Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69225
Backport the patch that is referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../python3-aiohttp/CVE-2025-69225.patch | 49 +++++++++++++++++++ .../python/python3-aiohttp_3.12.15.bb | 4 +- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch new file mode 100644 index 0000000000..77b39d22dc --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2025-69225.patch @@ -0,0 +1,49 @@ +From a4be27fe28e6cd833fa3045cca10404472d6878d Mon Sep 17 00:00:00 2001 +From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> +Date: Sat, 3 Jan 2026 00:39:41 +0000 +Subject: [PATCH] Reject non-ascii digits in Range header (#11903) + +**This is a backport of PR #11887 as merged into master +(7a067d1905e1eeb921a50010dd0004990dbb3bf0).** + +Co-authored-by: Sam Bull <[email protected]> + +CVE: CVE-2025-69225 +Upstream-Status: Backport [https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + aiohttp/web_request.py | 2 +- + tests/test_web_request.py | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/aiohttp/web_request.py b/aiohttp/web_request.py +index 0bc69b7..6e09027 100644 +--- a/aiohttp/web_request.py ++++ b/aiohttp/web_request.py +@@ -607,7 +607,7 @@ class BaseRequest(MutableMapping[str, Any], HeadersMixin): + if rng is not None: + try: + pattern = r"^bytes=(\d*)-(\d*)$" +- start, end = re.findall(pattern, rng)[0] ++ start, end = re.findall(pattern, rng, re.ASCII)[0] + except IndexError: # pattern was not found in header + raise ValueError("range not in acceptable format") + +diff --git a/tests/test_web_request.py b/tests/test_web_request.py +index e706e18..da80ca9 100644 +--- a/tests/test_web_request.py ++++ b/tests/test_web_request.py +@@ -243,6 +243,13 @@ def test_range_to_slice_tail_stop() -> None: + assert req.content[req.http_range] == payload[-500:] + + ++def test_range_non_ascii() -> None: ++ # ५ = DEVANAGARI DIGIT FIVE ++ req = make_mocked_request("GET", "/", headers=CIMultiDict([("RANGE", "bytes=4-५")])) ++ with pytest.raises(ValueError, match="range not in acceptable format"): ++ req.http_range ++ ++ + def test_non_keepalive_on_http10() -> None: + req = make_mocked_request("GET", "/", version=HttpVersion(1, 0)) + assert not req.keep_alive diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb index 4341e128a5..9a45eecb8c 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.12.15.bb @@ -4,7 +4,9 @@ HOMEPAGE = "https://github.com/aio-libs/aiohttp"; LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=748073912af33aa59430d3702aa32d41" -SRC_URI += "file://CVE-2025-69224.patch" +SRC_URI += "file://CVE-2025-69224.patch \ + file://CVE-2025-69225.patch \ +" SRC_URI[sha256sum] = "4fc61385e9c98d72fcdf47e6dd81833f47b2f77c114c29cd64a361be57a763a2" inherit python_setuptools_build_meta pypi
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#124137): https://lists.openembedded.org/g/openembedded-devel/message/124137 Mute This Topic: https://lists.openembedded.org/mt/117637135/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
