Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:python-multipart
User: [email protected]
Usertags: pu
hi Stable release managers,

[ Reason ]
python-multipart in trixie was affected by CVE-2026-24486, fixed in unstable a while back, TTBOMK no regression reports.

[ Impact ]
Arbitrary file writes, but via non-default configuration. So this did not warrant a DSA. But it would still be good to make a fix in trixie. If we are too late for the next one, the one after is fine as well.

[ Tests ]
Additional testing by taking advantage of debusine in https://debusine.debian.net/debian/developers/work-request/491634/
The unstable upload did not expose a problem. I *did* not explicitly test once again the poc manually as the test case is included.

[ Risks ]
Should be low, the fix is targeted to the problem and has a test case added upstream to verify the change.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Extracts just the basename to avoid the traversal.

[ Other info ]
None, but again the upload is quite late for the point release, so feel free to not accept it and consider it for the next point release after.

Regards,
Salvatore
diff -Nru python-multipart-0.0.20/debian/changelog python-multipart-0.0.20/debian/changelog --- python-multipart-0.0.20/debian/changelog 2025-03-14 06:14:13.000000000 +0100 +++ python-multipart-0.0.20/debian/changelog 2026-03-08 19:08:51.000000000 +0100 @@ -1,3 +1,18 @@ +python-multipart (0.0.20-1.1~deb13u1) trixie; urgency=medium + + * Rebuild for trixie + + -- Salvatore Bonaccorso <[email protected]> Sun, 08 Mar 2026 19:08:51 +0100 + +python-multipart (0.0.20-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Arbitrary file write via a non-default configuration (CVE-2026-24486) + (Closes: #1126557) + * chore: add return type on test + + -- Salvatore Bonaccorso <[email protected]> Sun, 01 Feb 2026 16:22:52 +0100 + python-multipart (0.0.20-1) unstable; urgency=medium * New upstream release diff -Nru python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch --- python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch 2026-03-08 19:08:14.000000000 +0100 
@@ -0,0 +1,63 @@ +From: Marcelo Trylesinski <[email protected]> +Date: Sun, 25 Jan 2026 10:37:09 +0100 +Subject: Merge commit from fork +Origin: https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4 +Bug-Debian: https://bugs.debian.org/1126557 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-24486 + +--- + python_multipart/multipart.py | 4 +++- + tests/test_file.py | 26 ++++++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 1 deletion(-) + create mode 100644 tests/test_file.py + +diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py +index 0cc4c82ebdf6..1489b7afd55d 100644 +--- a/python_multipart/multipart.py ++++ b/python_multipart/multipart.py +@@ -375,7 +375,9 @@ class File: + + # Split the extension from the filename. + if file_name is not None: +- base, ext = os.path.splitext(file_name) ++ # Extract just the basename to avoid directory traversal ++ basename = os.path.basename(file_name) ++ base, ext = os.path.splitext(basename) + self._file_base = base + self._ext = ext + +diff --git a/tests/test_file.py b/tests/test_file.py +new file mode 100644 +index 000000000000..4d65232e1ad3 +--- /dev/null ++++ b/tests/test_file.py +@@ -0,0 +1,26 @@ ++from pathlib import Path ++ ++from python_multipart.multipart import File ++ ++ ++def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path): ++ upload_dir = tmp_path / "upload" ++ upload_dir.mkdir() ++ ++ # When the file_name provided has a leading slash, we should only use the basename. ++ # This is to avoid directory traversal. 
++ to_upload = tmp_path / "foo.txt" ++ ++ file = File( ++ bytes(to_upload), ++ config={ ++ "UPLOAD_DIR": bytes(upload_dir), ++ "UPLOAD_KEEP_FILENAME": True, ++ "UPLOAD_KEEP_EXTENSIONS": True, ++ "MAX_MEMORY_FILE_SIZE": 10, ++ }, ++ ) ++ file.write(b"123456789012") ++ assert not file.in_memory ++ assert Path(upload_dir / "foo.txt").exists() ++ assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012" +-- +2.51.0 + diff -Nru python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch --- python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch 2026-03-08 19:08:14.000000000 +0100 @@ -0,0 +1,25 @@ +From: Marcelo Trylesinski <[email protected]> +Date: Sun, 25 Jan 2026 10:41:09 +0100 +Subject: chore: add return type on test (#221) +Origin: https://github.com/Kludex/python-multipart/commit/0fb59a9df0f273bfde99740b302ccb2ae45e2b8a + +--- + tests/test_file.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test_file.py b/tests/test_file.py +index 4d65232e1ad3..a2aa1348afdf 100644 +--- a/tests/test_file.py ++++ b/tests/test_file.py +@@ -3,7 +3,7 @@ from pathlib import Path + from python_multipart.multipart import File + + +-def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path): ++def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path) -> None: + upload_dir = tmp_path / "upload" + upload_dir.mkdir() + +-- +2.51.0 + diff -Nru python-multipart-0.0.20/debian/patches/series python-multipart-0.0.20/debian/patches/series --- python-multipart-0.0.20/debian/patches/series 2025-03-14 06:14:13.000000000 +0100 +++ python-multipart-0.0.20/debian/patches/series 2026-03-08 19:08:14.000000000 +0100 
@@ -1 +1,3 @@ install-only-python_multipart.patch +CVE-2026-24486.patch +chore-add-return-type-on-test-221.patch
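Review bot: the `os.path.basename()` guard in the `python_multipart/multipart.py` hunk still lets two degenerate values through: `os.path.basename("..")` is `".."` and `os.path.basename("dir/")` is `""`, so with `UPLOAD_KEEP_FILENAME` enabled the derived name can still resolve to the upload directory itself or its parent rather than to a file inside it. Consider rejecting an empty, `.` or `..` basename directly after the `basename = os.path.basename(file_name)` line and falling back to the generated temporary name in that case.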
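Review bot: `test_upload_dir_with_leading_slash_in_filename` in the `tests/test_file.py` hunk covers only the absolute-path case (`bytes(to_upload)` is `tmp_path / "foo.txt"`); the relative `..`-prefixed form that the same `basename()` change neutralises, and a name whose basename is empty, have no test. A `pytest.mark.parametrize` over a few such names, each asserting that the written file exists only under `upload_dir`, would pin the behaviour down for the stable update.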

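As an added illustration (not code from the bug report, the Debian package or upstream), the model below re-creates the filename derivation the patch changes and shows, for a few constructed names, where an upload would land before and after the basename fix. The join step and the UPLOAD_DIR value are assumptions; the is_inside and safe_upload_name helpers are extra checks that are not part of the patch.

```python
import posixpath
from typing import Optional

# Constructed model of how a File derives its on-disk path when
# UPLOAD_KEEP_FILENAME and UPLOAD_KEEP_EXTENSIONS are enabled. Only the
# splitext()/basename() lines mirror the patch hunk; the join step and the
# UPLOAD_DIR value are assumptions for illustration, not the project's code.
UPLOAD_DIR = "/srv/app/uploads"


def upload_path_before_fix(file_name: str) -> str:
    # Pre-fix: splitext() keeps any directory part of the client-supplied name.
    base, ext = posixpath.splitext(file_name)
    return posixpath.join(UPLOAD_DIR, base + ext)


def upload_path_after_fix(file_name: str) -> str:
    # Fixed: reduce the name to its last path component first, as the patch does.
    base, ext = posixpath.splitext(posixpath.basename(file_name))
    return posixpath.join(UPLOAD_DIR, base + ext)


def is_inside(path: str, root: str) -> bool:
    # Defensive check: after normalisation the path must be a strict child of root.
    root_n, path_n = posixpath.normpath(root), posixpath.normpath(path)
    return path_n != root_n and posixpath.commonpath([root_n, path_n]) == root_n


def safe_upload_name(file_name: str) -> Optional[str]:
    # Extra guard (not in the patch): basename() still yields "" for "dir/" and
    # ".." for "..", neither of which names a file inside UPLOAD_DIR.
    name = posixpath.basename(file_name)
    return None if name in ("", ".", "..") else name


if __name__ == "__main__":
    # Constructed sample names: a plain name, an absolute path like the upstream
    # test uses, a relative traversal, and the two degenerate basenames.
    for name in ("report.txt", "/tmp/foo.txt", "../../outside.txt", "..", "dir/"):
        before, after = upload_path_before_fix(name), upload_path_after_fix(name)
        print(f"{name!r:22} before={before!r:36} inside={is_inside(before, UPLOAD_DIR)}")
        print(f"{'':22} after ={after!r:36} inside={is_inside(after, UPLOAD_DIR)}")
        print(f"{'':22} safe_upload_name -> {safe_upload_name(name)!r}")
```

Note that the fixed derivation alone still maps ".." and "dir/" to the directory itself or its parent, which is why the extra safe_upload_name guard is shown alongside it.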
