Your message dated Sat, 11 Jul 2026 10:42:31 +0000
with message-id <[email protected]>
and subject line Released in 12.15
has caused the Debian Bug report #1140575,
regarding bookworm-pu: package python-pyramid/2.0+dfsg-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140575: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140575
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python-pyramid
User: [email protected]
Usertags: pu

[ Reason ]
Fix CVE-2023-40587, a path traversal vulnerability affecting Pyramid
when running on Python 3.11.

[ Impact ]
The issue is limited in scope and only affects deployments using
filesystem-backed static views on vulnerable Python versions.

[ Tests ]
The package builds successfully and the upstream test suite passes.

[ Risks ]
Low. The update consists of the upstream fix for rejecting paths
containing NUL bytes during static path handling.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add upstream patch to fix CVE-2023-40587

[ Other info ]
The upload will be sponsored by Colin Watson.
diff -Nru python-pyramid-2.0+dfsg/debian/changelog 
python-pyramid-2.0+dfsg/debian/changelog
--- python-pyramid-2.0+dfsg/debian/changelog    2022-12-25 18:24:55.000000000 
+0000
+++ python-pyramid-2.0+dfsg/debian/changelog    2026-06-03 14:04:50.000000000 
+0000
@@ -1,3 +1,12 @@
+python-pyramid (2.0+dfsg-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * d/patches: (Closes: #1050740)
+    - CVE-2023-40587: Import and backport upstream patch
+      (Information disclosure via null-byte path traversal)
+
+ -- Matheus Polkorny <[email protected]>  Wed, 03 Jun 2026 11:04:50 -0300
+
 python-pyramid (2.0+dfsg-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch 
python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch
--- python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch 1970-01-01 
00:00:00.000000000 +0000
+++ python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch 2026-06-03 
14:04:50.000000000 +0000
@@ -0,0 +1,75 @@
+From: Tres Seaver <[email protected]>
+Date: Mon, 21 Aug 2023 14:43:12 -0400
+Subject: fix: reject NUL character as path element
+
+See: https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8
+
+Origin: upstream, 
https://github.com/Pylons/pyramid/commit/347d7750da6f45c7436dd0c31468885cc9343c85
+---
+ src/pyramid/static.py     | 10 +++++-----
+ tests/fixtures/index.html |  1 +
+ tests/test_static.py      | 13 +++++++++++++
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+ create mode 100644 tests/fixtures/index.html
+
+diff --git a/src/pyramid/static.py b/src/pyramid/static.py
+index 8b19c7b..4cabf1d 100644
+--- a/src/pyramid/static.py
++++ b/src/pyramid/static.py
+@@ -260,12 +260,12 @@ def _add_vary(response, option):
+     response.vary = vary
+ 
+ 
+-_seps = {'/', os.sep}
++_invalid_element_chars = {'/', os.sep, '\x00'}
+ 
+ 
+-def _contains_slash(item):
+-    for sep in _seps:
+-        if sep in item:
++def _contains_invalid_element_char(item):
++    for invalid_element_char in _invalid_element_chars:
++        if invalid_element_char in item:
+             return True
+ 
+ 
+@@ -279,7 +279,7 @@ def _secure_path(path_tuple):
+         # unless someone screws up the traversal_path code
+         # (request.subpath is computed via traversal_path too)
+         return None
+-    if any([_contains_slash(item) for item in path_tuple]):
++    if any([_contains_invalid_element_char(item) for item in path_tuple]):
+         return None
+     encoded = '/'.join(path_tuple)  # will be unicode
+     return encoded
+diff --git a/tests/fixtures/index.html b/tests/fixtures/index.html
+new file mode 100644
+index 0000000..a37df57
+--- /dev/null
++++ b/tests/fixtures/index.html
+@@ -0,0 +1 @@
++<h1>DON'T GO HERE</h1>
+diff --git a/tests/test_static.py b/tests/test_static.py
+index 3fc6586..29de0b8 100644
+--- a/tests/test_static.py
++++ b/tests/test_static.py
+@@ -104,6 +104,19 @@ class 
Test_static_view_use_subpath_False(unittest.TestCase):
+ 
+         self.assertRaises(HTTPNotFound, inst, context, request)
+ 
++    def test_oob_nul_char(self):
++        import os
++
++        inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static')
++        dds = '..\x00/'
++        request = self._makeRequest(
++            {'PATH_INFO': f'/{dds}'}
++        )
++        context = DummyContext()
++        from pyramid.httpexceptions import HTTPNotFound
++
++        self.assertRaises(HTTPNotFound, inst, context, request)
++
+     def test_resource_doesnt_exist(self):
+         inst = self._makeOne('tests:fixtures/static')
+         request = self._makeRequest({'PATH_INFO': '/notthere'})
diff -Nru python-pyramid-2.0+dfsg/debian/patches/series 
python-pyramid-2.0+dfsg/debian/patches/series
--- python-pyramid-2.0+dfsg/debian/patches/series       2022-12-25 
18:24:55.000000000 +0000
+++ python-pyramid-2.0+dfsg/debian/patches/series       2026-06-03 
14:04:50.000000000 +0000
@@ -1 +1,2 @@
 python-3.11
+CVE-2023-40587.patch

--- End Message ---
--- Begin Message ---
Version: 12.15

This update was released as part of 12.15.

--- End Message ---

Reply via email to