• unblock: starlette/0.46.1-3

    From Piotr Ożarowski@21:1/5 to All on Mon Jul 28 21:30:01 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: [email protected]
    Control: affects -1 + src:starlette
    User: [email protected]
    Usertags: unblock

    Please unblock package starlette

    This upload fixes CVE-2025-54121. The fix is taken from upstream
    repository [1] (also released as 0.47.2).

    I'm attaching 0002-fix-cve-2024-28849-async-write.patch. More than half
    of this patch contains tests for the fix. The debdiff with changes from
    package in testing contains also wrongly indented (sorry, fixed in git
    already) debian/changelog and cosmetic changes in an older patch
    (made by `gbp pq export` and not touching the source code).


    unblock starlette/0.46.1-3

    [1] https://github.com/encode/starlette/commit/9f7ec2eb512fcc3fe90b43cb9dd9e1d08696bec1

    Content-Type: text/x-diff; charset=us-ascii
    Content-Disposition: attachment; filename="0002-fix-cve-2024-28849-async-write.patch"
    Content-Transfer-Encoding: quoted-printable

    From: Yang Wang <[email protected]>
    Date: Mon, 28 Jul 2025 11:41:09 +0200
    Subject: fix-cve-2024-28849-async-write

    Fix CVE-2025-54121: Avoid event loop blocking during multipart file uploads
    by writing to disk using thread pool to prevent synchronous blocking when SpooledTemporaryFile rolls over to disk. (Closes: #1109805)
    ---
    starlette/datastructures.py | 22 +++++++++++++---
    tests/test_formparsers.py | 63 ++++++++++++++++++++++++++++++++++++++++++++-
    2 files changed, 80 insertions(+), 5 deletions(-)

    diff --git a/starlette/datastructures.py b/starlette/datastructures.py
    index f5d74d2..9957090 100644
    --- a/starlette/datastructures.py
    +++ b/starlette/datastructures.py
    @@ -424,6 +424,10 @@ class UploadFile:
    self.size = size
    self.headers = headers or Headers()

    + # Capture max size from SpooledTemporaryFile if one is provided. This slightly speeds up future checks.
    + # Note 0 means unlimited mirroring SpooledTemporaryFile's __init__
    + self._max_mem_size = getattr(self.file, "_max_size", 0)
    +
    @property
    def content_type(self) -> str | None:
    return self.headers.get("content-type", None)
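Review bot: the new `self._max_mem_size = getattr(self.file, "_max_size", 0)` line reads a private attribute of CPython's `tempfile.SpooledTemporaryFile`, so the comment above it should say that this is an implementation detail and that the fallback value applies whenever `file` is not a spooled file at all. Note also that the fallback of 0 (unlimited, per the comment) points the opposite way from the existing `_in_memory` check a few lines below, whose `getattr(self.file, "_rolled", True)` fallback treats an unknown file object as already on disk; whatever `_will_roll` returns for such objects should agree with `_in_memory`, otherwise writes to a plain file object may stay on the synchronous path. The comment line itself would read more clearly as `# Note: 0 means unlimited, mirroring SpooledTemporaryFile's __init__`.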
    @@ -434,14 +438,24 @@ class UploadFile:
    rolled_to_disk = getattr(self.file, "_rolled", True)
    return not rolled_to_disk

    + def _will_roll(self
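The blocking-write problem that the commit message describes, shown as an added illustration that is not part of this bug report or of the starlette patch: a spooled upload buffer that detects when the next write would make `SpooledTemporaryFile` roll over to disk and offloads that write (and every later one) to a worker thread via `asyncio.to_thread`, so the event loop is not stalled by disk I/O. The `SpooledUpload` class, its `_will_roll` threshold logic, the `offloaded_writes` counter and the `upload_demo`/`run_demo` helpers are constructed for this example; only the private `_rolled` and `_max_size` attribute names are taken from the patch above and depend on CPython's `tempfile` internals.

```python
import asyncio
from tempfile import SpooledTemporaryFile


class SpooledUpload:
    """Minimal upload wrapper constructed for this example (not starlette's UploadFile)."""

    def __init__(self, max_mem_size: int = 1024) -> None:
        self.file = SpooledTemporaryFile(max_size=max_mem_size)
        # 0 means unlimited, mirroring SpooledTemporaryFile's own convention.
        self._max_mem_size = max_mem_size
        self.size = 0
        self.offloaded_writes = 0  # how many writes went through the thread pool

    @property
    def in_memory(self) -> bool:
        # _rolled is a private CPython attribute; an unknown file object counts as on disk.
        return not getattr(self.file, "_rolled", True)

    def _will_roll(self, nbytes: int) -> bool:
        # SpooledTemporaryFile rolls over once the buffer position exceeds max_size,
        # copying everything to a real temp file on disk (a synchronous operation).
        if self._max_mem_size == 0:
            return False
        return self.size + nbytes > self._max_mem_size

    async def write(self, data: bytes) -> None:
        if not self.in_memory or self._will_roll(len(data)):
            # Disk-bound write: run it in a worker thread so the loop keeps serving requests.
            await asyncio.to_thread(self.file.write, data)
            self.offloaded_writes += 1
        else:
            # Pure in-memory write: cheap, safe to do inline.
            self.file.write(data)
        self.size += len(data)

    async def read(self) -> bytes:
        # The buffer may be on disk by now, so reads are offloaded as well.
        await asyncio.to_thread(self.file.seek, 0)
        return await asyncio.to_thread(self.file.read)

    async def close(self) -> None:
        await asyncio.to_thread(self.file.close)


async def upload_demo(chunks: list[bytes], max_mem_size: int = 16):
    """Write the chunks in order; return per-chunk in_memory state, offload count and content."""
    upload = SpooledUpload(max_mem_size)
    states = []
    for chunk in chunks:
        await upload.write(chunk)
        states.append(upload.in_memory)
    content = await upload.read()
    await upload.close()
    return states, upload.offloaded_writes, content


def run_demo():
    # Constructed input: three 8-byte chunks against a 16-byte memory limit.
    # The third write pushes the buffer past max_size, so only it is offloaded.
    return asyncio.run(upload_demo([b"a" * 8, b"b" * 8, b"c" * 8], max_mem_size=16))


if __name__ == "__main__":
    print(run_demo())
```

With a 16-byte limit the first two writes stay in memory and run inline; the third one is the write that triggers the rollover, so it is the first to go through the thread pool, and the buffer reports itself as rolled afterwards. Any write after a rollover is disk-bound and stays on the offloaded path.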