From: Sam Bull <9m199i@sambull.org>
To: oss-security@lists.openwall.com
Date: Thu, 02 May 2024 14:48:19 +0100
Subject: [oss-security] CVE-2024-30251: DoS in aiohttp

Aiohttp is an HTTP client and server-side web framework in Python. This issue only affects users of the server-side web framework.

We've not seen any evidence of this being exploited in the wild yet, and fixes were already included in the 3.9.4 and 3.9.5 releases.

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5m98-qgg9-wh84

### Summary

An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.

### Impact

An attacker can stop the application from serving requests after sending a single request.

-------

For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in `_read_chunk_from_length()`):

diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py index 227be605c..71fc2654a 100644 --- a/aiohttp/multipart.py +++ b/aiohttp/multipart.py 
@@ -338,6 +338,8 @@ class BodyPartReader: assert self._length is not None, "Content-Length required for c= hunked read" chunk_size =3D min(size, self._length - self._read_bytes) chunk =3D await self._content.read(chunk_size) + if self._content.at_eof(): + self._at_eof =3D True return chunk =20 async def _read_chunk_from_stream(self, size: int) -> bytes:

This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:

https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
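
Review bot: The added `if self._content.at_eof():` check in `_read_chunk_from_length()` sets `self._at_eof = True` without comparing `self._read_bytes` against `self._length`, so a part whose stream ends before the declared length is reached is marked finished in the same way as a complete one. Terminating on stream EOF is what stops the loop, but the two lines carry no comment saying so and the diff includes no regression test; a one-line comment above the check and a test that drives the underlying stream to EOF inside this method would make a backport to older branches easier to verify. If callers need to tell a truncated part from a complete one, that distinction has to be made elsewhere, since nothing in this hunk records it.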