diff --git a/CVE-2024-52804-avoid-quadratic-cookie-parsing.patch b/CVE-2024-52804-avoid-quadratic-cookie-parsing.patch index 226f807..09b0cf1 100644 --- a/CVE-2024-52804-avoid-quadratic-cookie-parsing.patch +++ b/CVE-2024-52804-avoid-quadratic-cookie-parsing.patch @@ -21,11 +21,11 @@ Thanks to github.com/kexinoh for the report. tornado/test/httputil_test.py | 46 +++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 28 deletions(-) -diff --git a/tornado/httputil.py b/tornado/httputil.py -index 9ce992d82b..ebdc8059c1 100644 ---- a/tornado/httputil.py -+++ b/tornado/httputil.py -@@ -1057,15 +1057,20 @@ def qs_to_qsl(qs: Dict[str, List[AnyStr]]) -> Iterable[Tuple[str, AnyStr]]: +Index: tornado-6.3.2/tornado/httputil.py +=================================================================== +--- tornado-6.3.2.orig/tornado/httputil.py ++++ tornado-6.3.2/tornado/httputil.py +@@ -1055,15 +1055,20 @@ def qs_to_qsl(qs: Dict[str, List[AnyStr] yield (k, v) @@ -50,7 +50,7 @@ index 9ce992d82b..ebdc8059c1 100644 library (http.cookies._unquote) so we don't have to depend on non-public interfaces. """ -@@ -1086,30 +1091,7 @@ def _unquote_cookie(s: str) -> str: +@@ -1084,30 +1089,7 @@ def _unquote_cookie(s: str) -> str: # \012 --> \n # \" --> " # @@ -82,11 +82,11 @@ index 9ce992d82b..ebdc8059c1 100644 def parse_cookie(cookie: str) -> Dict[str, str]: -diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py -index 6d618839e0..975900aa9c 100644 ---- a/tornado/test/httputil_test.py -+++ b/tornado/test/httputil_test.py -@@ -560,3 +560,49 @@ def test_invalid_cookies(self): +Index: tornado-6.3.2/tornado/test/httputil_test.py +=================================================================== +--- tornado-6.3.2.orig/tornado/test/httputil_test.py ++++ tornado-6.3.2/tornado/test/httputil_test.py +@@ -519,3 +519,49 @@ class ParseCookieTest(unittest.TestCase) self.assertEqual( parse_cookie(" = b ; ; = ; c = ; "), {"": "b", "c": ""} ) diff --git a/CVE-2025-67724.patch b/CVE-2025-67724.patch new file mode 100644 index 0000000..2e8d5cd --- /dev/null +++ b/CVE-2025-67724.patch @@ -0,0 +1,113 @@ +From 9c163aebeaad9e6e7d28bac1f33580eb00b0e421 Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Wed, 10 Dec 2025 15:15:25 -0500 +Subject: [PATCH] web: Harden against invalid HTTP reason phrases + +We allow applications to set custom reason phrases for the HTTP status +line (to support custom status codes), but if this were exposed to +untrusted data it could be exploited in various ways. This commit +guards against invalid reason phrases in both HTTP headers and in +error pages. +--- + tornado/test/web_test.py | 15 ++++++++++++++- + tornado/web.py | 25 +++++++++++++++++++------ + 2 files changed, 33 insertions(+), 7 deletions(-) + +Index: tornado-6.3.2/tornado/test/web_test.py +=================================================================== +--- tornado-6.3.2.orig/tornado/test/web_test.py ++++ tornado-6.3.2/tornado/test/web_test.py +@@ -1666,7 +1666,7 @@ class StatusReasonTest(SimpleHandlerTest + class Handler(RequestHandler): + def get(self): + reason = self.request.arguments.get("reason", []) +- self.set_status( ++ raise HTTPError( + int(self.get_argument("code")), + reason=to_unicode(reason[0]) if reason else None, + ) +@@ -1689,6 +1689,19 @@ class StatusReasonTest(SimpleHandlerTest + self.assertEqual(response.code, 682) + self.assertEqual(response.reason, "Unknown") + ++ def test_header_injection(self): ++ response = self.fetch("/?code=200&reason=OK%0D%0AX-Injection:injected") ++ self.assertEqual(response.code, 200) ++ self.assertEqual(response.reason, "Unknown") ++ self.assertNotIn("X-Injection", response.headers) ++ ++ def test_reason_xss(self): ++ response = self.fetch("/?code=400&reason=") ++ self.assertEqual(response.code, 400) ++ self.assertEqual(response.reason, "Unknown") ++ self.assertNotIn(b"script", response.body) ++ self.assertIn(b"Unknown", response.body) ++ + + class DateHeaderTest(SimpleHandlerTestCase): + class Handler(RequestHandler): +Index: tornado-6.3.2/tornado/web.py +=================================================================== +--- tornado-6.3.2.orig/tornado/web.py ++++ tornado-6.3.2/tornado/web.py +@@ -350,8 +350,10 @@ class RequestHandler(object): + + :arg int status_code: Response status code. + :arg str reason: Human-readable reason phrase describing the status +- code. If ``None``, it will be filled in from +- `http.client.responses` or "Unknown". ++ code (for example, the "Not Found" in ``HTTP/1.1 404 Not Found``). ++ Normally determined automatically from `http.client.responses`; this ++ argument should only be used if you need to use a non-standard ++ status code. + + .. versionchanged:: 5.0 + +@@ -360,6 +362,14 @@ class RequestHandler(object): + """ + self._status_code = status_code + if reason is not None: ++ if "<" in reason or not httputil._ABNF.reason_phrase.fullmatch(reason): ++ # Logically this would be better as an exception, but this method ++ # is called on error-handling paths that would need some refactoring ++ # to tolerate internal errors cleanly. ++ # ++ # The check for "<" is a defense-in-depth against XSS attacks (we also ++ # escape the reason when rendering error pages). ++ reason = "Unknown" + self._reason = escape.native_str(reason) + else: + self._reason = httputil.responses.get(status_code, "Unknown") +@@ -1291,7 +1301,8 @@ class RequestHandler(object): + reason = exception.reason + self.set_status(status_code, reason=reason) + try: +- self.write_error(status_code, **kwargs) ++ if status_code != 304: ++ self.write_error(status_code, **kwargs) + except Exception: + app_log.error("Uncaught exception in write_error", exc_info=True) + if not self._finished: +@@ -1319,7 +1330,7 @@ class RequestHandler(object): + self.finish( + "%(code)d: %(message)s" + "%(code)d: %(message)s" +- % {"code": status_code, "message": self._reason} ++ % {"code": status_code, "message": escape.xhtml_escape(self._reason)} + ) + + @property +@@ -2465,9 +2476,11 @@ class HTTPError(Exception): + mode). May contain ``%s``-style placeholders, which will be filled + in with remaining positional parameters. + :arg str reason: Keyword-only argument. The HTTP "reason" phrase +- to pass in the status line along with ``status_code``. Normally ++ to pass in the status line along with ``status_code`` (for example, ++ the "Not Found" in ``HTTP/1.1 404 Not Found``). Normally + determined automatically from ``status_code``, but can be used +- to use a non-standard numeric code. ++ to use a non-standard numeric code. This is not a general-purpose ++ error message. + """ + + def __init__( diff --git a/CVE-2025-67725.patch b/CVE-2025-67725.patch new file mode 100644 index 0000000..3f423af --- /dev/null +++ b/CVE-2025-67725.patch @@ -0,0 +1,124 @@ +From 68e81b4a3385161877408a7a49c7ed12b45a614d Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Tue, 9 Dec 2025 13:27:27 -0500 +Subject: [PATCH] httputil: Fix quadratic performance of repeated header lines + +Previouisly, when many header lines with the same name were found +in an HTTP request or response, repeated string concatenation would +result in quadratic performance. This change does the concatenation +lazily (with a cache) so that repeated headers can be processed +efficiently. + +Security: The previous behavior allowed a denial of service attack +via a maliciously crafted HTTP message, but only if the +max_header_size was increased from its default of 64kB. +--- + tornado/httputil.py | 36 ++++++++++++++++++++++++----------- + tornado/test/httputil_test.py | 15 +++++++++++++++ + 2 files changed, 40 insertions(+), 11 deletions(-) + +Index: tornado-6.3.2/tornado/httputil.py +=================================================================== +--- tornado-6.3.2.orig/tornado/httputil.py ++++ tornado-6.3.2/tornado/httputil.py +@@ -118,8 +118,14 @@ class HTTPHeaders(collections.abc.Mutabl + pass + + def __init__(self, *args: typing.Any, **kwargs: str) -> None: # noqa: F811 +- self._dict = {} # type: typing.Dict[str, str] +- self._as_list = {} # type: typing.Dict[str, typing.List[str]] ++ # Formally, HTTP headers are a mapping from a field name to a "combined field value", ++ # which may be constructed from multiple field lines by joining them with commas. ++ # In practice, however, some headers (notably Set-Cookie) do not follow this convention, ++ # so we maintain a mapping from field name to a list of field lines in self._as_list. ++ # self._combined_cache is a cache of the combined field values derived from self._as_list ++ # on demand (and cleared whenever the list is modified). ++ self._as_list: dict[str, list[str]] = {} ++ self._combined_cache: dict[str, str] = {} + self._last_key = None # type: Optional[str] + if len(args) == 1 and len(kwargs) == 0 and isinstance(args[0], HTTPHeaders): + # Copy constructor +@@ -136,9 +142,7 @@ class HTTPHeaders(collections.abc.Mutabl + norm_name = _normalize_header(name) + self._last_key = norm_name + if norm_name in self: +- self._dict[norm_name] = ( +- native_str(self[norm_name]) + "," + native_str(value) +- ) ++ self._combined_cache.pop(norm_name, None) + self._as_list[norm_name].append(value) + else: + self[norm_name] = value +@@ -172,7 +176,7 @@ class HTTPHeaders(collections.abc.Mutabl + raise HTTPInputError("first header line cannot start with whitespace") + new_part = " " + line.lstrip() + self._as_list[self._last_key][-1] += new_part +- self._dict[self._last_key] += new_part ++ self._combined_cache.pop(self._last_key, None) + else: + try: + name, value = line.split(":", 1) +@@ -208,22 +212,32 @@ class HTTPHeaders(collections.abc.Mutabl + + def __setitem__(self, name: str, value: str) -> None: + norm_name = _normalize_header(name) +- self._dict[norm_name] = value ++ self._combined_cache[norm_name] = value + self._as_list[norm_name] = [value] + ++ def __contains__(self, name: object) -> bool: ++ # This is an important optimization to avoid the expensive concatenation ++ # in __getitem__ when it's not needed. ++ if not isinstance(name, str): ++ return False ++ return name in self._as_list ++ + def __getitem__(self, name: str) -> str: +- return self._dict[_normalize_header(name)] ++ header = _normalize_header(name) ++ if header not in self._combined_cache: ++ self._combined_cache[header] = ",".join(self._as_list[header]) ++ return self._combined_cache[header] + + def __delitem__(self, name: str) -> None: + norm_name = _normalize_header(name) +- del self._dict[norm_name] ++ del self._combined_cache[norm_name] + del self._as_list[norm_name] + + def __len__(self) -> int: +- return len(self._dict) ++ return len(self._as_list) + + def __iter__(self) -> Iterator[typing.Any]: +- return iter(self._dict) ++ return iter(self._as_list) + + def copy(self) -> "HTTPHeaders": + # defined in dict but not in MutableMapping. +Index: tornado-6.3.2/tornado/test/httputil_test.py +=================================================================== +--- tornado-6.3.2.orig/tornado/test/httputil_test.py ++++ tornado-6.3.2/tornado/test/httputil_test.py +@@ -451,6 +451,21 @@ class ParseRequestStartLineTest(unittest + self.assertEqual(parsed_start_line.path, self.PATH) + self.assertEqual(parsed_start_line.version, self.VERSION) + ++ def test_linear_performance(self): ++ def f(n): ++ start = time.time() ++ headers = HTTPHeaders() ++ for i in range(n): ++ headers.add("X-Foo", "bar") ++ return time.time() - start ++ ++ # This runs under 50ms on my laptop as of 2025-12-09. ++ d1 = f(10_000) ++ d2 = f(100_000) ++ if d2 / d1 > 20: ++ # d2 should be about 10x d1 but allow a wide margin for variability. ++ self.fail(f"HTTPHeaders.add() does not scale linearly: {d1=} vs {d2=}") ++ + + class