Bug#1105971: marked as done (bookworm-pu: package python-zipp/1.0.0-6+deb12u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1105971,
regarding bookworm-pu: package python-zipp/1.0.0-6+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1105971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105971
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: bookworm-pu: package python-zipp/1.0.0-6+deb12u1
• From: Moritz Muehlenhoff <jmm@debian.org>
• Date: Sun, 18 May 2025 12:31:05 +0200
• Message-id: <174756426551.8564.7010818209152932112.reportbug@hullmann.westfalen.local>

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: python-zipp@packages.debian.org
Control: affects -1 + src:python-zipp
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes one minor security issue, includes a backport of
the test case. Debdiff below.

Cheers,
        Moritz

diff -Nru python-zipp-1.0.0/debian/changelog python-zipp-1.0.0/debian/changelog
--- python-zipp-1.0.0/debian/changelog	2022-12-21 23:06:15.000000000 +0100
+++ python-zipp-1.0.0/debian/changelog	2025-05-18 00:34:40.000000000 +0200
@@ -1,3 +1,9 @@
+python-zipp (1.0.0-6+deb12u1) bookworm; urgency=medium
+
+  * CVE-2024-5569
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Sun, 18 May 2025 00:34:40 +0200
+
 python-zipp (1.0.0-6) unstable; urgency=medium
 
   * Team upload.
diff -Nru python-zipp-1.0.0/debian/patches/CVE-2024-5569.patch python-zipp-1.0.0/debian/patches/CVE-2024-5569.patch
--- python-zipp-1.0.0/debian/patches/CVE-2024-5569.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-zipp-1.0.0/debian/patches/CVE-2024-5569.patch	2025-05-18 00:34:25.000000000 +0200
@@ -0,0 +1,109 @@
+
+
+--- python-zipp-1.0.0.orig/test_zipp.py
++++ python-zipp-1.0.0/test_zipp.py
+@@ -196,3 +196,20 @@ class TestPath(unittest.TestCase):
+         for alpharep in self.zipfile_alpharep():
+             root = zipp.Path(alpharep)
+             assert (root / 'missing dir/').parent.at == ''
++
++    def test_malformed_paths(self):
++        """
++        Path should handle malformed paths.
++        """
++        data = io.BytesIO()
++        zf = zipfile.ZipFile(data, "w")
++        zf.writestr("/one-slash.txt", b"content")
++        zf.writestr("//two-slash.txt", b"content")
++        zf.writestr("../parent.txt", b"content")
++        zf.filename = ''
++        root = zipp.Path(zf)
++        assert list(map(str, root.iterdir())) == [
++            'one-slash.txt',
++            'two-slash.txt',
++            'parent.txt',
++        ]
+\ No newline at end of file
+--- python-zipp-1.0.0.orig/zipp.py
++++ python-zipp-1.0.0/zipp.py
+@@ -8,6 +8,7 @@ import posixpath
+ import zipfile
+ import functools
+ import itertools
++import re
+ 
+ import more_itertools
+ 
+@@ -54,7 +55,63 @@ def _ancestry(path):
+         yield path
+         path, tail = posixpath.split(path)
+ 
++class SanitizedNames:
++    """
++    ZipFile mix-in to ensure names are sanitized.
++    """
++
++    def namelist(self):
++        return list(map(self._sanitize, super().namelist()))
++
++    @staticmethod
++    def _sanitize(name):
++        r"""
++        Ensure a relative path with posix separators and no dot names.
++        Modeled after
++        https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813
++        but provides consistent cross-platform behavior.
++        >>> san = SanitizedNames._sanitize
++        >>> san('/foo/bar')
++        'foo/bar'
++        >>> san('//foo.txt')
++        'foo.txt'
++        >>> san('foo/.././bar.txt')
++        'foo/bar.txt'
++        >>> san('foo../.bar.txt')
++        'foo../.bar.txt'
++        >>> san('\\foo\\bar.txt')
++        'foo/bar.txt'
++        >>> san('D:\\foo.txt')
++        'D/foo.txt'
++        >>> san('\\\\server\\share\\file.txt')
++        'server/share/file.txt'
++        >>> san('\\\\?\\GLOBALROOT\\Volume3')
++        '?/GLOBALROOT/Volume3'
++        >>> san('\\\\.\\PhysicalDrive1\\root')
++        'PhysicalDrive1/root'
++        Retain any trailing slash.
++        >>> san('abc/')
++        'abc/'
++        Raises a ValueError if the result is empty.
++        >>> san('../..')
++        Traceback (most recent call last):
++        ...
++        ValueError: Empty filename
++        """
++
++        def allowed(part):
++            return part and part not in {'..', '.'}
+ 
++        # Remove the drive letter.
++        # Don't use ntpath.splitdrive, because that also strips UNC paths
++        bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE)
++        clean = bare.replace('\\', '/')
++        parts = clean.split('/')
++        joined = '/'.join(filter(allowed, parts))
++        if not joined:
++            raise ValueError("Empty filename")
++        return joined + '/' * name.endswith('/')
++    
+ class Path:
+     """
+     A pathlib-compatible interface for zip files.
+@@ -214,7 +271,7 @@ class Path:
+         return self._next(parent_at)
+ 
+     def _names(self):
+-        return self._add_implied_dirs(self.root.namelist())
++        return self._add_implied_dirs(list(map(SanitizedNames._sanitize, self.root.namelist())))
+ 
+     if sys.version_info < (3,):
+         __div__ = __truediv__
diff -Nru python-zipp-1.0.0/debian/patches/series python-zipp-1.0.0/debian/patches/series
--- python-zipp-1.0.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ python-zipp-1.0.0/debian/patches/series	2025-05-18 00:34:20.000000000 +0200
@@ -0,0 +1 @@
+CVE-2024-5569.patch

