDummyServerTestCase):
+             assert r.status == 200
+             assert r.data == b"Dummy server!"
+ 
+    @mock.patch("urllib3.response.GzipDecoder.decompress")
+    def test_no_decoding_with_redirect_when_preload_disabled(
+        self, gzip_decompress: mock.MagicMock
+    ) -> None:
+        """
+        Test that urllib3 does not attempt to decode a gzipped redirect
+        response when `preload_content` is set to `False`.
+        """
+        with HTTPConnectionPool(self.host, self.port) as pool:
+            # Three requests are expected: two redirects and one final / 200 OK.
+            response = pool.request(
+                "GET",
+                "/redirect",
+                fields={"target": "/redirect?compressed=true", "compressed": "true"},
+                preload_content=False,
+            )
+        assert response.status == 200
+        gzip_decompress.assert_not_called()
+
+     def test_303_redirect_makes_request_lose_body(self) -> None:
+         with HTTPConnectionPool(self.host, self.port) as pool:
+             response = pool.request(
+-- 
+2.52.0
+
--- a/python-urllib3.changes
+++ b/python-urllib3.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jan 13 09:58:43 UTC 2026 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Add CVE-2026-21441.patch to fix excessive resource consumption
+  during decompression of data in HTTP redirect responses
+  (bsc#1256331, CVE-2026-21441)
+
 -------------------------------------------------------------------
 Mon Jun 23 02:03:12 UTC 2025 - Steve Kowalik <steven.kowalik@suse.com>

--- a/python-urllib3.spec
+++ b/python-urllib3.spec
@@ -35,6 +35,9 @@ Source:         https://files.pythonhosted.org/packages/source/u/urllib3/urllib3
 # https://github.com/urllib3/urllib3/issues/3334
 %define hypercorn_commit d1719f8c1570cbd8e6a3719ffdb14a4d72880abb
 Source1:        https://github.com/urllib3/hypercorn/archive/%{hypercorn_commit}/hypercorn-%{hypercorn_commit}.tar.gz
+# PATCH-FIX-UPSTREAM https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b
+# Stop decoding response content during redirects needlessly (CVE-2026-21441)
+Patch1:         CVE-2026-21441.patch
 BuildRequires:  %{python_module base >= 3.8}
 BuildRequires:  %{python_module hatch-vcs}
 BuildRequires:  %{python_module hatchling}