ParseCookieTest(unittest.TestCase): + # These tests copied from Django: diff --git a/CVE-2025-67726.patch b/CVE-2025-67726.patch new file mode 100644 index 0000000..aff4540 --- /dev/null +++ b/CVE-2025-67726.patch @@ -0,0 +1,94 @@ +From 771472cfdaeebc0d89a9cc46e249f8891a6b29cd Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Wed, 10 Dec 2025 10:55:02 -0500 +Subject: [PATCH] httputil: Fix quadratic behavior in _parseparam + +Prior to this change, _parseparam had O(n^2) behavior when parsing +certain inputs, which could be a DoS vector. This change adapts +logic from the equivalent function in the python standard library +in https://github.com/python/cpython/pull/136072/files +--- + tornado/httputil.py | 29 ++++++++++++++++++++++------- + tornado/test/httputil_test.py | 23 +++++++++++++++++++++++ + 2 files changed, 45 insertions(+), 7 deletions(-) + +Index: tornado-6.3.2/tornado/httputil.py +=================================================================== +--- tornado-6.3.2.orig/tornado/httputil.py ++++ tornado-6.3.2/tornado/httputil.py +@@ -936,19 +936,34 @@ def parse_response_start_line(line: str) + # It has also been modified to support valueless parameters as seen in + # websocket extension negotiations, and to support non-ascii values in + # RFC 2231/5987 format. ++# ++# _parseparam has been further modified with the logic from ++# https://github.com/python/cpython/pull/136072/files ++# to avoid quadratic behavior when parsing semicolons in quoted strings. ++# ++# TODO: See if we can switch to email.message.Message for this functionality. ++# This is the suggested replacement for the cgi.py module now that cgi has ++# been removed from recent versions of Python. We need to verify that ++# the email module is consistent with our existing behavior (and all relevant ++# RFCs for multipart/form-data) before making this change. + + + def _parseparam(s: str) -> Generator[str, None, None]: +- while s[:1] == ";": +- s = s[1:] +- end = s.find(";") +- while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2: +- end = s.find(";", end + 1) ++ start = 0 ++ while s.find(";", start) == start: ++ start += 1 ++ end = s.find(";", start) ++ ind, diff = start, 0 ++ while end > 0: ++ diff += s.count('"', ind, end) - s.count('\\"', ind, end) ++ if diff % 2 == 0: ++ break ++ end, ind = ind, s.find(";", end + 1) + if end < 0: + end = len(s) +- f = s[:end] ++ f = s[start:end] + yield f.strip() +- s = s[end:] ++ start = end + + + def _parse_header(line: str) -> Tuple[str, Dict[str, str]]: +Index: tornado-6.3.2/tornado/test/httputil_test.py +=================================================================== +--- tornado-6.3.2.orig/tornado/test/httputil_test.py ++++ tornado-6.3.2/tornado/test/httputil_test.py +@@ -261,6 +261,29 @@ Foo + self.assertEqual(file["filename"], "ab.txt") + self.assertEqual(file["body"], b"Foo") + ++ def test_disposition_param_linear_performance(self): ++ # This is a regression test for performance of parsing parameters ++ # to the content-disposition header, specifically for semicolons within ++ # quoted strings. ++ def f(n): ++ start = time.time() ++ message = ( ++ b"--1234\r\nContent-Disposition: form-data; " ++ + b'x="' ++ + b";" * n ++ + b'"; ' ++ + b'name="files"; filename="a.txt"\r\n\r\nFoo\r\n--1234--\r\n' ++ ) ++ args: dict[str, list[bytes]] = {} ++ files: dict[str, list[HTTPFile]] = {} ++ parse_multipart_form_data(b"1234", message, args, files) ++ return time.time() - start ++ ++ d1 = f(1_000) ++ d2 = f(10_000) ++ if d2 / d1 > 20: ++ self.fail(f"Disposition param parsing is not linear: {d1=} vs {d2=}") ++ + + class HTTPHeadersTest(unittest.TestCase): + def test_multi_line(self): diff --git a/fix-wheel-cp.patch b/fix-wheel-cp.patch index ead21e5..817e37c 100644 --- a/fix-wheel-cp.patch +++ b/fix-wheel-cp.patch @@ -1,6 +1,8 @@ ---- a/setup.py -+++ b/setup.py -@@ -63,7 +63,7 @@ +Index: tornado-6.3.2/setup.py +=================================================================== +--- tornado-6.3.2.orig/setup.py ++++ tornado-6.3.2/setup.py +@@ -63,7 +63,7 @@ if wheel is not None: python, abi, plat = super().get_tag() if python.startswith("cp"): diff --git a/ignore-resourcewarning-doctests.patch b/ignore-resourcewarning-doctests.patch index d25be7b..5a6f2f7 100644 --- a/ignore-resourcewarning-doctests.patch +++ b/ignore-resourcewarning-doctests.patch @@ -1,8 +1,8 @@ -Index: tornado-6.0.4/tornado/util.py +Index: tornado-6.3.2/tornado/util.py =================================================================== ---- tornado-6.0.4.orig/tornado/util.py 2020-03-11 11:42:49.610254636 +0100 -+++ tornado-6.0.4/tornado/util.py 2020-03-11 11:43:51.470603323 +0100 -@@ -468,5 +468,7 @@ else: +--- tornado-6.3.2.orig/tornado/util.py ++++ tornado-6.3.2/tornado/util.py +@@ -458,5 +458,7 @@ else: def doctests(): # type: () -> unittest.TestSuite import doctest @@ -10,11 +10,11 @@ Index: tornado-6.0.4/tornado/util.py + warnings.simplefilter("ignore", ResourceWarning) return doctest.DocTestSuite() -Index: tornado-6.0.4/tornado/httputil.py +Index: tornado-6.3.2/tornado/httputil.py =================================================================== ---- tornado-6.0.4.orig/tornado/httputil.py 2020-03-11 11:42:49.610254636 +0100 -+++ tornado-6.0.4/tornado/httputil.py 2020-03-11 11:44:46.178911693 +0100 -@@ -1032,6 +1032,8 @@ def encode_username_password( +--- tornado-6.3.2.orig/tornado/httputil.py ++++ tornado-6.3.2/tornado/httputil.py +@@ -1019,6 +1019,8 @@ def encode_username_password( def doctests(): # type: () -> unittest.TestSuite import doctest @@ -23,11 +23,11 @@ Index: tornado-6.0.4/tornado/httputil.py return doctest.DocTestSuite() -Index: tornado-6.0.4/tornado/iostream.py +Index: tornado-6.3.2/tornado/iostream.py =================================================================== ---- tornado-6.0.4.orig/tornado/iostream.py 2020-03-11 11:42:49.610254636 +0100 -+++ tornado-6.0.4/tornado/iostream.py 2020-03-11 11:45:31.015164413 +0100 -@@ -1677,5 +1677,7 @@ class PipeIOStream(BaseIOStream): +--- tornado-6.3.2.orig/tornado/iostream.py ++++ tornado-6.3.2/tornado/iostream.py +@@ -1650,5 +1650,7 @@ class PipeIOStream(BaseIOStream): def doctests() -> Any: import doctest diff --git a/saltbundlepy-tornado.changes b/saltbundlepy-tornado.changes index 6a9e342..8bb6a39 100644 --- a/saltbundlepy-tornado.changes +++ b/saltbundlepy-tornado.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Wed Jan 14 10:48:49 UTC 2026 - Pablo Suárez Hernández + +- Refresh patch files to apply cleanly: + +- Modified: + * fix-wheel-cp.patch + * ignore-resourcewarning-doctests.patch + * CVE-2024-52804-avoid-quadratic-cookie-parsing.patch + +------------------------------------------------------------------- +Tue Jan 13 12:30:16 UTC 2026 - Marek Czernek + +- Add security patches: + * CVE-2025-67724.patch (bsc#1254903) + * CVE-2025-67725.patch (bsc#1254905) + * CVE-2025-67726.patch (bsc#1254904) + ------------------------------------------------------------------- Thu Oct 2 10:24:02 UTC 2025 - Victor Zhestkov diff --git a/saltbundlepy-tornado.spec b/saltbundlepy-tornado.spec index bdd388f..ea80e8c 100644 --- a/saltbundlepy-tornado.spec +++ b/saltbundlepy-tornado.spec @@ -35,6 +35,13 @@ Patch0: ignore-resourcewarning-doctests.patch Patch1: CVE-2024-52804-avoid-quadratic-cookie-parsing.patch # PATCH-FIX-UPSTREAM CVE-2025-47287.patch bsc#1243268 Patch2: CVE-2025-47287.patch +# https://src.suse.de/pool/python-tornado6/pulls/1 +# PATCH-FIX-UPSTREAM CVE-2025-67724.patch bsc#1254903 +Patch3: CVE-2025-67724.patch +# PATCH-FIX-UPSTREAM CVE-2025-67725.patch bsc#1254905 +Patch4: CVE-2025-67725.patch +# PATCH-FIX-UPSTREAM CVE-2025-67726.patch bsc#1254904 +Patch5: CVE-2025-67726.patch # Salt bundle specific patch to avoid fails on building for Python 3.11 Patch100: fix-wheel-cp.patch BuildRequires: saltbundlepy