Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:python-pyramid
User: [email protected]
Usertags: pu

[ Reason ]
Fix CVE-2023-40587, a path traversal vulnerability affecting Pyramid
when running on Python 3.11.

[ Impact ]
The issue is limited in scope and only affects deployments using
filesystem-backed static views on vulnerable Python versions.

[ Tests ]
The package builds successfully and the upstream test suite passes.

[ Risks ]
Low. The update consists of the upstream fix for rejecting paths
containing NUL bytes during static path handling.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Add upstream patch to fix CVE-2023-40587

[ Other info ]
The upload will be sponsored by Colin Watson.

diff -Nru python-pyramid-2.0+dfsg/debian/changelog 
python-pyramid-2.0+dfsg/debian/changelog
--- python-pyramid-2.0+dfsg/debian/changelog    2022-12-25 18:24:55.000000000 
+0000
+++ python-pyramid-2.0+dfsg/debian/changelog    2026-06-03 14:04:50.000000000 
+0000
@@ -1,3 +1,12 @@
+python-pyramid (2.0+dfsg-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * d/patches: (Closes: #1050740)
+    - CVE-2023-40587: Import and backport upstream patch
+      (Information disclosure via null-byte path traversal)
+
+ -- Matheus Polkorny <[email protected]>  Wed, 03 Jun 2026 11:04:50 -0300
+
 python-pyramid (2.0+dfsg-2) unstable; urgency=medium
 
   * Team upload.
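Review bot: the changelog bullet does not say why a bookworm update is warranted; the [Reason] section limits the bug to Pyramid running on Python 3.11, and the series file already carries a python-3.11 patch, so state that exposure in the entry itself, e.g. `(Information disclosure via null-byte path traversal on Python 3.11)`, and consider citing the upstream advisory id GHSA-j8g2-6fc7-q8f8 from the patch header so a reader of the changelog alone can find it.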
diff -Nru python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch 
python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch
--- python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch 1970-01-01 
00:00:00.000000000 +0000
+++ python-pyramid-2.0+dfsg/debian/patches/CVE-2023-40587.patch 2026-06-03 
14:04:50.000000000 +0000
@@ -0,0 +1,75 @@
+From: Tres Seaver <[email protected]>
+Date: Mon, 21 Aug 2023 14:43:12 -0400
+Subject: fix: reject NUL character as path element
+
+See: https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8
+
+Origin: upstream, 
https://github.com/Pylons/pyramid/commit/347d7750da6f45c7436dd0c31468885cc9343c85
+---
+ src/pyramid/static.py     | 10 +++++-----
+ tests/fixtures/index.html |  1 +
+ tests/test_static.py      | 13 +++++++++++++
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+ create mode 100644 tests/fixtures/index.html
+
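Review bot: the DEP-3 header mixes a free-form `See:` line with standard fields; rename it to `Bug: https://github.com/Pylons/pyramid/security/advisories/GHSA-j8g2-6fc7-q8f8` and add `Bug-Debian: https://bugs.debian.org/1050740` (the bug closed in the changelog), so tooling that parses DEP-3 headers links the patch to both trackers. `Origin: upstream, <commit URL>` is correct as written.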
+diff --git a/src/pyramid/static.py b/src/pyramid/static.py
+index 8b19c7b..4cabf1d 100644
+--- a/src/pyramid/static.py
++++ b/src/pyramid/static.py
+@@ -260,12 +260,12 @@ def _add_vary(response, option):
+     response.vary = vary
+ 
+ 
+-_seps = {'/', os.sep}
++_invalid_element_chars = {'/', os.sep, '\x00'}
+ 
+ 
+-def _contains_slash(item):
+-    for sep in _seps:
+-        if sep in item:
++def _contains_invalid_element_char(item):
++    for invalid_element_char in _invalid_element_chars:
++        if invalid_element_char in item:
+             return True
+ 
+ 
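Review bot: `_contains_invalid_element_char` still falls off the end with an implicit `None` when nothing matches, exactly like the `_contains_slash` it replaces; that works because the caller only tests truthiness, but an explicit `return False` (or `return any(c in item for c in _invalid_element_chars)`) would make the contract obvious to the next backporter. Adding `'\x00'` to the set is the substance of the fix: every path element is tested before the elements are joined, so a NUL never reaches the filesystem layer where the Python 3.11 behaviour described in [Reason] comes into play.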
+@@ -279,7 +279,7 @@ def _secure_path(path_tuple):
+         # unless someone screws up the traversal_path code
+         # (request.subpath is computed via traversal_path too)
+         return None
+-    if any([_contains_slash(item) for item in path_tuple]):
++    if any([_contains_invalid_element_char(item) for item in path_tuple]):
+         return None
+     encoded = '/'.join(path_tuple)  # will be unicode
+     return encoded
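Review bot: `any([... for item in path_tuple])` builds the whole list before `any` runs, so every element is scanned even after the first bad one; `any(_contains_invalid_element_char(item) for item in path_tuple)` would short-circuit. That is a pre-existing style issue rather than part of the CVE fix, so keeping the hunk identical to upstream, as done here, is the right choice for a stable update; note it for the next upstream sync instead.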
+diff --git a/tests/fixtures/index.html b/tests/fixtures/index.html
+new file mode 100644
+index 0000000..a37df57
+--- /dev/null
++++ b/tests/fixtures/index.html
+@@ -0,0 +1 @@
++<h1>DON'T GO HERE</h1>
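Review bot: the fixture lives at `tests/fixtures/index.html`, one level above the `tests/fixtures/static` root that the new test serves, so it is precisely the file a successful `..` traversal from that root would expose; its contents are chosen to be unmistakable if a response body ever leaks it. Since the test asserts on the exception type rather than on the body, the fixture only matters if the check regresses, which is the intended role of a canary.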
+diff --git a/tests/test_static.py b/tests/test_static.py
+index 3fc6586..29de0b8 100644
+--- a/tests/test_static.py
++++ b/tests/test_static.py
+@@ -104,6 +104,19 @@ class 
Test_static_view_use_subpath_False(unittest.TestCase):
+ 
+         self.assertRaises(HTTPNotFound, inst, context, request)
+ 
++    def test_oob_nul_char(self):
++        import os
++
++        inst = self._makeOne(f'{os.getcwd()}/tests/fixtures/static')
++        dds = '..\x00/'
++        request = self._makeRequest(
++            {'PATH_INFO': f'/{dds}'}
++        )
++        context = DummyContext()
++        from pyramid.httpexceptions import HTTPNotFound
++
++        self.assertRaises(HTTPNotFound, inst, context, request)
++
+     def test_resource_doesnt_exist(self):
+         inst = self._makeOne('tests:fixtures/static')
+         request = self._makeRequest({'PATH_INFO': '/notthere'})
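Review bot: `self._makeOne(f'{os.getcwd()}/tests/fixtures/static')` ties the test to the working directory being the source root, whereas the neighbouring tests use the asset spec `'tests:fixtures/static'`. The absolute path is deliberate, since [Impact] limits the bug to filesystem-backed static views and an asset spec would take a different root, but deriving it from `__file__` (e.g. `os.path.join(os.path.dirname(__file__), 'fixtures', 'static')`) would keep that intent without depending on the cwd. The assertion itself is right: the element `..\x00` is not literally `..`, so the traversal code mentioned in the static.py hunk comment does not collapse it, the new check makes `_secure_path` return None, and the view answers with HTTPNotFound.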
diff -Nru python-pyramid-2.0+dfsg/debian/patches/series 
python-pyramid-2.0+dfsg/debian/patches/series
--- python-pyramid-2.0+dfsg/debian/patches/series       2022-12-25 
18:24:55.000000000 +0000
+++ python-pyramid-2.0+dfsg/debian/patches/series       2026-06-03 
14:04:50.000000000 +0000
@@ -1 +1,2 @@
 python-3.11
+CVE-2023-40587.patch
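Review bot: the new patch is appended after `python-3.11`, so it is applied on top of the 3.11 compatibility patch; given that the fix only matters under Python 3.11 per [Reason], that is the right order, but verify with `quilt push -a` that CVE-2023-40587.patch applies without fuzz in case the earlier patch also touches src/pyramid/static.py, rather than relying on the build success reported in [Tests] alone.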
