2 files changed, 66 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
new file mode 100644
index 0000000000..dadec31f3a
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
@@ -0,0 +1,65 @@
+From e19cb50fb529bbe75cc4f1b68eeb0a3f631ad0d0 Mon Sep 17 00:00:00 2001
+From: "J. Nick Koston" <nick@koston.org>
+Date: Thu, 8 Aug 2024 11:19:28 -0500
+Subject: [PATCH] Do not follow symlinks for compressed file variants (#8652)
+CVE: CVE-2024-42367
+Upstream-Status: Backport
+[https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f]
+Co-authored-by: Steve Repsher <steverep@users.noreply.github.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ CHANGES/8652.bugfix.rst     |  1 +
+ aiohttp/web_fileresponse.py | 26 ++++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+ create mode 100644 CHANGES/8652.bugfix.rst
+diff --git a/CHANGES/8652.bugfix.rst b/CHANGES/8652.bugfix.rst
+new file mode 100644
+index 000000000..3a1003e50
+--- /dev/null
+++ b/CHANGES/8652.bugfix.rst
+@@ -0,0 +1 @@
+Fixed incorrectly following symlinks for compressed file variants -- by :user:`steverep`.
+diff --git a/aiohttp/web_fileresponse.py b/aiohttp/web_fileresponse.py
+index f41ed3fd0..35dbd41e1 100644
+--- a/aiohttp/web_fileresponse.py
+++ b/aiohttp/web_fileresponse.py
+@@ -127,6 +127,32 @@ class FileResponse(StreamResponse):
+         self.content_length = 0
+         return await super().prepare(request)
+ 
+    def _get_file_path_stat_encoding(
+        self, accept_encoding: str
+    ) -> Tuple[pathlib.Path, os.stat_result, Optional[str]]:
+        """Return the file path, stat result, and encoding.
+
+        If an uncompressed file is returned, the encoding is set to
+        :py:data:`None`.
+
+        This method should be called from a thread executor
+        since it calls os.stat which may block.
+        """
+        file_path = self._path
+        for file_extension, file_encoding in ENCODING_EXTENSIONS.items():
+            if file_encoding not in accept_encoding:
+                continue
+
+            compressed_path = file_path.with_suffix(file_path.suffix + file_extension)
+            with suppress(OSError):
+                # Do not follow symlinks and ignore any non-regular files.
+                st = compressed_path.lstat()
+                if S_ISREG(st.st_mode):
+                    return compressed_path, st, file_encoding
+
+        # Fallback to the uncompressed file
+        return file_path, file_path.stat(), None
+
+     async def prepare(self, request: "BaseRequest") -> Optional[AbstractStreamWriter]:
+         filepath = self._path
+ 
+-- 
+2.34.1
diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
index 479c2f2064..fdecf9ef4c 100644
--- a/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
+++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://CVE-2024-23334.patch \
            file://CVE-2024-52304.patch \
            file://CVE-2023-49082.patch \
            file://CVE-2024-27306.patch \
+            file://CVE-2024-42367.patch \
           "
 SRC_URI[sha256sum] = "b0cf2a4501bff9330a8a5248b4ce951851e415bdcce9dc158e76cfd55e15085c"

diff --git a/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch new file mode 100644 index 0000000000..dadec31f3a --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-aiohttp/CVE-2024-42367.patch
@@ -0,0 +1,65 @@
		1	From e19cb50fb529bbe75cc4f1b68eeb0a3f631ad0d0 Mon Sep 17 00:00:00 2001
		2	From: "J. Nick Koston" <nick@koston.org>
		3	Date: Thu, 8 Aug 2024 11:19:28 -0500
		4	Subject: [PATCH] Do not follow symlinks for compressed file variants (#8652)
		5
		6	CVE: CVE-2024-42367
		7
		8	Upstream-Status: Backport
		9	[https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f]
		10
		11	Co-authored-by: Steve Repsher <steverep@users.noreply.github.com>
		12	Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
		13	---
		14	CHANGES/8652.bugfix.rst \| 1 +
		15	aiohttp/web_fileresponse.py \| 26 ++++++++++++++++++++++++++
		16	2 files changed, 27 insertions(+)
		17	create mode 100644 CHANGES/8652.bugfix.rst
		18
		19	diff --git a/CHANGES/8652.bugfix.rst b/CHANGES/8652.bugfix.rst
		20	new file mode 100644
		21	index 000000000..3a1003e50
		22	--- /dev/null
		23	+++ b/CHANGES/8652.bugfix.rst
		24	@@ -0,0 +1 @@
		25	+Fixed incorrectly following symlinks for compressed file variants -- by :user:`steverep`.
		26	diff --git a/aiohttp/web_fileresponse.py b/aiohttp/web_fileresponse.py
		27	index f41ed3fd0..35dbd41e1 100644
		28	--- a/aiohttp/web_fileresponse.py
		29	+++ b/aiohttp/web_fileresponse.py
		30	@@ -127,6 +127,32 @@ class FileResponse(StreamResponse):
		31	self.content_length = 0
		32	return await super().prepare(request)
		33
		34	+ def _get_file_path_stat_encoding(
		35	+ self, accept_encoding: str
		36	+ ) -> Tuple[pathlib.Path, os.stat_result, Optional[str]]:
		37	+ """Return the file path, stat result, and encoding.
		38	+
		39	+ If an uncompressed file is returned, the encoding is set to
		40	+ :py:data:`None`.
		41	+
		42	+ This method should be called from a thread executor
		43	+ since it calls os.stat which may block.
		44	+ """
		45	+ file_path = self._path
		46	+ for file_extension, file_encoding in ENCODING_EXTENSIONS.items():
		47	+ if file_encoding not in accept_encoding:
		48	+ continue
		49	+
		50	+ compressed_path = file_path.with_suffix(file_path.suffix + file_extension)
		51	+ with suppress(OSError):
		52	+ # Do not follow symlinks and ignore any non-regular files.
		53	+ st = compressed_path.lstat()
		54	+ if S_ISREG(st.st_mode):
		55	+ return compressed_path, st, file_encoding
		56	+
		57	+ # Fallback to the uncompressed file
		58	+ return file_path, file_path.stat(), None
		59	+
		60	async def prepare(self, request: "BaseRequest") -> Optional[AbstractStreamWriter]:
		61	filepath = self._path
		62
		63	--
		64	2.34.1
		65


diff --git a/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb b/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb index 479c2f2064..fdecf9ef4c 100644 --- a/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb +++ b/meta-python/recipes-devtools/python/python3-aiohttp_3.8.6.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://CVE-2024-23334.patch \
10	file://CVE-2024-52304.patch \	10	file://CVE-2024-52304.patch \
11	file://CVE-2023-49082.patch \	11	file://CVE-2023-49082.patch \
12	file://CVE-2024-27306.patch \	12	file://CVE-2024-27306.patch \
		13	file://CVE-2024-42367.patch \
13	"	14	"
14		15
15	SRC_URI[sha256sum] = "b0cf2a4501bff9330a8a5248b4ce951851e415bdcce9dc158e76cfd55e15085c"	16	SRC_URI[sha256sum] = "b0cf2a4501bff9330a8a5248b4ce951851e415bdcce9dc158e76cfd55e15085c"