--- End Message ---

--- Begin Message ---

• To: 1086622-done@bugs.debian.org, 1098225-done@bugs.debian.org, 1098229-done@bugs.debian.org, 1098783-done@bugs.debian.org, 1100607-done@bugs.debian.org, 1100960-done@bugs.debian.org, 1101144-done@bugs.debian.org, 1102091-done@bugs.debian.org, 1102675-done@bugs.debian.org, 1102752-done@bugs.debian.org, 1103926-done@bugs.debian.org, 1103927-done@bugs.debian.org, 1104028-done@bugs.debian.org, 1104154-done@bugs.debian.org, 1104821-done@bugs.debian.org, 1104874-done@bugs.debian.org, 1104882-done@bugs.debian.org, 1105009-done@bugs.debian.org, 1105113-done@bugs.debian.org, 1105816-done@bugs.debian.org, 1105888-done@bugs.debian.org, 1105957-done@bugs.debian.org, 1105971-done@bugs.debian.org, 1105996-done@bugs.debian.org, 1106300-done@bugs.debian.org, 1106328-done@bugs.debian.org, 1106348-done@bugs.debian.org, 1106536-done@bugs.debian.org, 1106721-done@bugs.debian.org, 1106756-done@bugs.debian.org, 1106761-done@bugs.debian.org, 1106867-done@bugs.debian.org, 1107069-done@bugs.debian.org, 1107116-done@bugs.debian.org, 1107147-done@bugs.debian.org, 1107217-done@bugs.debian.org, 1107252-done@bugs.debian.org, 1107253-done@bugs.debian.org, 1107568-done@bugs.debian.org, 1107852-done@bugs.debian.org, 1107902-done@bugs.debian.org, 1108122-done@bugs.debian.org, 1108127-done@bugs.debian.org, 1108137-done@bugs.debian.org, 1108185-done@bugs.debian.org, 1108308-done@bugs.debian.org, 1108353-done@bugs.debian.org, 1108504-done@bugs.debian.org, 1108508-done@bugs.debian.org, 1108543-done@bugs.debian.org, 1108548-done@bugs.debian.org, 1108921-done@bugs.debian.org, 1109012-done@bugs.debian.org, 1109034-done@bugs.debian.org, 1109084-done@bugs.debian.org, 1109087-done@bugs.debian.org, 1109095-done@bugs.debian.org, 1109127-done@bugs.debian.org, 1109147-done@bugs.debian.org, 1109207-done@bugs.debian.org, 1109545-done@bugs.debian.org, 1109611-done@bugs.debian.org, 1109763-done@bugs.debian.org, 1109819-done@bugs.debian.org, 1109943-done@bugs.debian.org, 1109945-done@bugs.debian.org, 1109947-done@bugs.debian.org, 1109995-done@bugs.debian.org, 1110034-done@bugs.debian.org, 1110080-done@bugs.debian.org, 1110114-done@bugs.debian.org, 1110340-done@bugs.debian.org, 1110489-done@bugs.debian.org, 1110643-done@bugs.debian.org, 1110686-done@bugs.debian.org, 1110813-done@bugs.debian.org, 1111034-done@bugs.debian.org, 1111076-done@bugs.debian.org, 1111426-done@bugs.debian.org, 1111486-done@bugs.debian.org, 1111600-done@bugs.debian.org, 1111607-done@bugs.debian.org, 1111653-done@bugs.debian.org, 1111666-done@bugs.debian.org, 1111835-done@bugs.debian.org, 1111859-done@bugs.debian.org, 1111924-done@bugs.debian.org, 1111959-done@bugs.debian.org, 1111966-done@bugs.debian.org, 1111969-done@bugs.debian.org, 1111987-done@bugs.debian.org, 1111989-done@bugs.debian.org, 1112039-done@bugs.debian.org, 1112053-done@bugs.debian.org, 1112070-done@bugs.debian.org, 1112074-done@bugs.debian.org, 1112124-done@bugs.debian.org, 1112129-done@bugs.debian.org, 1112141-done@bugs.debian.org, 1112195-done@bugs.debian.org, 1112239-done@bugs.debian.org, 1112252-done@bugs.debian.org, 1112340-done@bugs.debian.org, 1112347-done@bugs.debian.org, 1112368-done@bugs.debian.org, 1112449-done@bugs.debian.org, 1112459-done@bugs.debian.org, 1112467-done@bugs.debian.org, 1112542-done@bugs.debian.org
• Subject: Closing p-u requests for fixes included in 12.12
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 06 Sep 2025 12:14:50 +0100
• Message-id: <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>

Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---