diff mbox series

[meta-python,whinlatter,2/7] python3-aiohttp: patch CVE-2025-69225

Message ID 20260204162924.3042284-2-skandigraun@gmail.com
State New
Headers show
Series [meta-python,whinlatter,1/7] python3-aiohttp: patch CVE-2025-69224 | expand

Commit Message

Gyorgy Sarvari Feb. 4, 2026, 4:29 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69225

Backport the patch that is referenced by the NVD report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../python3-aiohttp/CVE-2025-69225.patch      | 49 +++++++++++++++++++
 .../python/python3-aiohttp_3.12.15.bb         |  4 +-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch
diff mbox series

Patch

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch
new file mode 100644
index 0000000000..77b39d22dc
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch
@@ -0,0 +1,49 @@ 
+From a4be27fe28e6cd833fa3045cca10404472d6878d Mon Sep 17 00:00:00 2001
+From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
+Date: Sat, 3 Jan 2026 00:39:41 +0000
+Subject: [PATCH] Reject non-ascii digits in Range header (#11903)
+
+**This is a backport of PR #11887 as merged into master
+(7a067d1905e1eeb921a50010dd0004990dbb3bf0).**
+
+Co-authored-by: Sam Bull <git@sambull.org>
+
+CVE: CVE-2025-69225
+Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ aiohttp/web_request.py    | 2 +-
+ tests/test_web_request.py | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/aiohttp/web_request.py b/aiohttp/web_request.py
+index 0bc69b7..6e09027 100644
+--- a/aiohttp/web_request.py
++++ b/aiohttp/web_request.py
+@@ -607,7 +607,7 @@ class BaseRequest(MutableMapping[str, Any], HeadersMixin):
+         if rng is not None:
+             try:
+                 pattern = r"^bytes=(\d*)-(\d*)$"
+-                start, end = re.findall(pattern, rng)[0]
++                start, end = re.findall(pattern, rng, re.ASCII)[0]
+             except IndexError:  # pattern was not found in header
+                 raise ValueError("range not in acceptable format")
+ 
+diff --git a/tests/test_web_request.py b/tests/test_web_request.py
+index e706e18..da80ca9 100644
+--- a/tests/test_web_request.py
++++ b/tests/test_web_request.py
+@@ -243,6 +243,13 @@ def test_range_to_slice_tail_stop() -> None:
+     assert req.content[req.http_range] == payload[-500:]
+ 
+ 
++def test_range_non_ascii() -> None:
++    # ५ = DEVANAGARI DIGIT FIVE
++    req = make_mocked_request("GET", "/", headers=CIMultiDict([("RANGE", "bytes=4-५")]))
++    with pytest.raises(ValueError, match="range not in acceptable format"):
++        req.http_range
++
++
+ def test_non_keepalive_on_http10() -> None:
+     req = make_mocked_request("GET", "/", version=HttpVersion(1, 0))
+     assert not req.keep_alive
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
index 4341e128a5..9a45eecb8c 100644
--- a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
+++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb
@@ -4,7 +4,9 @@  HOMEPAGE = "https://github.com/aio-libs/aiohttp"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41"
 
-SRC_URI += "file://CVE-2025-69224.patch"
+SRC_URI += "file://CVE-2025-69224.patch \
+            file://CVE-2025-69225.patch \
+"
 SRC_URI[sha256sum] = "4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2"
 
 inherit python_setuptools_build_meta pypi