Add missing changelog entry

CVE-2024-52804-avoid-quadratic-cookie-parsing.patch

@@ -21,11 +21,11 @@ Thanks to github.com/kexinoh for the report.
  tornado/test/httputil_test.py | 46 +++++++++++++++++++++++++++++++++++
  2 files changed, 56 insertions(+), 28 deletions(-)
 
-diff --git a/tornado/httputil.py b/tornado/httputil.py
-index 9ce992d82b..ebdc8059c1 100644
---- a/tornado/httputil.py
-+++ b/tornado/httputil.py
-@@ -1057,15 +1057,20 @@ def qs_to_qsl(qs: Dict[str, List[AnyStr]]) -> Iterable[Tuple[str, AnyStr]]:
+Index: tornado-6.3.2/tornado/httputil.py
+===================================================================
+--- tornado-6.3.2.orig/tornado/httputil.py
++++ tornado-6.3.2/tornado/httputil.py
+@@ -1055,15 +1055,20 @@ def qs_to_qsl(qs: Dict[str, List[AnyStr]
              yield (k, v)
  
  
@@ -50,7 +50,7 @@ index 9ce992d82b..ebdc8059c1 100644
      library (http.cookies._unquote) so we don't have to depend on
      non-public interfaces.
      """
-@@ -1086,30 +1091,7 @@ def _unquote_cookie(s: str) -> str:
+@@ -1084,30 +1089,7 @@ def _unquote_cookie(s: str) -> str:
      #    \012 --> \n
      #    \"   --> "
      #
@@ -82,11 +82,11 @@ index 9ce992d82b..ebdc8059c1 100644
  
  
  def parse_cookie(cookie: str) -> Dict[str, str]:
-diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py
-index 6d618839e0..975900aa9c 100644
---- a/tornado/test/httputil_test.py
-+++ b/tornado/test/httputil_test.py
-@@ -560,3 +560,49 @@ def test_invalid_cookies(self):
+Index: tornado-6.3.2/tornado/test/httputil_test.py
+===================================================================
+--- tornado-6.3.2.orig/tornado/test/httputil_test.py
++++ tornado-6.3.2/tornado/test/httputil_test.py
+@@ -519,3 +519,49 @@ class ParseCookieTest(unittest.TestCase)
          self.assertEqual(
              parse_cookie("  =  b  ;  ;  =  ;   c  =  ;  "), {"": "b", "c": ""}
          )

