From aaebc2230a9b7555c8949d57749994391feceef2 Mon Sep 17 00:00:00 2001
From: yujingbo
Date: Thu, 23 Oct 2025 13:31:42 +0800
Subject: [PATCH] fix CVE-2025-62706

---
 backport-CVE-2025-62706.patch | 51 +++++++++++++++++++++++++++++++++++
 python-Authlib.spec | 5 +++-
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-62706.patch

diff --git a/backport-CVE-2025-62706.patch b/backport-CVE-2025-62706.patch
new file mode 100644
index 0000000..e7910d7
--- /dev/null
+++ b/backport-CVE-2025-62706.patch
@@ -0,0 +1,51 @@
+From 4b5b5703394608124cd39e547cc7829feda05a13 Mon Sep 17 00:00:00 2001
+From: Hsiaoming Yang
+Date: Wed, 24 Sep 2025 21:38:45 +0900
+Subject: [PATCH] fix(jose): add max size for JWE zip=DEF decompression
+
+---
+ authlib/jose/rfc7518/jwe_zips.py | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/authlib/jose/rfc7518/jwe_zips.py b/authlib/jose/rfc7518/jwe_zips.py
+index 2396861..0eb4871 100644
+--- a/authlib/jose/rfc7518/jwe_zips.py
++++ b/authlib/jose/rfc7518/jwe_zips.py
+@@ -1,20 +1,30 @@
+ import zlib
+ from ..rfc7516 import JWEZipAlgorithm, JsonWebEncryption
+ 
++GZIP_HEAD = bytes([120, 156])
++MAX_SIZE = 250 * 1024
+ 
+ class DeflateZipAlgorithm(JWEZipAlgorithm):
+     name = 'DEF'
+     description = 'DEFLATE'
+ 
+-    def compress(self, s):
++    def compress(self, s: bytes) -> bytes:
+         """Compress bytes data with DEFLATE algorithm."""
+         data = zlib.compress(s)
+-        # drop gzip headers and tail
++        # https://datatracker.ietf.org/doc/html/rfc1951
++        # since DEF is always gzip, we can drop gzip headers and tail
+         return data[2:-4]
+ 
+-    def decompress(self, s):
++    def decompress(self, s: bytes) -> bytes:
+         """Decompress DEFLATE bytes data."""
+-        return zlib.decompress(s, -zlib.MAX_WBITS)
++        if s.startswith(GZIP_HEAD):
++            decompressor = zlib.decompressobj()
++        else:
++            decompressor = zlib.decompressobj(-zlib.MAX_WBITS)
++        value = decompressor.decompress(s, MAX_SIZE)
++        if decompressor.unconsumed_tail:
++            raise ValueError(f"Decompressed string exceeds {MAX_SIZE} bytes")
++        return value
+ 
+ 
+ def register_jwe_rfc7518():
+--
+2.33.0
+
diff --git a/python-Authlib.spec b/python-Authlib.spec
index 10380a2..a7173e7 100644
--- a/python-Authlib.spec
+++ b/python-Authlib.spec
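Review bot: The `if decompressor.unconsumed_tail:` check after `decompressor.decompress(s, MAX_SIZE)` does not establish that the stream was fully decoded: zlib may already have consumed every input byte and still stop emitting output at MAX_SIZE, leaving `unconsumed_tail` empty, and a truncated or incomplete DEFLATE stream (which the removed `zlib.decompress(s, -zlib.MAX_WBITS)` rejected with `zlib.error`) is now returned as a silently shortened plaintext. Testing the end-of-stream flag as well closes both gaps with a one-line change, `if decompressor.unconsumed_tail or not decompressor.eof:`, keeping the existing `raise ValueError(...)` beneath it. Separately, `GZIP_HEAD = bytes([120, 156])` is the RFC 1950 zlib header (0x78 0x9c), not the gzip magic (0x1f 0x8b), and RFC 7516 `zip=DEF` is raw DEFLATE per RFC 1951, so the new comment `# since DEF is always gzip, we can drop gzip headers and tail` would be accurate as `# zlib.compress() emits an RFC 1950 zlib wrapper; JWE DEF is raw DEFLATE (RFC 1951), so strip the 2-byte header and 4-byte Adler-32 trailer`. Because the 250 KiB cap is a hard-coded module constant, deployments with legitimately larger JWE payloads will start seeing ValueError after this backport, which deserves a mention in the spec changelog or a configurable limit. `register_jwe_rfc7518` starts on the last code line of the hunk and continues outside it.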
@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name: python-Authlib
 Version: 1.2.0
-Release: 3
+Release: 4
 Summary: The ultimate Python library in building OAuth and OpenID Connect servers and clients.
 License: BSD 3-Clause License
 URL: https://authlib.org/
@@ -9,6 +9,7 @@ Source0: https://files.pythonhosted.org/packages/1e/84/3c82d181a04053fefa456dcb1
 BuildArch: noarch
 Patch0001: backport-fix-prevent-OctKey-to-import-ssh-rsa-pem-keys.patch
+Patch0002: backport-CVE-2025-62706.patch
 Requires: python3-cryptography
@@ -74,6 +75,8 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Thu Oct 23 2025 yujingbo - 1.2.0-4
+- fix CVE-2025-62706
 * Wed Jun 26 2024 wangziliang - 1.2.0-2
 - fix CVE-2024-37568
-- 
Gitee