Details: https://nvd.nist.gov/vuln/detail/CVE-2026-24486
Pick the patch that is referenced by the NVD advisory. Ptests passed successfully: Testsuite summary TOTAL: 121 PASS: 121 SKIP: 0 XFAIL: 0 FAIL: 0 XPASS: 0 ERROR: 0 DURATION: 2 Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 .../CVE-2026-24486.patch | 61 +++++++++++++++++++
 .../python/python3-python-multipart_0.0.20.bb | 1 +
 2 files changed, 62 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch
diff --git a/meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch b/meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch
new file mode 100644
index 0000000000..110737a761
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-python-multipart/CVE-2026-24486.patch
@@ -0,0 +1,61 @@
+From 1194f169d7f6db3b518c40ef703135ffc4015ebe Mon Sep 17 00:00:00 2001
+From: Marcelo Trylesinski <[email protected]>
+Date: Sun, 25 Jan 2026 10:37:09 +0100
+Subject: [PATCH] Merge commit from fork
+
+CVE: CVE-2026-24486
+Upstream-Status: Backport [https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ python_multipart/multipart.py | 4 +++-
+ tests/test_file.py | 26 ++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 tests/test_file.py
+
+diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
+index f26a815..7168c96 100644
+--- a/python_multipart/multipart.py
++++ b/python_multipart/multipart.py
+@@ -376,7 +376,9 @@ class File:
+ 
+ # Split the extension from the filename.
+ if file_name is not None:
+- base, ext = os.path.splitext(file_name)
++ # Extract just the basename to avoid directory traversal
++ basename = os.path.basename(file_name)
++ base, ext = os.path.splitext(basename)
+ self._file_base = base
+ self._ext = ext
+ 
+diff --git a/tests/test_file.py b/tests/test_file.py
+new file mode 100644
+index 0000000..4d65232
+--- /dev/null
++++ b/tests/test_file.py
+@@ -0,0 +1,26 @@
++from pathlib import Path
++
++from python_multipart.multipart import File
++
++
++def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
++ upload_dir = tmp_path / "upload"
++ upload_dir.mkdir()
++
++ # When the file_name provided has a leading slash, we should only use the basename.
++ # This is to avoid directory traversal.
++ to_upload = tmp_path / "foo.txt"
++
++ file = File(
++ bytes(to_upload),
++ config={
++ "UPLOAD_DIR": bytes(upload_dir),
++ "UPLOAD_KEEP_FILENAME": True,
++ "UPLOAD_KEEP_EXTENSIONS": True,
++ "MAX_MEMORY_FILE_SIZE": 10,
++ },
++ )
++ file.write(b"123456789012")
++ assert not file.in_memory
++ assert Path(upload_dir / "foo.txt").exists()
++ assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"
diff --git a/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb b/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb
index 71f9674ec8..fcb04bac04 100644
--- a/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb
+++ b/meta-python/recipes-devtools/python/python3-python-multipart_0.0.20.bb
@@ -2,6 +2,7 @@ SUMMARY = "A streaming multipart parser for Python"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3d98f0d58b28321924a89ab60c82410e"
+SRC_URI += "file://CVE-2026-24486.patch"
 SRC_URI[sha256sum] = "8dd0cab45b8e23064ae09147625994d090fa46f5b0d1e13af944c331a7fa9d13"
 inherit pypi python_hatchling ptest-python-pytest
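Review bot: The new tests/test_file.py only exercises an absolute file name (`bytes(to_upload)` resolves to `<tmp_path>/foo.txt`), so the relative `../foo.txt` shape that the same `os.path.basename` call in multipart.py also collapses is never checked, and a regression in that one line would still pass the 121-test ptest run. Parametrizing the test over both shapes would pin the contract, e.g. `@pytest.mark.parametrize("name", [b"foo.txt", b"../foo.txt"])` plus the existing absolute form built from tmp_path, each asserting the upload lands at `upload_dir / "foo.txt"`. It is also worth confirming, outside this hunk, what `File` does when `os.path.basename` yields an empty name (a file_name ending in a separator): the patched lines then assign an empty `self._file_base`, and whether a generated name is used afterwards is not visible here. The `File` class around line 376 of multipart.py begins and ends outside the hunk.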
