Your message dated Sat, 14 Mar 2026 11:48:36 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1130109,
regarding trixie-pu: package python-multipart/0.0.20-1.1~deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130109
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:python-multipart
User: [email protected]
Usertags: pu
Hi Stable release managers,
[ Reason ]
python-multipart in trixie was affected by CVE-2026-24486, fixed in
unstable a while back; TTBOMK there are no regression reports.
[ Impact ]
Arbitrary file writes, but via non-default configuration. So this did
not warrant a DSA. But it would still be good to make a fix in trixie.
If we are too late for the next one, the one after is fine as well.
[ Tests ]
Additional testing by taking advantage of debusine in
https://debusine.debian.net/debian/developers/work-request/491634/
The unstable upload did not expose a problem. I *did* not explicitly
test the PoC manually once again, as the test case is included.
[ Risks ]
Should be low, the fix is targeted to the problem and has a test case
added upstream to verify the change.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Extracts just the basename to avoid the traversal.
[ Other info ]
None, but again the upload is quite late for the point release, so
feel free to not accept it and consider it for the next point release
after.
Regards,
Salvatore
diff -Nru python-multipart-0.0.20/debian/changelog
python-multipart-0.0.20/debian/changelog
--- python-multipart-0.0.20/debian/changelog 2025-03-14 06:14:13.000000000
+0100
+++ python-multipart-0.0.20/debian/changelog 2026-03-08 19:08:51.000000000
+0100
@@ -1,3 +1,18 @@
+python-multipart (0.0.20-1.1~deb13u1) trixie; urgency=medium
+
+ * Rebuild for trixie
+
+ -- Salvatore Bonaccorso <[email protected]> Sun, 08 Mar 2026 19:08:51 +0100
+
+python-multipart (0.0.20-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Arbitrary file write via a non-default configuration (CVE-2026-24486)
+ (Closes: #1126557)
+ * chore: add return type on test
+
+ -- Salvatore Bonaccorso <[email protected]> Sun, 01 Feb 2026 16:22:52 +0100
+
python-multipart (0.0.20-1) unstable; urgency=medium
* New upstream release
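Review bot: the new top entry (0.0.20-1.1~deb13u1) says only "Rebuild for trixie", so anyone reading just the stable entry does not see that this upload carries the CVE-2026-24486 fix; that is acceptable because the 0.0.20-1.1 entry with "Arbitrary file write via a non-default configuration (CVE-2026-24486) (Closes: #1126557)" is carried along directly beneath it, but repeating the CVE id in the ~deb13u1 entry would make the stable changelog self-describing.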
diff -Nru python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch
python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch
--- python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch 1970-01-01
01:00:00.000000000 +0100
+++ python-multipart-0.0.20/debian/patches/CVE-2026-24486.patch 2026-03-08
19:08:14.000000000 +0100
@@ -0,0 +1,63 @@
+From: Marcelo Trylesinski <[email protected]>
+Date: Sun, 25 Jan 2026 10:37:09 +0100
+Subject: Merge commit from fork
+Origin:
https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4
+Bug-Debian: https://bugs.debian.org/1126557
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-24486
+
+---
+ python_multipart/multipart.py | 4 +++-
+ tests/test_file.py | 26 ++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 tests/test_file.py
+
+diff --git a/python_multipart/multipart.py b/python_multipart/multipart.py
+index 0cc4c82ebdf6..1489b7afd55d 100644
+--- a/python_multipart/multipart.py
++++ b/python_multipart/multipart.py
+@@ -375,7 +375,9 @@ class File:
+
+ # Split the extension from the filename.
+ if file_name is not None:
+- base, ext = os.path.splitext(file_name)
++ # Extract just the basename to avoid directory traversal
++ basename = os.path.basename(file_name)
++ base, ext = os.path.splitext(basename)
+ self._file_base = base
+ self._ext = ext
+
+diff --git a/tests/test_file.py b/tests/test_file.py
+new file mode 100644
+index 000000000000..4d65232e1ad3
+--- /dev/null
++++ b/tests/test_file.py
+@@ -0,0 +1,26 @@
++from pathlib import Path
++
++from python_multipart.multipart import File
++
++
++def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
++ upload_dir = tmp_path / "upload"
++ upload_dir.mkdir()
++
++ # When the file_name provided has a leading slash, we should only use the
basename.
++ # This is to avoid directory traversal.
++ to_upload = tmp_path / "foo.txt"
++
++ file = File(
++ bytes(to_upload),
++ config={
++ "UPLOAD_DIR": bytes(upload_dir),
++ "UPLOAD_KEEP_FILENAME": True,
++ "UPLOAD_KEEP_EXTENSIONS": True,
++ "MAX_MEMORY_FILE_SIZE": 10,
++ },
++ )
++ file.write(b"123456789012")
++ assert not file.in_memory
++ assert Path(upload_dir / "foo.txt").exists()
++ assert Path(upload_dir / "foo.txt").read_bytes() == b"123456789012"
+--
+2.51.0
+
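Review bot: the multipart.py change relies on os.path.basename(), which on Linux strips only "/"-separated directory components; that neutralises both an absolute file_name and one with "../" parts, so it is the right fix for Debian, but a name ending in a separator yields an empty basename and therefore an empty `base`, so it is worth confirming that the File class copes with an empty self._file_base. The added test exercises only the absolute-path case (bytes(to_upload) is tmp_path / "foo.txt"); a second case with a "../" component would document that the basename approach covers relative traversal as well.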
diff -Nru
python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch
python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch
---
python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch
1970-01-01 01:00:00.000000000 +0100
+++
python-multipart-0.0.20/debian/patches/chore-add-return-type-on-test-221.patch
2026-03-08 19:08:14.000000000 +0100
@@ -0,0 +1,25 @@
+From: Marcelo Trylesinski <[email protected]>
+Date: Sun, 25 Jan 2026 10:41:09 +0100
+Subject: chore: add return type on test (#221)
+Origin:
https://github.com/Kludex/python-multipart/commit/0fb59a9df0f273bfde99740b302ccb2ae45e2b8a
+
+---
+ tests/test_file.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test_file.py b/tests/test_file.py
+index 4d65232e1ad3..a2aa1348afdf 100644
+--- a/tests/test_file.py
++++ b/tests/test_file.py
+@@ -3,7 +3,7 @@ from pathlib import Path
+ from python_multipart.multipart import File
+
+
+-def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path):
++def test_upload_dir_with_leading_slash_in_filename(tmp_path: Path) -> None:
+ upload_dir = tmp_path / "upload"
+ upload_dir.mkdir()
+
+--
+2.51.0
+
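Review bot: this patch only adds a `-> None` annotation to the test and has no functional effect; carrying it is still justified because it keeps tests/test_file.py identical to upstream (index 4d65232e1ad3..a2aa1348afdf), so later upstream patches touching that file apply cleanly.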
diff -Nru python-multipart-0.0.20/debian/patches/series
python-multipart-0.0.20/debian/patches/series
--- python-multipart-0.0.20/debian/patches/series 2025-03-14
06:14:13.000000000 +0100
+++ python-multipart-0.0.20/debian/patches/series 2026-03-08
19:08:14.000000000 +0100
@@ -1 +1,3 @@
install-only-python_multipart.patch
+CVE-2026-24486.patch
+chore-add-return-type-on-test-221.patch
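Review bot: the order of the two new entries is correct and matters here: CVE-2026-24486.patch creates tests/test_file.py and chore-add-return-type-on-test-221.patch modifies that file, so reversing them would make the second patch fail to apply.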
--- End Message ---
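As an added illustration (not python-multipart's code and not part of the bug report), the shape of the fix described under [Changes]: a target-path computation that joins the client-supplied name directly, beside the basename-based form from the patch, plus a containment check a caller can apply on its own. The `vulnerable_target` join, the `/srv/upload` directory and the `-> None` handling of an empty basename are assumptions.

```python
import os

# Added example: models the pre-fix and post-fix handling of a client-supplied
# file name when UPLOAD_DIR / UPLOAD_KEEP_FILENAME style settings are in use.
# The exact pre-fix join is an assumption, not python-multipart's code.

def vulnerable_target(upload_dir: str, file_name: str) -> str:
    """Assumed pre-fix behaviour: os.path.join() discards upload_dir entirely
    when file_name is absolute, and leaves '..' components in place."""
    return os.path.normpath(os.path.join(upload_dir, file_name))

def fixed_target(upload_dir: str, file_name: str) -> str:
    """Post-fix behaviour mirroring the patch: reduce the name to its basename
    first, then splitext so the extension can still be kept."""
    basename = os.path.basename(file_name)
    base, ext = os.path.splitext(basename)
    if not base:
        # A name ending in a separator ("dir/") leaves nothing usable.
        raise ValueError("empty basename after stripping directory components")
    return os.path.join(upload_dir, base + ext)

def is_inside(upload_dir: str, target: str) -> bool:
    """Containment check independent of the library: the resolved target must
    share the resolved upload_dir as its common path prefix."""
    root = os.path.realpath(upload_dir)
    return os.path.commonpath([root, os.path.realpath(target)]) == root

def compare(upload_dir: str, file_name: str) -> dict:
    """Return both computations and whether each lands inside upload_dir."""
    before = vulnerable_target(upload_dir, file_name)
    after = fixed_target(upload_dir, file_name)
    return {
        "before": before,
        "before_inside": is_inside(upload_dir, before),
        "after": after,
        "after_inside": is_inside(upload_dir, after),
    }

if __name__ == "__main__":
    # Constructed sample names: an absolute path and a relative traversal.
    for name in ("/etc/foo.txt", "../../etc/foo.txt", "foo.txt"):
        print(name, compare("/srv/upload", name))
```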
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---