openSUSE has issued an advisory on November 27: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KECEA6QVDQMKX34TWO73YYIDDQZZ476N/
CVE: (none) => CVE-2024-52804
Source RPM: (none) => python-tornado-6.4.1-1.mga10.src.rpm, python-tornado-6.3.2-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 6.4.2
Whiteboard: (none) => MGA9TOO
Assigning to Python stack maintainers.
Assignee: bugsquad => python
Suggested advisory:
========================
The updated packages fix a security vulnerability:

Tornado has an HTTP cookie parsing DoS vulnerability. (CVE-2024-52804)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KECEA6QVDQMKX34TWO73YYIDDQZZ476N/
========================
Updated packages in core/updates_testing:
========================
python3-tornado-6.3.2-1.1.mga9
python3-tornado-doc-6.3.2-1.1.mga9

from SRPM:
python-tornado-6.3.2-1.1.mga9.src.rpm
Assignee: python => qa-bugs
Version: Cauldron => 9
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 6.4.2 => (none)
Source RPM: python-tornado-6.4.1-1.mga10.src.rpm, python-tornado-6.3.2-1.mga9.src.rpm => python-tornado-6.3.2-1.mga9.src.rpm
Keywords: (none) => advisory
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Tried to follow Len on bug 32033, got mopidy running, but the website displays just some text:
"Web clients
Web clients which are installed as Mopidy extensions will automatically appear here."
Len indicates Iris as the web client, but I have no idea where he got that from. Anyway, mopidy runs.
CC: (none) => herman.viaene
@Len, can you give an eye to this? It looks like too much for me.
CC: (none) => tarazed25
@katnatek sorry for leaving so much to you. It is time I got back on board. Should not give in to old age. Tomorrow anyway.
mga9, x64
Well, made a start on this and hit snags. Could not find any trail leading to a PoC for the DoS vulnerability.
Before updating had a look at the examples on board.
$ pwd
/usr/share/doc/python3-tornado-doc/demos/helloworld
$ python helloworld.py
[I 250212 00:12:22 web:2344] 200 GET / (127.0.0.1) 0.52ms
[W 250212 00:12:22 web:2344] 404 GET /favicon.ico (127.0.0.1) 0.28ms
In Firefox at localhost:8888/ the message "Hello, world" appears.
$ cd ..
$ ls
blog/ facebook/ helloworld/ tcpecho/ websocket/ chat/ file_upload/ s3server/ twitter/ webspider/
No connections with Twitter or Facebook.
Tried chat, which posted a text input field on a web page at port 8888, and the tab is "Tornado Chat Demo". Typed in something random and hit the Post button. The text is echoed above in the same Firefox window. Not much idea what is going on here.
$ python chatdemo.py
[I 250212 00:21:47 web:2344] 200 GET / (127.0.0.1) 1.42ms
[I 250212 00:21:47 web:2344] 200 GET /static/chat.css?v=b8867475c98b3780ab6230b6ea29771ae71b788b59c4713829ba4754de5201f8dbe05b0fe33ccfeffec42940597a2c9d101661e000b866a5f3a0cb814d0401c4 (127.0.0.1) 4.36ms
[I 250212 00:21:47 web:2344] 200 GET /static/chat.js?v=df1b8262685063ebbd1a7e70acfe7e4211f6b6cc28b5b9e713a8deeba3d10f8f73b94b9b4286606adc3fb4560186ee730b0787f21800e52c17c0c810c5d0ec26 (127.0.0.1) 0.46ms
[I 250212 00:22:42 web:2344] 200 POST /a/message/new (127.0.0.1) 0.68ms
[I 250212 00:22:42 web:2344] 200 POST /a/message/updates (127.0.0.1) 54659.60ms
[I 250212 00:
Closed the session with 'q'.
Next, file upload: Opened 8888 at localhost in Firefox. Started the file_receiver script
$ python file_receiver.py
[W 250212 00:40:22 web:2344] 405 GET / (127.0.0.1) 0.36ms
then moved to another terminal to run the POST command using file_uploader. Initially the browser displayed "405: Method Not Allowed", which is probably a complaint about lack of payload.
$ python file_uploader.py Erased Erased.jpg
<failed>
$ python file_uploader.py --put Erased Erased.jpg
<failed>
$ python file_uploader.py "Erased Erased.jpg"
<failed>
Whatever is tried, the same complaint comes back:
Traceback (most recent call last):
  File "/usr/share/doc/python3-tornado-doc/demos/file_upload/file_uploader.py", line 114, in <module>
    asyncio.run(method(filenames))
  File "/usr/lib64/python3.10/asyncio/runners.py", line 37, in run
    raise ValueError("a coroutine was expected, got {!r}".format(main))
ValueError: a coroutine was expected, got <Future pending cb=[coroutine.<locals>.wrapper.<locals>.<lambda>() at /usr/lib64/python3.10/site-packages/tornado/gen.py:251]>
Not much idea what is going on. The test code contains four coroutines to PUT, POST, write chunks and get the data, as far as I can make out, so there may be something wrong with the way the file names are presented. The error refers to this line:
filenames = options.parse_command_line()
Shall try these primitive tests again after the update.
Still in the demos directory:
Tried tcpecho, which worked.
$ python server.py &
$ [I 250212 09:14:47 server:33] Listening on TCP port 9888
< -> another terminal >
$ python client.py
Sent to server: ping
Response from server: ping
At the server end:
$ [I 250212 09:21:43 server:20] Received bytes: b'ping\n'
[W 250212 09:21:43 server:25] Lost client at host 127.0.0.1
Looks OK.
Tried webspider, which generated an endless series of messages like:
fetching http://www.tornadoweb.org/en/stable/_modules/tornado/process.html
fetched http://www.tornadoweb.org/en/stable/_modules/tornado/gen.html
fetching http://www.tornadoweb.org/en/stable/_sources/caresresolver.rst.txt
fetched http://www.tornadoweb.org/en/stable/_modules/tornado/queues.html
fetching http://www.tornadoweb.org/en/stable/_sources/log.rst.txt
fetched http://www.tornadoweb.org/en/stable/_sources/queues.rst.txt
Looks like it works. So three of the tests are OK.
Updated the packages with qarepo and drakrpm-update.
Opened port 8888 in a browser
$ python helloworld.py
[I 250212 10:08:03 web:2344] 200 GET / (127.0.0.1) 0.64ms
"Hello, world" message appeared in browser.
$ python file_receiver.py
seems to work, but the uploader fails with localhost:9888 open in a browser
$ python file_uploader Fever checksum
Traceback (most recent call last):
  File "/home/lcl/file_uploader.py", line 114, in <module>
    asyncio.run(method(filenames))
  File "/usr/lib64/python3.10/asyncio/runners.py", line 37, in run
    raise ValueError("a coroutine was expected, got {!r}".format(main))
ValueError: a coroutine was expected, got <Future pending cb=[coroutine.<locals>.wrapper.<locals>.<lambda>() at /usr/lib64/python3.10/site-packages/tornado/gen.py:251]>
Same as before.
$ python webspider.py
fetching http://www.tornadoweb.org/en/stable/
fetched http://www.tornadoweb.org/en/stable/
fetching http://www.tornadoweb.org/en/stable/releases.html
fetching http://www.tornadoweb.org/en/stable/_sources/index.rst.txt
fetching http://www.tornadoweb.org/en/stable/guide.html
...
OK.
Cannot get the chatdemo to work now.
Have to give up on this now. Lack of knowledge of Python, and I have maybe misinterpreted how to run the demonstration scripts. Anybody else?
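Since no PoC turned up, the check below is one a tester could run before and after the update in place of a reproducer. It is an added example, not part of this bug report, of the Mageia package or of upstream Tornado. It times cookie-header parsing on headers of doubling size and fits the growth exponent of the parse time; linear work gives an exponent near 1, and a superlinear parser (the kind of defect behind a parsing DoS) gives a clearly larger one. It assumes the real function `tornado.httputil.parse_cookie` when the package is installed and otherwise falls back to CPython's `http.cookies.SimpleCookie`. The two header shapes (`many_pairs`, `long_quoted`) are constructed stress inputs and are not claimed to be the upstream reproducer for CVE-2024-52804.

```python
"""Growth-rate check for a cookie-header parser (added example, not project code)."""
import math
import time
from http.cookies import SimpleCookie
from typing import Callable, Dict, List, Sequence

try:
    # Real function from the tornado package; used only when tornado is installed,
    # which on a Mageia host means the packaged python3-tornado under test.
    from tornado.httputil import parse_cookie as _tornado_parse
except ImportError:
    _tornado_parse = None


def parse_with_stdlib(header: str) -> Dict[str, str]:
    """Fallback parser: CPython's http.cookies, returning name -> unquoted value."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def parser_under_test() -> Callable[[str], Dict[str, str]]:
    """Prefer tornado's parser when present, otherwise the stdlib one."""
    return _tornado_parse if _tornado_parse is not None else parse_with_stdlib


# Constructed header shapes: generic stress inputs for any cookie parser,
# NOT the upstream reproducer for CVE-2024-52804 (assumption, see lead-in).
def many_pairs(n: int) -> str:
    """n small name=value pairs: k0=v0; k1=v1; ..."""
    return "; ".join(f"k{i}=v{i}" for i in range(n))


def long_quoted(n: int) -> str:
    """One cookie whose quoted value is n backslash-escaped quote characters."""
    return 'session="' + '\\"' * n + '"'


def _timed(parse: Callable[[str], Dict[str, str]], header: str) -> float:
    t0 = time.perf_counter()
    parse(header)
    return time.perf_counter() - t0


def time_parser(parse: Callable[[str], Dict[str, str]],
                make_header: Callable[[int], str],
                sizes: Sequence[int], repeats: int = 3) -> List[float]:
    """Best-of-`repeats` wall-clock seconds to parse a header of each size."""
    return [min(_timed(parse, make_header(n)) for _ in range(repeats)) for n in sizes]


def growth_exponent(sizes: Sequence[int], times: Sequence[float]) -> float:
    """Least-squares slope of log(time) against log(size): ~1 linear, ~2 quadratic."""
    xs = [math.log(n) for n in sizes]
    ys = [math.log(t) for t in times]
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def check_parser(parse: Callable[[str], Dict[str, str]]) -> bool:
    """Sanity check: plain and quoted values come back unquoted and complete."""
    return parse('a=1; b="two"; c=3') == {"a": "1", "b": "two", "c": "3"}


def run(sizes: Sequence[int] = (1000, 2000, 4000, 8000)) -> Dict[str, float]:
    """Growth exponent per header shape for the parser under test."""
    parse = parser_under_test()
    if not check_parser(parse):
        raise RuntimeError("parser mangles a simple header; timings would be meaningless")
    return {
        name: growth_exponent(sizes, time_parser(parse, make, sizes))
        for name, make in (("many_pairs", many_pairs), ("long_quoted", long_quoted))
    }


if __name__ == "__main__":
    for shape, k in run().items():
        print(f"{shape}: growth exponent ~ {k:.2f}")
```

Timings are noisy, so read the exponent as a signal for closer inspection rather than a pass/fail verdict; the useful comparison is the same shape on the same machine before and after installing the candidate package.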
For me, the examples that worked still work and the ones that did not still do not.
Len's tests are good enough to give an OK.
@Thomas, please give your view on it.
CC: (none) => andrewsfarm
(In reply to katnatek from comment #8)
> For me, the examples that worked still work and the ones that did not still
> do not.
> Len's tests are good enough to give an OK.
>
> @Thomas, please give your view on it.

Len got a lot farther with it than I would have, but then that frequently happens. What little I can understand appears to be working, and I think Len's assessment at the end of comment 7 is probably accurate. Looks like one of those things that needs someone with more experience to really test. Let's send it on.

Validating.
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0060.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED