packages/python-waitress
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to 1.4.4 for fix cves and add patches for CVE-2024-49769

Browse Source
This commit is contained in:
starlet-dx 2025-04-14 17:55:55 +08:00
parent c7f0dbfad7
commit fdb530af64
8 changed files with 194 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
CVE-2024-49769-0001-Remove-test-for-getpeername.patch Normal file
View File

@ -0,0 +1,34 @@
From 75a9894ad98be6573f265859b2ea635644392a42 Mon Sep 17 00:00:00 2001
From: Delta Regeer <bertjw@regeer.org>
Date: Sun, 3 Mar 2024 16:23:33 -0700
Subject: Remove test for getpeername()
---
tests/test_wasyncore.py | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/tests/test_wasyncore.py b/tests/test_wasyncore.py
index 9c23509..a49bad4 100644
--- a/tests/test_wasyncore.py
+++ b/tests/test_wasyncore.py
@@ -1416,17 +1416,6 @@ class Test_dispatcher(unittest.TestCase):
return dispatcher(sock=sock, map=map)
- def test_unexpected_getpeername_exc(self):
- sock = dummysocket()
-
- def getpeername():
- raise socket.error(errno.EBADF)
-
- map = {}
- sock.getpeername = getpeername
- self.assertRaises(socket.error, self._makeOne, sock=sock, map=map)
- self.assertEqual(map, {})
-
def test___repr__accepting(self):
sock = dummysocket()
map = {}
--
2.30.2

40
CVE-2024-49769-0002-When-closing-the-socket-set-it-to-None.patch Normal file
View File

@ -0,0 +1,40 @@
From f78ec341ac037256474220371e0163b8b308c32a Mon Sep 17 00:00:00 2001
From: Delta Regeer <bertjw@regeer.org>
Date: Sun, 3 Mar 2024 16:37:12 -0700
Subject: When closing the socket, set it to None
This avoids calling close() twice on the same socket if self.close() or
self.handle_close() is called multiple times
---
src/waitress/wasyncore.py | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/waitress/wasyncore.py b/src/waitress/wasyncore.py
index 09bcafa..f683b23 100644
--- a/src/waitress/wasyncore.py
+++ b/src/waitress/wasyncore.py
@@ -471,6 +471,8 @@ class dispatcher:
if why.args[0] not in (ENOTCONN, EBADF):
raise
+ self.socket = None
+
# log and log_info may be overridden to provide more sophisticated
# logging and warning methods. In general, log is for 'hit' logging
# and 'log_info' is for informational, warning and error logging.
@@ -521,7 +523,11 @@ class dispatcher:
# handle_expt_event() is called if there might be an error on the
# socket, or if there is OOB data
# check for the error condition first
- err = self.socket.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
+ err = (
+ self.socket.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
+ if self.socket is not None
+ else 1
+ )
if err != 0:
# we can get here when select.select() says that there is an
# exceptional condition on the socket
--
2.30.2

28
CVE-2024-49769-0003-Don-t-exit-handle_write-early-even-if-socket-is-not-.patch Normal file
View File

@ -0,0 +1,28 @@
From b2c6691a88a61df7f6f65ef16da374c40000176c Mon Sep 17 00:00:00 2001
From: Delta Regeer <bertjw@regeer.org>
Date: Sun, 3 Mar 2024 16:26:22 -0700
Subject: Don't exit handle_write early -- even if socket is not connected
Calling handle_close() multiple times does not hurt anything, and is
safe.
---
src/waitress/channel.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/waitress/channel.py b/src/waitress/channel.py
index bc9a2bb..4a5ce3a 100644
--- a/src/waitress/channel.py
+++ b/src/waitress/channel.py
@@ -90,9 +90,6 @@ class HTTPChannel(wasyncore.dispatcher, object):
def handle_write(self):
# Precondition: there's data in the out buffer to be sent, or
# there's a pending will_close request
- if not self.connected:
- # we dont want to close the channel twice
- return
# try to flush any pending output
if not self.requests:
--
2.30.2

51
CVE-2024-49769-0004-Assume-socket-is-not-connected-when-passed-to-wasync.patch Normal file
View File

@ -0,0 +1,51 @@
From ccef33f7726247a7b79e8b7e7920dd2014c58f64 Mon Sep 17 00:00:00 2001
From: Delta Regeer <bertjw@regeer.org>
Date: Sun, 3 Mar 2024 16:16:48 -0700
Subject: Assume socket is not connected when passed to wasyncore.dispatcher
No longer call getpeername() on the remote socket either, as it is not
necessary for any of the places where waitress requires that self.addr
in a subclass of the dispatcher needs it.
This removes a race condition when setting up a HTTPChannel where we
accepted the socket, and know the remote address, yet call getpeername()
again which would have the unintended side effect of potentially setting
self.connected to False because the remote has already shut down part of
the socket.
This issue was uncovered in #418, where the server would go into a hard
loop because self.connected was used in various parts of the code base.
---
src/waitress/wasyncore.py | 16 ----------------
1 file changed, 16 deletions(-)
diff --git a/src/waitress/wasyncore.py b/src/waitress/wasyncore.py
index f683b23..dfd38dd 100644
--- a/src/waitress/wasyncore.py
+++ b/src/waitress/wasyncore.py
@@ -300,22 +300,6 @@ class dispatcher:
# get a socket from a blocking source.
sock.setblocking(0)
self.set_socket(sock, map)
- self.connected = True
- # The constructor no longer requires that the socket
- # passed be connected.
- try:
- self.addr = sock.getpeername()
- except socket.error as err:
- if err.args[0] in (ENOTCONN, EINVAL):
- # To handle the case where we got an unconnected
- # socket.
- self.connected = False
- else:
- # The socket is broken in some unknown way, alert
- # the user and remove it from the map (to prevent
- # polling of broken sockets).
- self.del_channel(map)
- raise
else:
self.socket = None
--
2.30.2

27
CVE-2024-49769-0005-HTTPChannel-is-always-created-from-accept-explicitly.patch Normal file
View File

@ -0,0 +1,27 @@
From ad198816fb728ea0aec2c20b2c87396e862004e8 Mon Sep 17 00:00:00 2001
From: Delta Regeer <bertjw@regeer.org>
Date: Sun, 3 Mar 2024 16:15:51 -0700
Subject: HTTPChannel is always created from accept, explicitly set
self.connected to True
---
src/waitress/channel.py | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/waitress/channel.py b/src/waitress/channel.py
index 4a5ce3a..62ca9fa 100644
--- a/src/waitress/channel.py
+++ b/src/waitress/channel.py
@@ -77,8 +77,7 @@ class HTTPChannel(wasyncore.dispatcher, object):
self.outbuf_lock = threading.Condition()
wasyncore.dispatcher.__init__(self, sock, map=map)
-
- # Don't let wasyncore.dispatcher throttle self.addr on us.
+ self.connected = True
self.addr = addr
def writable(self):
--
2.30.2

18
python-waitress.spec
View File

@ -1,12 +1,18 @@
%global _docdir_fmt %{name}
Name: python-waitress
Version: 1.1.0
Release: 5
Version: 1.4.4
Release: 1
Summary: A WSGI server for Python 2 and 3
License: ZPLv2.1
License: ZPL-2.1
URL: https://github.com/Pylons/waitress
Source0: https://github.com/Pylons/waitress/archive/v%{version}/waitress-%{version}.tar.gz
# https://lists.debian.org/debian-lts-announce/2024/11/msg00012.html
Patch0: CVE-2024-49769-0001-Remove-test-for-getpeername.patch
Patch1: CVE-2024-49769-0002-When-closing-the-socket-set-it-to-None.patch
Patch2: CVE-2024-49769-0003-Don-t-exit-handle_write-early-even-if-socket-is-not-.patch
Patch3: CVE-2024-49769-0004-Assume-socket-is-not-connected-when-passed-to-wasync.patch
Patch4: CVE-2024-49769-0005-HTTPChannel-is-always-created-from-accept-explicitly.patch
BuildArch: noarch
%description
@ -41,7 +47,7 @@ and Windows under Python 2.7+ and Python 3.5+. It is also known to run
on PyPy 1.6.0+ on UNIX. It supports HTTP/1.0 and HTTP/1.1.
%prep
%autosetup -n waitress-%{version}
%autosetup -n waitress-%{version} -p1
%build
%py2_build
@ -63,5 +69,9 @@ on PyPy 1.6.0+ on UNIX. It supports HTTP/1.0 and HTTP/1.1.
%{python3_sitelib}/*
%changelog
* Tue Apr 15 2025 yaoxin <1024769339@qq.com> - 1.4.4-1
- Update to 1.4.4 for fix CVE-2019-16785,CVE-2019-16786,CVE-2019-16789 and CVE-2019-16792
- Add patches for CVE-2024-49769: DoS due to resource exhaustion
* Thu Feb 13 2020 Ruijun Ge <geruijun@huawei.com> - 1.1.0-5
- init package

BIN
waitress-1.1.0.tar.gz
View File

Binary file not shown.

BIN
waitress-1.4.4.tar.gz Normal file
View File

Binary file not shown.