CVE-2025-67724.patch

@@ -0,0 +1,113 @@
+From 9c163aebeaad9e6e7d28bac1f33580eb00b0e421 Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Wed, 10 Dec 2025 15:15:25 -0500
+Subject: [PATCH] web: Harden against invalid HTTP reason phrases
+
+We allow applications to set custom reason phrases for the HTTP status
+line (to support custom status codes), but if this were exposed to
+untrusted data it could be exploited in various ways. This commit
+guards against invalid reason phrases in both HTTP headers and in
+error pages.
+---
+ tornado/test/web_test.py | 15 ++++++++++++++-
+ tornado/web.py           | 25 +++++++++++++++++++------
+ 2 files changed, 33 insertions(+), 7 deletions(-)
+
+Index: tornado-6.3.2/tornado/test/web_test.py
+===================================================================
+--- tornado-6.3.2.orig/tornado/test/web_test.py
++++ tornado-6.3.2/tornado/test/web_test.py
+@@ -1666,7 +1666,7 @@ class StatusReasonTest(SimpleHandlerTest
+     class Handler(RequestHandler):
+         def get(self):
+             reason = self.request.arguments.get("reason", [])
+-            self.set_status(
++            raise HTTPError(
+                 int(self.get_argument("code")),
+                 reason=to_unicode(reason[0]) if reason else None,
+             )
+@@ -1689,6 +1689,19 @@ class StatusReasonTest(SimpleHandlerTest
+         self.assertEqual(response.code, 682)
+         self.assertEqual(response.reason, "Unknown")
+ 
++    def test_header_injection(self):
++        response = self.fetch("/?code=200&reason=OK%0D%0AX-Injection:injected")
++        self.assertEqual(response.code, 200)
++        self.assertEqual(response.reason, "Unknown")
++        self.assertNotIn("X-Injection", response.headers)
++
++    def test_reason_xss(self):
++        response = self.fetch("/?code=400&reason=<script>alert(1)</script>")
++        self.assertEqual(response.code, 400)
++        self.assertEqual(response.reason, "Unknown")
++        self.assertNotIn(b"script", response.body)
++        self.assertIn(b"Unknown", response.body)
++
+ 
+ class DateHeaderTest(SimpleHandlerTestCase):
+     class Handler(RequestHandler):
+Index: tornado-6.3.2/tornado/web.py
+===================================================================
+--- tornado-6.3.2.orig/tornado/web.py
++++ tornado-6.3.2/tornado/web.py
+@@ -350,8 +350,10 @@ class RequestHandler(object):
+ 
+         :arg int status_code: Response status code.
+         :arg str reason: Human-readable reason phrase describing the status
+-            code. If ``None``, it will be filled in from
+-            `http.client.responses` or "Unknown".
++            code (for example, the "Not Found" in ``HTTP/1.1 404 Not Found``).
++            Normally determined automatically from `http.client.responses`; this
++            argument should only be used if you need to use a non-standard
++            status code.
+ 
+         .. versionchanged:: 5.0
+ 
+@@ -360,6 +362,14 @@ class RequestHandler(object):
+         """
+         self._status_code = status_code
+         if reason is not None:
++            if "<" in reason or not httputil._ABNF.reason_phrase.fullmatch(reason):
++                # Logically this would be better as an exception, but this method
++                # is called on error-handling paths that would need some refactoring
++                # to tolerate internal errors cleanly.
++                #
++                # The check for "<" is a defense-in-depth against XSS attacks (we also
++                # escape the reason when rendering error pages).
++                reason = "Unknown"
+             self._reason = escape.native_str(reason)
+         else:
+             self._reason = httputil.responses.get(status_code, "Unknown")
+@@ -1291,7 +1301,8 @@ class RequestHandler(object):
+                 reason = exception.reason
+         self.set_status(status_code, reason=reason)
+         try:
+-            self.write_error(status_code, **kwargs)
++            if status_code != 304:
++                self.write_error(status_code, **kwargs)
+         except Exception:
+             app_log.error("Uncaught exception in write_error", exc_info=True)
+         if not self._finished:
+@@ -1319,7 +1330,7 @@ class RequestHandler(object):
+             self.finish(
+                 "<html><title>%(code)d: %(message)s</title>"
+                 "<body>%(code)d: %(message)s</body></html>"
+-                % {"code": status_code, "message": self._reason}
++                % {"code": status_code, "message": escape.xhtml_escape(self._reason)}
+             )
+ 
+     @property
+@@ -2465,9 +2476,11 @@ class HTTPError(Exception):
+         mode).  May contain ``%s``-style placeholders, which will be filled
+         in with remaining positional parameters.
+     :arg str reason: Keyword-only argument.  The HTTP "reason" phrase
+-        to pass in the status line along with ``status_code``.  Normally
++        to pass in the status line along with ``status_code`` (for example,
++        the "Not Found" in ``HTTP/1.1 404 Not Found``).  Normally
+         determined automatically from ``status_code``, but can be used
+-        to use a non-standard numeric code.
++        to use a non-standard numeric code. This is not a general-purpose
++        error message.
+     """
+ 
+     def __init__(

