From c7e8cb17df87c3cb12731cc3387dd47e08aa6107 Mon Sep 17 00:00:00 2001
From: hdliu
Date: Thu, 23 Oct 2025 15:38:03 +0800
Subject: [PATCH 1/2] Fix-CVE-2025-62611
Signed-off-by: hdliu
---
0001-Fix-CVE-2025-62611.patch | 107 ++++++++++++++++++++++++++++++++++
python-aiomysql.spec | 7 ++-
2 files changed, 113 insertions(+), 1 deletion(-)
create mode 100644 0001-Fix-CVE-2025-62611.patch
diff --git a/0001-Fix-CVE-2025-62611.patch b/0001-Fix-CVE-2025-62611.patch
new file mode 100644
index 0000000..3962642
--- /dev/null
+++ b/0001-Fix-CVE-2025-62611.patch
@@ -0,0 +1,107 @@ +From d2b801d4d1a3228f6acca59495c709ecb889f643 Mon Sep 17 00:00:00 2001 +From: hdliu +Date: Thu, 23 Oct 2025 15:17:48 +0800 +Subject: [PATCH] Fix arbitrary file access vulnerability when connecting to + malicious servers + +Signed-off-by: hdliu +--- + CHANGES.txt | 5 +++++ + aiomysql/connection.py | 7 ++++++- + tests/test_load_local.py | 34 ++++++++++++++++++++++++++++++++++ + 3 files changed, 45 insertions(+), 1 deletion(-) + +diff --git a/CHANGES.txt b/CHANGES.txt +index d0f6b60..284f1c0 100644 +--- a/CHANGES.txt ++++ b/CHANGES.txt +@@ -1,6 +1,11 @@ + Changes + ------- + ++* | Properly check whether loading of local files is enabled #1044 ++ | Loading local data now requires using the `local_infile` parameter, passing just the client flag through `client_flag` is no longer supported. ++ | Fixes `GHSA-r397-ff8c-wv2g `_ ++ | Thanks to @KonstantAnxiety for reporting this. ++ + 0.0.21 (2020-11-26) + ^^^^^^^^^^^^^^^^^^^ + +diff --git a/aiomysql/connection.py b/aiomysql/connection.py +index 8bf5cbf..fc81394 100644 +--- a/aiomysql/connection.py ++++ b/aiomysql/connection.py +@@ -205,7 +205,8 @@ class Connection: + + self._encoding = charset_by_name(self._charset).encoding + +- if local_infile: ++ self._local_infile = bool(local_infile) ++ if self._local_infile: + client_flag |= CLIENT.LOCAL_FILES + + client_flag |= CLIENT.CAPABILITIES +@@ -1145,6 +1146,10 @@ class MySQLResult: + self.has_next = ok_packet.has_next + + async def _read_load_local_packet(self, first_packet): ++ if not self.connection._local_infile: ++ raise RuntimeError( ++ "**WARN**: Received LOAD_LOCAL packet but local_infile option is false." 
++ ) + load_packet = LoadLocalPacketWrapper(first_packet) + sender = LoadLocalFile(load_packet.filename, self.connection) + try: +diff --git a/tests/test_load_local.py b/tests/test_load_local.py +index aa3b45c..65878f0 100644 +--- a/tests/test_load_local.py ++++ b/tests/test_load_local.py +@@ -2,7 +2,9 @@ import builtins + import os + from unittest.mock import patch, MagicMock + ++import aiomysql + import pytest ++from pymysql.constants import CLIENT + from pymysql.err import OperationalError + + +@@ -81,3 +83,35 @@ async def test_load_warnings(cursor, table_local_file): + with warnings.catch_warnings(record=True) as w: + await cursor.execute(sql) + assert "Incorrect integer value" in str(w[-1].message) ++ ++ ++ ++ ++@pytest.mark.run_loop ++async def test_load_local_disabled(mysql_params, table_local_file): ++ # By setting the client flag, the server will be informed that we support ++ # loading local files. This validates that the client side check catches ++ # the server attempting to read files from us without having this ++ # explicitly enabled on the connection. The local_infile parameter sets ++ # the client flag, but not the other way round. ++ params = mysql_params.copy() ++ params["local_infile"] = False ++ if "client_flag" in params: ++ params["client_flag"] |= CLIENT.LOCAL_FILES ++ else: ++ params["client_flag"] = CLIENT.LOCAL_FILES ++ ++ async with aiomysql.connect(**params) as conn: ++ async with conn.cursor() as cursor: ++ # Test load local infile with a valid file ++ filename = os.path.join(os.path.dirname(os.path.realpath(__file__)), ++ 'fixtures', ++ 'load_local_data.txt') ++ with pytest.raises( ++ RuntimeError, ++ match="Received LOAD_LOCAL packet but local_infile option is false", ++ ): ++ await cursor.execute( ++ ("LOAD DATA LOCAL INFILE '{0}' INTO TABLE " + ++ "test_load_local FIELDS TERMINATED BY ','").format(filename) ++ ) +-- +2.33.0 + diff --git a/python-aiomysql.spec b/python-aiomysql.spec index 136997a..fd1ae0f 100644 
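Review bot: The guard added to `_read_load_local_packet` raises while the server is still waiting for the file data it just requested, so the connection is left mid-protocol; the hunk does not show whether any caller closes it, and reusing it for another query would presumably desync the packet stream. A short comment above the `raise` would make that contract explicit, e.g. `# Server asked for a local file we never offered (CVE-2025-62611); refuse before any filename is read. The connection is now out of sync and should be closed, not reused.` The new `test_load_local_disabled` only asserts the exception; since the test module already imports `builtins` and `patch`, it could also wrap the execute in `with patch.object(builtins, "open") as mocked_open:` and finish with `mocked_open.assert_not_called()` to prove the check fires before `LoadLocalFile` touches the filesystem. Both `Connection.__init__` and `_read_load_local_packet` continue outside the hunk.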
--- a/python-aiomysql.spec +++ b/python-aiomysql.spec @@ -1,11 +1,13 @@ %global _empty_manifest_terminate_build 0 Name: python-aiomysql Version: 0.0.21 -Release: 1 +Release: 2 Summary: MySQL driver for asyncio. License: MIT URL: https://github.com/aio-libs/aiomysql Source0: https://files.pythonhosted.org/packages/a9/7f/d5a409cc0bb8349d6475ee4ea42ac2a5664646fe8a85e81ce3d91f63c474/aiomysql-0.0.21.tar.gz +Patch0001: 0001-Fix-CVE-2025-62611.patch + BuildArch: noarch Requires: python3-PyMySQL @@ -78,6 +80,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Oct Thu 23 2025 hdliu - 0.0.21-2 +- Fix-CVE-2025-62611 + * Thu Jul 22 2021 Xu Jin - 0.0.21-1 - Update package to 0.0.21 -- Gitee From 0b91b3a71a1aa87c520ce48100e7a0d79c12ada0 Mon Sep 17 00:00:00 2001 From: hdliu Date: Thu, 23 Oct 2025 16:32:01 +0800 Subject: [PATCH 2/2] Fix-CVE-2025-62611 Signed-off-by: hdliu --- python-aiomysql.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-aiomysql.spec b/python-aiomysql.spec index fd1ae0f..2b206d3 100644 --- a/python-aiomysql.spec +++ b/python-aiomysql.spec @@ -80,7 +80,7 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog -* Oct Thu 23 2025 hdliu - 0.0.21-2 +* Thu Oct 23 2025 hdliu - 0.0.21-2 - Fix-CVE-2025-62611 * Thu Jul 22 2021 Xu Jin - 0.0.21-1 -- Gitee
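Review bot: `Patch0001: 0001-Fix-CVE-2025-62611.patch` is declared, but no hunk in this series touches `%prep`, which lies outside the diff; if that section uses `%setup` rather than `%autosetup -p1` or an explicit `%patch` directive, the patch is listed yet never applied and the rebuilt package still ships the vulnerable code. Worth confirming from the build log that the patch is applied before the release bump goes out. The changelog entry `- Fix-CVE-2025-62611` only repeats the subject; a line such as `- Fix CVE-2025-62611: reject server-initiated LOAD DATA LOCAL when local_infile is disabled` tells a reader what actually changed.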