Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-multipart for 
openSUSE:Factory checked in at 2026-03-13 21:17:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-multipart (Old)
 and      /work/SRC/openSUSE:Factory/.python-multipart.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-multipart"

Fri Mar 13 21:17:40 2026 rev:4 rq:1338644 version:1.3.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-multipart/python-multipart.changes        
2025-11-18 15:40:34.049293881 +0100
+++ 
/work/SRC/openSUSE:Factory/.python-multipart.new.8177/python-multipart.changes  
    2026-03-13 21:21:44.713570877 +0100
@@ -1,0 +2,10 @@
+Fri Mar 13 09:08:01 UTC 2026 - Daniel Garcia <[email protected]>
+
+- CVE-2026-28356: exponential backtracking (ReDoS), bsc#1259610
+- update to 1.3.1:
+  * This release contains security fixes. See
+    
https://github.com/defnull/multipart/security/advisories/GHSA-p2m9-wcp5-6qw3
+  * **Full Changelog**:
+    https://github.com/defnull/multipart/compare/v1.3.0...v1.3.1
+
+-------------------------------------------------------------------

Old:
----
  multipart-1.3.0.tar.gz

New:
----
  multipart-1.3.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-multipart.spec ++++++
--- /var/tmp/diff_new_pack.GVeqsL/_old  2026-03-13 21:21:45.357597444 +0100
+++ /var/tmp/diff_new_pack.GVeqsL/_new  2026-03-13 21:21:45.361597609 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python-multipart
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           python-multipart
-Version:        1.3.0
+Version:        1.3.1
 Release:        0
 Summary:        Parser for multipart/form-data
 License:        MIT

++++++ multipart-1.3.0.tar.gz -> multipart-1.3.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/multipart-1.3.0/PKG-INFO new/multipart-1.3.1/PKG-INFO
--- old/multipart-1.3.0/PKG-INFO        1970-01-01 01:00:00.000000000 +0100
+++ new/multipart-1.3.1/PKG-INFO        1970-01-01 01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: multipart
-Version: 1.3.0
+Version: 1.3.1
 Summary: Parser for multipart/form-data
 Author-email: Marcel Hellkamp <[email protected]>
 Requires-Python: >=3.8
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/multipart-1.3.0/multipart.py 
new/multipart-1.3.1/multipart.py
--- old/multipart-1.3.0/multipart.py    2025-07-26 17:05:21.991250000 +0200
+++ new/multipart-1.3.1/multipart.py    2026-02-27 11:12:52.690493300 +0100
@@ -12,7 +12,7 @@
 
 
 __author__ = "Marcel Hellkamp"
-__version__ = '1.3.0'
+__version__ = '1.3.1'
 __license__ = "MIT"
 __all__ = [
     "MultipartError",
@@ -216,7 +216,7 @@
 _token = "[a-zA-Z0-9-!#$%&'*+.^_`|~]+"
 _re_token = re.compile("^%s$" % _token, re.ASCII)
 # A token or quoted-string (simple qs | token | slow qs)
-_value = r'"[^\\"]*"|%s|"(?:\\.|[^"])*"' % _token
+_value = r'"[^\\"]*"|%s|"(?:\\.|[^\\"])*"' % _token
 # A "; key=value" pair from content-disposition header
 _option = r"; *(%s) *= *(%s)" % (_token, _value)
 _re_option = re.compile(_option)
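Review bot: The rewritten third alternative of `_value` carries no comment explaining why its character class must exclude the backslash, so a later edit could reintroduce the overlap between `\\.` and the class that lets a run of backslashes match in exponentially many ways (presumably the ReDoS the changelog lists as CVE-2026-28356). I would add above the line `# The escape branch and the character class must never both match a backslash, otherwise matching backtracks exponentially.` A quoted value whose last character before the closing quote is a backslash was accepted by the old class as a literal backslash; with no later quote in the header it now matches no alternative. How `parse_options_header` treats such an unmatched option is outside this hunk, so a regression test for that input and for a long backslash run would pin the behaviour.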
@@ -307,7 +307,8 @@
 ################################## SansIO Parser #############################
 ##############################################################################
 
-
+# Constants used by the parser
+_HEADER_EXPECTED = frozenset(["Content-Disposition", "Content-Type", 
"Content-Length"])
 # Parser states as constants
 _PREAMBLE = "PREAMBLE"
 _HEADER = "HEADER"
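Review bot: The comment `# Constants used by the parser` does not say what `_HEADER_EXPECTED` is for, yet the header-name hunk further down uses membership in it to skip the space/ASCII/printable checks. I would document it as `# Header names that skip the name validation in the segment header parser; membership is an exact, case-sensitive match, so other spellings are still validated.` The three names listed are plain printable ASCII, so the bypass looks safe as written. Anything added to the set later is exempt from validation and should meet the same constraints.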
@@ -720,8 +721,9 @@
             name = name.strip()
             if not col or not name:
                 raise ParserError("Malformed segment header")
-            if " " in name or not name.isascii() or not name.isprintable():
-                raise ParserError("Invalid segment header name")
+            if name not in _HEADER_EXPECTED:
+                if " " in name or not name.isascii() or not name.isprintable():
+                    raise ParserError("Invalid segment header name")
         except UnicodeDecodeError as err:
             raise ParserError("Segment header failed to decode", err)
 
@@ -748,8 +750,14 @@
             elif h == "Content-Type":
                 self.content_type, args = parse_options_header(v)
                 self.charset = args.get("charset")
-            elif h == "Content-Length" and v.isdecimal():
-                self._clen = int(v)
+            elif h == "Content-Length":
+                try:
+                    content_length = int(v)
+                    if content_length < 0 or str(content_length) != v:
+                        raise ValueError("Not an unsigned ASCII decimal")
+                    self._clen = content_length
+                except ValueError:
+                    pass # Will be an error in 1.4
 
         if self.name is None:
             raise ParserError("Missing Content-Disposition segment header")
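Review bot: An invalid `Content-Length` is swallowed by `except ValueError: pass`, so a segment with a malformed length is presumably parsed as if it had declared none, and the only hint is `# Will be an error in 1.4`. The round-trip test `str(content_length) != v` also rejects values with leading zeros such as `007`, which the previous `v.isdecimal()` branch accepted. If that is intended, the comment should say so, e.g. `# Malformed or non-canonical Content-Length (sign, whitespace, underscores, non-ASCII digits, leading zeros) is ignored for now; will raise ParserError in 1.4`. Raising and catching `ValueError` in the same block for control flow is harder to read than a direct test such as `if v.isascii() and v.isdigit():`, though that form would accept leading zeros again. The enclosing method starts and ends outside this hunk.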