CVE-2025-67725.patch

@@ -0,0 +1,124 @@
+From 68e81b4a3385161877408a7a49c7ed12b45a614d Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Tue, 9 Dec 2025 13:27:27 -0500
+Subject: [PATCH] httputil: Fix quadratic performance of repeated header lines
+
+Previouisly, when many header lines with the same name were found
+in an HTTP request or response, repeated string concatenation would
+result in quadratic performance. This change does the concatenation
+lazily (with a cache) so that repeated headers can be processed
+efficiently.
+
+Security: The previous behavior allowed a denial of service attack
+via a maliciously crafted HTTP message, but only if the
+max_header_size was increased from its default of 64kB.
+---
+ tornado/httputil.py           | 36 ++++++++++++++++++++++++-----------
+ tornado/test/httputil_test.py | 15 +++++++++++++++
+ 2 files changed, 40 insertions(+), 11 deletions(-)
+
+Index: tornado-6.3.2/tornado/httputil.py
+===================================================================
+--- tornado-6.3.2.orig/tornado/httputil.py
++++ tornado-6.3.2/tornado/httputil.py
+@@ -118,8 +118,14 @@ class HTTPHeaders(collections.abc.Mutabl
+         pass
+ 
+     def __init__(self, *args: typing.Any, **kwargs: str) -> None:  # noqa: F811
+-        self._dict = {}  # type: typing.Dict[str, str]
+-        self._as_list = {}  # type: typing.Dict[str, typing.List[str]]
++        # Formally, HTTP headers are a mapping from a field name to a "combined field value",
++        # which may be constructed from multiple field lines by joining them with commas.
++        # In practice, however, some headers (notably Set-Cookie) do not follow this convention,
++        # so we maintain a mapping from field name to a list of field lines in self._as_list.
++        # self._combined_cache is a cache of the combined field values derived from self._as_list
++        # on demand (and cleared whenever the list is modified).
++        self._as_list: dict[str, list[str]] = {}
++        self._combined_cache: dict[str, str] = {}
+         self._last_key = None  # type: Optional[str]
+         if len(args) == 1 and len(kwargs) == 0 and isinstance(args[0], HTTPHeaders):
+             # Copy constructor
+@@ -136,9 +142,7 @@ class HTTPHeaders(collections.abc.Mutabl
+         norm_name = _normalize_header(name)
+         self._last_key = norm_name
+         if norm_name in self:
+-            self._dict[norm_name] = (
+-                native_str(self[norm_name]) + "," + native_str(value)
+-            )
++            self._combined_cache.pop(norm_name, None)
+             self._as_list[norm_name].append(value)
+         else:
+             self[norm_name] = value
+@@ -172,7 +176,7 @@ class HTTPHeaders(collections.abc.Mutabl
+                 raise HTTPInputError("first header line cannot start with whitespace")
+             new_part = " " + line.lstrip()
+             self._as_list[self._last_key][-1] += new_part
+-            self._dict[self._last_key] += new_part
++            self._combined_cache.pop(self._last_key, None)
+         else:
+             try:
+                 name, value = line.split(":", 1)
+@@ -208,22 +212,32 @@ class HTTPHeaders(collections.abc.Mutabl
+ 
+     def __setitem__(self, name: str, value: str) -> None:
+         norm_name = _normalize_header(name)
+-        self._dict[norm_name] = value
++        self._combined_cache[norm_name] = value
+         self._as_list[norm_name] = [value]
+ 
++    def __contains__(self, name: object) -> bool:
++        # This is an important optimization to avoid the expensive concatenation
++        # in __getitem__ when it's not needed.
++        if not isinstance(name, str):
++            return False
++        return name in self._as_list
++
+     def __getitem__(self, name: str) -> str:
+-        return self._dict[_normalize_header(name)]
++        header = _normalize_header(name)
++        if header not in self._combined_cache:
++            self._combined_cache[header] = ",".join(self._as_list[header])
++        return self._combined_cache[header]
+ 
+     def __delitem__(self, name: str) -> None:
+         norm_name = _normalize_header(name)
+-        del self._dict[norm_name]
++        del self._combined_cache[norm_name]
+         del self._as_list[norm_name]
+ 
+     def __len__(self) -> int:
+-        return len(self._dict)
++        return len(self._as_list)
+ 
+     def __iter__(self) -> Iterator[typing.Any]:
+-        return iter(self._dict)
++        return iter(self._as_list)
+ 
+     def copy(self) -> "HTTPHeaders":
+         # defined in dict but not in MutableMapping.
+Index: tornado-6.3.2/tornado/test/httputil_test.py
+===================================================================
+--- tornado-6.3.2.orig/tornado/test/httputil_test.py
++++ tornado-6.3.2/tornado/test/httputil_test.py
+@@ -451,6 +451,21 @@ class ParseRequestStartLineTest(unittest
+         self.assertEqual(parsed_start_line.path, self.PATH)
+         self.assertEqual(parsed_start_line.version, self.VERSION)
+ 
++    def test_linear_performance(self):
++        def f(n):
++            start = time.time()
++            headers = HTTPHeaders()
++            for i in range(n):
++                headers.add("X-Foo", "bar")
++            return time.time() - start
++
++        # This runs under 50ms on my laptop as of 2025-12-09.
++        d1 = f(10_000)
++        d2 = f(100_000)
++        if d2 / d1 > 20:
++            # d2 should be about 10x d1 but allow a wide margin for variability.
++            self.fail(f"HTTPHeaders.add() does not scale linearly: {d1=} vs {d2=}")
++
+ 
+ class ParseCookieTest(unittest.TestCase):
+     # These tests copied from Django:

