From a381cf89971fe3f3851adb2a185744bcf94235a2 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Mon, 15 Dec 2025 15:56:44 +0800 Subject: [PATCH] Fix CVE-2025-67724, CVE-2025-67725 and CVE-2025-67726 (cherry picked from commit 25dbbbbe17b0e8a834e90bd06e2c820d93e15907) --- CVE-2025-67724.patch | 115 ++++++++++++++++++++++++++++ CVE-2025-67725_CVE-2025-67726.patch | 96 +++++++++++++++++++++++ python-tornado.spec | 7 +- 3 files changed, 217 insertions(+), 1 deletion(-) create mode 100644 CVE-2025-67724.patch create mode 100644 CVE-2025-67725_CVE-2025-67726.patch diff --git a/CVE-2025-67724.patch b/CVE-2025-67724.patch new file mode 100644 index 0000000..8a3139b --- /dev/null +++ b/CVE-2025-67724.patch @@ -0,0 +1,115 @@ +From 9c163aebeaad9e6e7d28bac1f33580eb00b0e421 Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Wed, 10 Dec 2025 15:15:25 -0500 +Subject: [PATCH] web: Harden against invalid HTTP reason phrases + +We allow applications to set custom reason phrases for the HTTP status +line (to support custom status codes), but if this were exposed to +untrusted data it could be exploited in various ways. This commit +guards against invalid reason phrases in both HTTP headers and in +error pages. + +Origin: https://github.com/tornadoweb/tornado/commit/9c163aebeaad9e6e7d28bac1f33580eb00b0e421 +--- + tornado/test/web_test.py | 15 ++++++++++++++- + tornado/web.py | 25 +++++++++++++++++++------ + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py +index a514e2a4ca..d609473d7c 100644 +--- a/tornado/test/web_test.py ++++ b/tornado/test/web_test.py +@@ -1746,7 +1746,7 @@ class StatusReasonTest(SimpleHandlerTestCase): + class Handler(RequestHandler): + def get(self): + reason = self.request.arguments.get("reason", []) +- self.set_status( ++ raise HTTPError( + int(self.get_argument("code")), + reason=to_unicode(reason[0]) if reason else None, + ) +@@ -1769,6 +1769,19 @@ def test_status(self): + self.assertEqual(response.code, 682) + self.assertEqual(response.reason, "Unknown") + ++ def test_header_injection(self): ++ response = self.fetch("/?code=200&reason=OK%0D%0AX-Injection:injected") ++ self.assertEqual(response.code, 200) ++ self.assertEqual(response.reason, "Unknown") ++ self.assertNotIn("X-Injection", response.headers) ++ ++ def test_reason_xss(self): ++ response = self.fetch("/?code=400&reason=") ++ self.assertEqual(response.code, 400) ++ self.assertEqual(response.reason, "Unknown") ++ self.assertNotIn(b"script", response.body) ++ self.assertIn(b"Unknown", response.body) ++ + + class DateHeaderTest(SimpleHandlerTestCase): + class Handler(RequestHandler): +diff --git a/tornado/web.py b/tornado/web.py +index 2f702d6480..2351afdbe2 100644 +--- a/tornado/web.py ++++ b/tornado/web.py +@@ -359,8 +359,10 @@ def set_status(self, status_code: int, reason: Optional[str] = None) -> None: + + :arg int status_code: Response status code. + :arg str reason: Human-readable reason phrase describing the status +- code. If ``None``, it will be filled in from +- `http.client.responses` or "Unknown". ++ code (for example, the "Not Found" in ``HTTP/1.1 404 Not Found``). ++ Normally determined automatically from `http.client.responses`; this ++ argument should only be used if you need to use a non-standard ++ status code. + + .. versionchanged:: 5.0 + +@@ -369,6 +371,14 @@ def set_status(self, status_code: int, reason: Optional[str] = None) -> None: + """ + self._status_code = status_code + if reason is not None: ++ if "<" in reason or not httputil._ABNF.reason_phrase.fullmatch(reason): ++ # Logically this would be better as an exception, but this method ++ # is called on error-handling paths that would need some refactoring ++ # to tolerate internal errors cleanly. ++ # ++ # The check for "<" is a defense-in-depth against XSS attacks (we also ++ # escape the reason when rendering error pages). ++ reason = "Unknown" + self._reason = escape.native_str(reason) + else: + self._reason = httputil.responses.get(status_code, "Unknown") +@@ -1345,7 +1355,8 @@ def send_error(self, status_code: int = 500, **kwargs: Any) -> None: + reason = exception.reason + self.set_status(status_code, reason=reason) + try: +- self.write_error(status_code, **kwargs) ++ if status_code != 304: ++ self.write_error(status_code, **kwargs) + except Exception: + app_log.error("Uncaught exception in write_error", exc_info=True) + if not self._finished: +@@ -1373,7 +1384,7 @@ def write_error(self, status_code: int, **kwargs: Any) -> None: + self.finish( + "%(code)d: %(message)s" + "%(code)d: %(message)s" +- % {"code": status_code, "message": self._reason} ++ % {"code": status_code, "message": escape.xhtml_escape(self._reason)} + ) + + @property +@@ -2520,9 +2531,11 @@ class HTTPError(Exception): + mode). May contain ``%s``-style placeholders, which will be filled + in with remaining positional parameters. + :arg str reason: Keyword-only argument. The HTTP "reason" phrase +- to pass in the status line along with ``status_code``. Normally ++ to pass in the status line along with ``status_code`` (for example, ++ the "Not Found" in ``HTTP/1.1 404 Not Found``). Normally + determined automatically from ``status_code``, but can be used +- to use a non-standard numeric code. ++ to use a non-standard numeric code. This is not a general-purpose ++ error message. + """ + + def __init__( diff --git a/CVE-2025-67725_CVE-2025-67726.patch b/CVE-2025-67725_CVE-2025-67726.patch new file mode 100644 index 0000000..158a17f --- /dev/null +++ b/CVE-2025-67725_CVE-2025-67726.patch @@ -0,0 +1,96 @@ +From 771472cfdaeebc0d89a9cc46e249f8891a6b29cd Mon Sep 17 00:00:00 2001 +From: Ben Darnell +Date: Wed, 10 Dec 2025 10:55:02 -0500 +Subject: [PATCH] httputil: Fix quadratic behavior in _parseparam + +Prior to this change, _parseparam had O(n^2) behavior when parsing +certain inputs, which could be a DoS vector. This change adapts +logic from the equivalent function in the python standard library +in https://github.com/python/cpython/pull/136072/files + +Origin: https://github.com/tornadoweb/tornado/commit/771472cfdaeebc0d89a9cc46e249f8891a6b29cd +--- + tornado/httputil.py | 29 ++++++++++++++++++++++------- + tornado/test/httputil_test.py | 23 +++++++++++++++++++++++ + 2 files changed, 45 insertions(+), 7 deletions(-) + +diff --git a/tornado/httputil.py b/tornado/httputil.py +index 1c48db414..7fa30975d 100644 +--- a/tornado/httputil.py ++++ b/tornado/httputil.py +@@ -1094,19 +1094,34 @@ def parse_response_start_line(line: str) -> ResponseStartLine: + # It has also been modified to support valueless parameters as seen in + # websocket extension negotiations, and to support non-ascii values in + # RFC 2231/5987 format. ++# ++# _parseparam has been further modified with the logic from ++# https://github.com/python/cpython/pull/136072/files ++# to avoid quadratic behavior when parsing semicolons in quoted strings. ++# ++# TODO: See if we can switch to email.message.Message for this functionality. ++# This is the suggested replacement for the cgi.py module now that cgi has ++# been removed from recent versions of Python. We need to verify that ++# the email module is consistent with our existing behavior (and all relevant ++# RFCs for multipart/form-data) before making this change. + + + def _parseparam(s: str) -> Generator[str, None, None]: +- while s[:1] == ";": +- s = s[1:] +- end = s.find(";") +- while end > 0 and (s.count('"', 0, end) - s.count('\\"', 0, end)) % 2: +- end = s.find(";", end + 1) ++ start = 0 ++ while s.find(";", start) == start: ++ start += 1 ++ end = s.find(";", start) ++ ind, diff = start, 0 ++ while end > 0: ++ diff += s.count('"', ind, end) - s.count('\\"', ind, end) ++ if diff % 2 == 0: ++ break ++ end, ind = ind, s.find(";", end + 1) + if end < 0: + end = len(s) +- f = s[:end] ++ f = s[start:end] + yield f.strip() +- s = s[end:] ++ start = end + + + def _parse_header(line: str) -> Tuple[str, Dict[str, str]]: +diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py +index dbe072f10..70ccbe1d0 100644 +--- a/tornado/test/httputil_test.py ++++ b/tornado/test/httputil_test.py +@@ -279,6 +279,29 @@ def test_data_after_final_boundary(self): + self.assertEqual(file["filename"], "ab.txt") + self.assertEqual(file["body"], b"Foo") + ++ def test_disposition_param_linear_performance(self): ++ # This is a regression test for performance of parsing parameters ++ # to the content-disposition header, specifically for semicolons within ++ # quoted strings. ++ def f(n): ++ start = time.time() ++ message = ( ++ b"--1234\r\nContent-Disposition: form-data; " ++ + b'x="' ++ + b";" * n ++ + b'"; ' ++ + b'name="files"; filename="a.txt"\r\n\r\nFoo\r\n--1234--\r\n' ++ ) ++ args: dict[str, list[bytes]] = {} ++ files: dict[str, list[HTTPFile]] = {} ++ parse_multipart_form_data(b"1234", message, args, files) ++ return time.time() - start ++ ++ d1 = f(1_000) ++ d2 = f(10_000) ++ if d2 / d1 > 20: ++ self.fail(f"Disposition param parsing is not linear: {d1=} vs {d2=}") ++ + + class HTTPHeadersTest(unittest.TestCase): + def test_multi_line(self): diff --git a/python-tornado.spec b/python-tornado.spec index c7041b9..fbcdc92 100644 --- a/python-tornado.spec +++ b/python-tornado.spec @@ -1,11 +1,13 @@ %global _empty_manifest_terminate_build 0 Name: python-tornado Version: 6.5 -Release: 1 +Release: 2 Summary: Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. License: Apache-2.0 URL: http://www.tornadoweb.org/ Source0: https://files.pythonhosted.org/packages/source/t/tornado/tornado-%{version}.tar.gz +Patch0: CVE-2025-67724.patch +Patch1: CVE-2025-67725_CVE-2025-67726.patch %description Tornado is an open source version of the scalable, non-blocking web server and tools. @@ -72,6 +74,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Mon Dec 15 2025 yaoxin <1024769339@qq.com> - 6.5-2 +- Fix CVE-2025-67724, CVE-2025-67725 and CVE-2025-67726 + * Tue May 20 2025 lijunhen - 6.5-1 - Update to 6.5 for fix CVE-2025-47287 -- Gitee