Version in base suite: 0.12.15-2+deb10u1
Base version: python-bottle_0.12.15-2+deb10u1
Target version: python-bottle_0.12.15-2+deb10u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/p/python-bottle/python-bottle_0.12.15-2+deb10u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/p/python-bottle/python-bottle_0.12.15-2+deb10u2.dsc
changelog | 6 ++++++
patches/CVE-2022-31799.patch | 40 ++++++++++++++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 47 insertions(+)
diff -Nru python-bottle-0.12.15/debian/changelog python-bottle-0.12.15/debian/changelog
--- python-bottle-0.12.15/debian/changelog 2021-01-28 14:52:22.000000000 +0000
+++ python-bottle-0.12.15/debian/changelog 2022-06-08 17:22:05.000000000 +0000
@@ -1,3 +1,9 @@
+python-bottle (0.12.15-2+deb10u2) buster-security; urgency=medium
+
+ * CVE-2022-31799
+
+ -- Moritz Muehlenhoff Wed, 08 Jun 2022 19:22:05 +0200
+
 python-bottle (0.12.15-2+deb10u1) buster; urgency=high
 * Non-maintainer upload by the Security team.
diff -Nru python-bottle-0.12.15/debian/patches/CVE-2022-31799.patch python-bottle-0.12.15/debian/patches/CVE-2022-31799.patch
--- python-bottle-0.12.15/debian/patches/CVE-2022-31799.patch 1970-01-01 00:00:00.000000000 +0000
+++ python-bottle-0.12.15/debian/patches/CVE-2022-31799.patch 2022-06-08 17:20:54.000000000 +0000
@@ -0,0 +1,40 @@
+From e140e1b54da721a660f2eb9d58a106b7b3ff2f00 Mon Sep 17 00:00:00 2001
+From: Marcel Hellkamp
+Date: Thu, 26 May 2022 14:49:32 +0200
+Subject: [PATCH] Gracefully handle errors during early request binding.
+
+---
+ bottle.py | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/bottle.py b/bottle.py
+index 04ccf7da..035f99ec 100644
+--- a/bottle.py
++++ b/bottle.py
+@@ -848,17 +848,19 @@ def default_error_handler(self, res):
+ return tob(template(ERROR_PAGE_TEMPLATE, e=res))
+
+ def _handle(self, environ):
+- path = environ['bottle.raw_path'] = environ['PATH_INFO']
+- if py3k:
+- try:
+- environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
+- except UnicodeError:
+- return HTTPError(400, 'Invalid path string. Expected UTF-8')
+-
+ try:
++
+ environ['bottle.app'] = self
+ request.bind(environ)
+ response.bind()
++
++ path = environ['bottle.raw_path'] = environ['PATH_INFO']
++ if py3k:
++ try:
++ environ['PATH_INFO'] = path.encode('latin1').decode('utf8')
++ except UnicodeError:
++ return HTTPError(400, 'Invalid path string. Expected UTF-8')
++
+ try:
+ self.trigger_hook('before_request')
+ route, args = self.router.match(environ)
diff -Nru python-bottle-0.12.15/debian/patches/series python-bottle-0.12.15/debian/patches/series
--- python-bottle-0.12.15/debian/patches/series 2021-01-28 14:51:33.000000000 +0000
+++ python-bottle-0.12.15/debian/patches/series 2022-06-08 17:21:42.000000000 +0000
@@ -1,3 +1,4 @@
 0001-Remove-bottle.py-from-scripts.patch
 0002-Add-CLI-manpage.patch
 CVE-2020-28473.patch
+CVE-2022-31799.patch
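Review bot: The reordering in the embedded bottle.py hunk runs `request.bind(environ)` before `environ['PATH_INFO']` is re-decoded from latin1 to utf8, so the fix is only correct if `Request` reads `PATH_INFO` lazily from the bound environ rather than snapshotting it at bind time; that is plausible for bottle's property-based accessors but should be confirmed against `Request.bind` and `Request.path`, which lie outside this hunk. The enclosing `_handle` method, including the `except` clauses that are supposed to turn a failure during binding or path decoding into an error response, also continues past the end of the quoted hunk, so the "graceful" behaviour in the subject line cannot be verified from this diff alone. Since the patch is shipped with only its git headers, a DEP-3 line such as `Origin: upstream, e140e1b54da721a660f2eb9d58a106b7b3ff2f00` plus a `Bug:` reference for CVE-2022-31799 would make the provenance traceable from debian/patches without consulting the changelog.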