CVE-2025-67726.patch

@@ -0,0 +1,94 @@
+From 771472cfdaeebc0d89a9cc46e249f8891a6b29cd Mon Sep 17 00:00:00 2001
+From: Ben Darnell <ben@bendarnell.com>
+Date: Wed, 10 Dec 2025 10:55:02 -0500
+Subject: [PATCH] httputil: Fix quadratic behavior in _parseparam
+
+Prior to this change, _parseparam had O(n^2) behavior when parsing
+certain inputs, which could be a DoS vector. This change adapts
+logic from the equivalent function in the python standard library
+in https://github.com/python/cpython/pull/136072/files
+---
+ tornado/httputil.py           | 29 ++++++++++++++++++++++-------
+ tornado/test/httputil_test.py | 23 +++++++++++++++++++++++
+ 2 files changed, 45 insertions(+), 7 deletions(-)
+
+Index: tornado-6.3.2/tornado/httputil.py
+===================================================================
+--- tornado-6.3.2.orig/tornado/httputil.py
++++ tornado-6.3.2/tornado/httputil.py
+@@ -936,19 +936,34 @@ def parse_response_start_line(line: str)
+ # It has also been modified to support valueless parameters as seen in
+ # websocket extension negotiations, and to support non-ascii values in
+ # RFC 2231/5987 format.
++#
++# _parseparam has been further modified with the logic from
++# https://github.com/python/cpython/pull/136072/files
++# to avoid quadratic behavior when parsing semicolons in quoted strings.
++#
++# TODO: See if we can switch to email.message.Message for this functionality.
++# This is the suggested replacement for the cgi.py module now that cgi has
++# been removed from recent versions of Python.  We need to verify that
++# the email module is consistent with our existing behavior (and all relevant
++# RFCs for multipart/form-data) before making this change.
+ 
+ 
+ def _parseparam(s: str) -> Generator[str, None, None]:
+-    while s[:1] == ";":
+-        s = s[1:]
+-        end = s.find(";")
+-        while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2:
+-            end = s.find(";", end + 1)
++    start = 0
++    while s.find(";", start) == start:
++        start += 1
++        end = s.find(";", start)
++        ind, diff = start, 0
++        while end > 0:
++            diff += s.count('"', ind, end) - s.count('\\"', ind, end)
++            if diff % 2 == 0:
++                break
++            end, ind = ind, s.find(";", end + 1)
+         if end < 0:
+             end = len(s)
+-        f = s[:end]
++        f = s[start:end]
+         yield f.strip()
+-        s = s[end:]
++        start = end
+ 
+ 
+ def _parse_header(line: str) -> Tuple[str, Dict[str, str]]:
+Index: tornado-6.3.2/tornado/test/httputil_test.py
+===================================================================
+--- tornado-6.3.2.orig/tornado/test/httputil_test.py
++++ tornado-6.3.2/tornado/test/httputil_test.py
+@@ -261,6 +261,29 @@ Foo
+         self.assertEqual(file["filename"], "ab.txt")
+         self.assertEqual(file["body"], b"Foo")
+ 
++    def test_disposition_param_linear_performance(self):
++        # This is a regression test for performance of parsing parameters
++        # to the content-disposition header, specifically for semicolons within
++        # quoted strings.
++        def f(n):
++            start = time.time()
++            message = (
++                b"--1234\r\nContent-Disposition: form-data; "
++                + b'x="'
++                + b";" * n
++                + b'"; '
++                + b'name="files"; filename="a.txt"\r\n\r\nFoo\r\n--1234--\r\n'
++            )
++            args: dict[str, list[bytes]] = {}
++            files: dict[str, list[HTTPFile]] = {}
++            parse_multipart_form_data(b"1234", message, args, files)
++            return time.time() - start
++
++        d1 = f(1_000)
++        d2 = f(10_000)
++        if d2 / d1 > 20:
++            self.fail(f"Disposition param parsing is not linear: {d1=} vs {d2=}")
++
+ 
+ class HTTPHeadersTest(unittest.TestCase):
+     def test_multi_line(self):

fix-wheel-cp.patch

@@ -1,6 +1,8 @@
---- a/setup.py
-+++ b/setup.py
-@@ -63,7 +63,7 @@
+Index: tornado-6.3.2/setup.py
+===================================================================
+--- tornado-6.3.2.orig/setup.py
++++ tornado-6.3.2/setup.py
+@@ -63,7 +63,7 @@ if wheel is not None:
              python, abi, plat = super().get_tag()
  
              if python.startswith("cp"):

ignore-resourcewarning-doctests.patch

@@ -1,8 +1,8 @@
-Index: tornado-6.0.4/tornado/util.py
+Index: tornado-6.3.2/tornado/util.py
 ===================================================================
---- tornado-6.0.4.orig/tornado/util.py	2020-03-11 11:42:49.610254636 +0100
-+++ tornado-6.0.4/tornado/util.py	2020-03-11 11:43:51.470603323 +0100
-@@ -468,5 +468,7 @@ else:
+--- tornado-6.3.2.orig/tornado/util.py
++++ tornado-6.3.2/tornado/util.py
+@@ -458,5 +458,7 @@ else:
  def doctests():
      # type: () -> unittest.TestSuite
      import doctest
@@ -10,11 +10,11 @@ Index: tornado-6.0.4/tornado/util.py
 +    warnings.simplefilter("ignore", ResourceWarning)
  
