From 5c4b61d38a86de2c26f4ce5e57aaa169643ac211 Mon Sep 17 00:00:00 2001
From: Soumya Sambu <soumya.sambu@windriver.com>
Date: Wed, 23 Apr 2025 04:59:35 +0000
Subject: python3-twisted: Fix CVE-2024-41671

Twisted is an event-based framework for internet applications, supporting Python 3.6+.
The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP
requests out-of-order, possibly resulting in information disclosure. This vulnerability
is fixed in 24.7.0rc1.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-41671
https://ubuntu.com/security/CVE-2024-41671

Upstream patches:
https://github.com/twisted/twisted/commit/f1cb4e616e9f23b4dd044a6db44365060950c64f
https://github.com/twisted/twisted/commit/ef2c755e9e9d57d58132af790bd2fd2b957b3fb1

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../python3-twisted/CVE-2024-41671-0001.patch      | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch

(limited to 'meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch')

diff --git a/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch
new file mode 100644
index 0000000000..a5bffbd5a5
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-twisted/CVE-2024-41671-0001.patch
@@ -0,0 +1,33 @@
+From f1cb4e616e9f23b4dd044a6db44365060950c64f Mon Sep 17 00:00:00 2001
+From: Tom Most <twm@freecog.net>
+Date: Mon, 22 Jul 2024 22:21:10 -0700
+Subject: [PATCH] Use chunking in the pipelining tests
+
+CVE: CVE-2024-41671
+
+Upstream-Status: Backport [https://github.com/twisted/twisted/commit/f1cb4e616e9f23b4dd044a6db44365060950c64f]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/twisted/web/test/test_http.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/twisted/web/test/test_http.py b/src/twisted/web/test/test_http.py
+index 7ffea4e..5d88ff1 100644
+--- a/src/twisted/web/test/test_http.py
++++ b/src/twisted/web/test/test_http.py
+@@ -575,9 +575,11 @@ class PipeliningBodyTests(unittest.TestCase, ResponseTestMixin):
+         b"Content-Length: 10\r\n"
+         b"\r\n"
+         b"0123456789POST / HTTP/1.1\r\n"
+-        b"Content-Length: 10\r\n"
++        b"Transfer-Encoding: chunked\r\n"
+         b"\r\n"
++        b"a\r\n"
+         b"0123456789"
++        b"0\r\n"
+     )
+
+     expectedResponses = [
+--
+2.40.0
-- 
cgit v1.2.3-54-g00ecf