File CVE-2025-62706.patch of Package python-Authlib.41293
From 4b5b5703394608124cd39e547cc7829feda05a13 Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang <me@lepture.com>
Date: Wed, 24 Sep 2025 21:38:45 +0900
Subject: [PATCH] fix(jose): add max size for JWE zip=DEF decompression
---
authlib/jose/rfc7518/jwe_zips.py | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
Index: authlib-1.3.1/authlib/jose/rfc7518/jwe_zips.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/rfc7518/jwe_zips.py
+++ authlib-1.3.1/authlib/jose/rfc7518/jwe_zips.py
@@ -1,6 +1,9 @@
import zlib
from ..rfc7516 import JWEZipAlgorithm, JsonWebEncryption
+GZIP_HEAD = bytes([120, 156])
+MAX_SIZE = 250 * 1024
+
class DeflateZipAlgorithm(JWEZipAlgorithm):
name = 'DEF'
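Review bot: `GZIP_HEAD` is misnamed on the `+GZIP_HEAD = bytes([120, 156])` line: 0x78 0x9C is a zlib (RFC 1950) stream header, gzip streams begin with 0x1f 0x8b, and the other common zlib header pairs (0x78 0x01, 0x78 0x5E, 0x78 0xDA) are not matched, so the wrapped-stream detection is partial. Since RFC 7516 defines `zip=DEF` as raw DEFLATE (RFC 1951), accepting a zlib-wrapped payload is a leniency that should be stated rather than implied by the name; I would rename it `ZLIB_HEAD` and add `# 0x78 0x9C: zlib (RFC 1950) header; zip=DEF is raw DEFLATE per RFC 7516, wrapped input is tolerated`. `MAX_SIZE` would also benefit from a rationale comment, e.g. `# cap on inflated plaintext size to bound memory during decompression`.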
@@ -14,7 +17,14 @@ class DeflateZipAlgorithm(JWEZipAlgorith
def decompress(self, s):
"""Decompress DEFLATE bytes data."""
- return zlib.decompress(s, -zlib.MAX_WBITS)
+ if s.startswith(GZIP_HEAD):
+ decompressor = zlib.decompressobj()
+ else:
+ decompressor = zlib.decompressobj(-zlib.MAX_WBITS)
+ value = decompressor.decompress(s, MAX_SIZE)
+ if decompressor.unconsumed_tail:
+ raise ValueError(f"Decompressed string exceeds {MAX_SIZE} bytes")
+ return value
def register_jwe_rfc7518():
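Review bot: The new `decompress` body no longer detects a truncated or corrupt stream: `zlib.decompress` raised `zlib.error` on an incomplete stream, whereas `decompressobj.decompress` returns whatever it could inflate and leaves `eof` false, so the method can now return a partial plaintext without error. After the `unconsumed_tail` check I would add `if not decompressor.eof: raise ValueError("Compressed data is truncated or corrupt")`, and note in the docstring that both over-size and truncated input raise `ValueError` rather than `zlib.error`. Separately, `decompress(s, MAX_SIZE)` stops emitting output at exactly MAX_SIZE bytes, so a legitimate payload that inflates to exactly 250 KiB may still have input pending (end-of-block code or zlib trailer) and leave `unconsumed_tail` non-empty, which this check reports as over-size; asking for `MAX_SIZE + 1` and testing `len(value) > MAX_SIZE` keeps the limit inclusive. `register_jwe_rfc7518` begins on the last context line and continues outside the hunk.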