      return doctest.DocTestSuite()
-Index: tornado-6.0.4/tornado/httputil.py
+Index: tornado-6.3.2/tornado/httputil.py
 ===================================================================
---- tornado-6.0.4.orig/tornado/httputil.py	2020-03-11 11:42:49.610254636 +0100
-+++ tornado-6.0.4/tornado/httputil.py	2020-03-11 11:44:46.178911693 +0100
-@@ -1032,6 +1032,8 @@ def encode_username_password(
+--- tornado-6.3.2.orig/tornado/httputil.py
++++ tornado-6.3.2/tornado/httputil.py
+@@ -1019,6 +1019,8 @@ def encode_username_password(
  def doctests():
      # type: () -> unittest.TestSuite
      import doctest
@@ -23,11 +23,11 @@ Index: tornado-6.0.4/tornado/httputil.py
  
      return doctest.DocTestSuite()
  
-Index: tornado-6.0.4/tornado/iostream.py
+Index: tornado-6.3.2/tornado/iostream.py
 ===================================================================
---- tornado-6.0.4.orig/tornado/iostream.py	2020-03-11 11:42:49.610254636 +0100
-+++ tornado-6.0.4/tornado/iostream.py	2020-03-11 11:45:31.015164413 +0100
-@@ -1677,5 +1677,7 @@ class PipeIOStream(BaseIOStream):
+--- tornado-6.3.2.orig/tornado/iostream.py
++++ tornado-6.3.2/tornado/iostream.py
+@@ -1650,5 +1650,7 @@ class PipeIOStream(BaseIOStream):
  
  def doctests() -> Any:
      import doctest

saltbundlepy-tornado.changes

@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Wed Jan 14 10:48:49 UTC 2026 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
+
+- Refresh patch files to apply cleanly:
+
+- Modified:
+  * fix-wheel-cp.patch
+  * ignore-resourcewarning-doctests.patch
+  * CVE-2024-52804-avoid-quadratic-cookie-parsing.patch
+
+-------------------------------------------------------------------
+Tue Jan 13 12:30:16 UTC 2026 - Marek Czernek <marek.czernek@suse.com>
+
+- Add security patches:
+  * CVE-2025-67724.patch (bsc#1254903)
+  * CVE-2025-67725.patch (bsc#1254905)
+  * CVE-2025-67726.patch (bsc#1254904)
+
+-------------------------------------------------------------------
+Thu Oct  2 10:24:02 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
+
+- Remove explicit set of __brp_python_bytecompile macro in the spec
+
 -------------------------------------------------------------------
 Thu Jun  5 12:16:03 UTC 2025 - Victor Zhestkov <vzhestkov@suse.com>
 

saltbundlepy-tornado.spec

@@ -19,10 +19,6 @@
 %{?!saltbundlepy_module:%define saltbundlepy_module() saltbundlepy-%{**}}
 %define pythons saltbundlepy
 
-# Disable python bytecompile for all distros
-# It's called explicitly in the spec
-%global __brp_python_bytecompile %{nil}
-
 Name:           saltbundlepy-tornado
 Version:        6.3.2
 Release:        0
@@ -39,6 +35,13 @@ Patch0:         ignore-resourcewarning-doctests.patch
 Patch1:         CVE-2024-52804-avoid-quadratic-cookie-parsing.patch
 # PATCH-FIX-UPSTREAM CVE-2025-47287.patch bsc#1243268
 Patch2:         CVE-2025-47287.patch
+# https://src.suse.de/pool/python-tornado6/pulls/1
+# PATCH-FIX-UPSTREAM CVE-2025-67724.patch bsc#1254903
+Patch3:         CVE-2025-67724.patch
+# PATCH-FIX-UPSTREAM CVE-2025-67725.patch bsc#1254905
+Patch4:         CVE-2025-67725.patch
+# PATCH-FIX-UPSTREAM CVE-2025-67726.patch bsc#1254904
+Patch5:         CVE-2025-67726.patch
 # Salt bundle specific patch to avoid fails on building for Python 3.11
 Patch100:       fix-wheel-cp.patch
 BuildRequires:  saltbundlepy