Public bug reported:
Ubuntu 24.04
Package: python3-pip-whl
Version: 24.0+dfsg-1ubuntu1.3+esm1
After the CVE-2025-66471 update, pip's vendored urllib3 truncates gzip-decoded responses.
This is reproducible without network/TLS/PyPI:
raw gzip bytes: 219
expected decoded bytes: 120069
requests .content bytes: 10240
JSON FAIL: JSONDecodeError('Unterminated string starting at: line 1 column 20 (char 19)')
raw.read decoded bytes: 120069
raw.read JSON: OK
Installed wheel fingerprint:
/usr/share/python-wheels/pip-24.0-py3-none-any.whl
max_length=(amt or 0) True
class GzipDecoder True
_unconsumed_tail False
The local GzipDecoder honours max_length but does not persist the
unconsumed gzip tail / pending decoded data for the next read.
HTTPResponse.read(amt) passes max_length=(amt or 0) into _decode(), so
Response.content / iter_content() can return a truncated decoded body.
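As an added illustration (not code from this report, pip or urllib3), a minimal model of the behaviour described above: a decoder that honours max_length but drops zlib's unconsumed_tail stops after the first chunk, while one that carries the tail over to the next read yields the whole body. The decoder classes, the read loop and the sample body are all constructed here; the real urllib3 code differs.

```python
import gzip
import zlib

# Constructed sample: a repetitive JSON-like body so that a small gzip
# payload expands to far more than one 10240-byte read chunk.
BODY = (b'{"files":['
        + b','.join(b'{"filename":"pip-24.0.whl"}' for _ in range(2000))
        + b']}')
RAW = gzip.compress(BODY)


class BrokenGzipDecoder:
    """Honours max_length but forgets zlib's unconsumed_tail (the reported defect)."""
    def __init__(self):
        self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing

    def decompress(self, data, max_length=0):
        # Whatever zlib could not consume is left in self._obj.unconsumed_tail
        # and never fed back, so later reads see no input and return b"".
        return self._obj.decompress(data, max_length)

    def flush(self):
        return self._obj.flush()


class FixedGzipDecoder:
    """Persists the unconsumed compressed tail across calls."""
    def __init__(self):
        self._obj = zlib.decompressobj(16 + zlib.MAX_WBITS)
        self._tail = b""

    def decompress(self, data, max_length=0):
        out = self._obj.decompress(self._tail + data, max_length)
        self._tail = self._obj.unconsumed_tail  # keep leftover input for next read
        return out

    def has_pending(self):
        return bool(self._tail)

    def flush(self):
        return self._obj.flush()


def read_all(decoder, raw, chunk=10240):
    """Mimic a response read loop: each read asks for at most `chunk` decoded bytes."""
    out = decoder.decompress(raw, max_length=chunk)
    while True:
        piece = decoder.decompress(b"", max_length=chunk)
        if not piece:
            break
        out += piece
    return out + decoder.flush()
```

Comparing `len(read_all(BrokenGzipDecoder(), RAW))` with `len(BODY)` shows the truncation; the fixed decoder returns the body intact.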
Real symptom:
python -m pip install --no-cache-dir --upgrade pip
fails while parsing https://pypi.org/simple/pip/:
json.decoder.JSONDecodeError: Unterminated string starting at: line 1 column 40853
The raw gzip response from PyPI is valid and decompresses to full valid
JSON; only requests.Response.content through pip's vendored urllib3
truncates it.
This looks like an incomplete downstream backport of the CVE-2025-66471
urllib3 fix into pip's vendored urllib3.
** Affects: python-pip (Ubuntu)
Importance: Undecided
Status: New
** Tags: regression-update
https://bugs.launchpad.net/bugs/2154576
Title:
python3-pip-whl 24.0+dfsg-1ubuntu1.3+esm1: CVE-2025-66471 backport
truncates gzip-decoded responses
--
ubuntu-bugs mailing list