Version in base suite: 6.0.1-1 Base version: jaraco.context_6.0.1-1 Target version: jaraco.context_6.0.1-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/j/jaraco.context/jaraco.context_6.0.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/j/jaraco.context/jaraco.context_6.0.1-1+deb13u1.dsc .gitlab-ci.yml | 2 +- changelog | 7 +++++++ patches/01_path_traversal.diff | 34 ++++++++++++++++++++++++++++++++++ patches/series | 1 + 4 files changed, 43 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnk0e0mtp/jaraco.context_6.0.1-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpnk0e0mtp/jaraco.context_6.0.1-1+deb13u1.dsc: no acceptable signature found
diff -Nru jaraco.context-6.0.1/debian/.gitlab-ci.yml jaraco.context-6.0.1/debian/.gitlab-ci.yml
--- jaraco.context-6.0.1/debian/.gitlab-ci.yml 2025-03-04 10:59:04.000000000 +0000
+++ jaraco.context-6.0.1/debian/.gitlab-ci.yml 2026-01-23 09:58:31.000000000 +0000
@@ -3,4 +3,4 @@
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 variables:
- RELEASE: 'unstable'
+ RELEASE: 'trixie'
diff -Nru jaraco.context-6.0.1/debian/changelog jaraco.context-6.0.1/debian/changelog
--- jaraco.context-6.0.1/debian/changelog 2025-03-04 11:00:00.000000000 +0000
+++ jaraco.context-6.0.1/debian/changelog 2026-01-23 09:59:16.000000000 +0000
@@ -1,3 +1,10 @@
+jaraco.context (6.0.1-1+deb13u1) trixie; urgency=medium
+
+ * Backport the upstream security fix to prevent a path traversal
+ issue. (CVE-2026-23949)
+
+ -- Jeroen Ploemen Fri, 23 Jan 2026 09:59:16 +0000
+
 jaraco.context (6.0.1-1) unstable; urgency=medium
 * New upstream version 6.0.1
diff -Nru jaraco.context-6.0.1/debian/patches/01_path_traversal.diff jaraco.context-6.0.1/debian/patches/01_path_traversal.diff
--- jaraco.context-6.0.1/debian/patches/01_path_traversal.diff 1970-01-01 00:00:00.000000000 +0000
+++ jaraco.context-6.0.1/debian/patches/01_path_traversal.diff 2026-01-23 09:59:08.000000000 +0000
@@ -0,0 +1,34 @@
+# Minimal backport of the upstream fix for a path traversal issue (CVE-2026-23949)
+--- a/jaraco/context/__init__.py
++++ b/jaraco/context/__init__.py
+@@ -78,12 +78,19 @@
+ try:
+ req = urllib.request.urlopen(url)
+ with tarfile.open(fileobj=req, mode='r|*') as tf:
+- tf.extractall(path=target_dir, filter=strip_first_component)
++ tf.extractall(path=target_dir, filter=_default_filter)
+ yield target_dir
+ finally:
+ shutil.rmtree(target_dir)
+
+
++def _compose_tarfile_filters(*filters):
++ def compose_two(f1, f2):
++ return lambda member, path: f1(f2(member, path), path)
++
++ return functools.reduce(compose_two, filters, lambda member, path: member)
++
++
+ def strip_first_component(
+ member: tarfile.TarInfo,
+ path,
+@@ -92,6 +99,9 @@
+ return member
+
+
++_default_filter = _compose_tarfile_filters(tarfile.data_filter, strip_first_component)
++
++
+ def _compose(*cmgrs):
+ """
+ Compose any number of dependent context managers into a single one.
diff -Nru jaraco.context-6.0.1/debian/patches/series jaraco.context-6.0.1/debian/patches/series
--- jaraco.context-6.0.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ jaraco.context-6.0.1/debian/patches/series 2026-01-23 09:59:08.000000000 +0000
@@ -0,0 +1 @@
+01_path_traversal.diff
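Review bot: The composition order in `_compose_tarfile_filters` is correct but undocumented — `functools.reduce` nests each new filter inside the accumulated one, so `_default_filter` runs `strip_first_component` first and `tarfile.data_filter` second, which is what you want (the containment checks must see the name that is actually written under `target_dir`), yet a future reordering of the two arguments would silently validate the pre-strip name instead. I would add a docstring on `_compose_tarfile_filters`: `"""Compose tarfile extraction filters, applied right-to-left: the last filter sees the original member, the first sees the final one."""`. The new code also calls `functools.reduce` without the patch adding an import, so it relies on `functools` already being imported at the top of `jaraco/context/__init__.py`, which is not visible in this hunk. Because `_default_filter` is built at module import, an interpreter whose `tarfile` lacks `data_filter` (no PEP 706 support) fails to import the whole package rather than just the extraction helper; that is fine for trixie's interpreter but worth a line in the patch header. The function containing the `try` block and the body of `strip_first_component` lie outside the hunk, so whether a filter can return `None` (which `compose_two` would pass on unchecked) cannot be assessed here.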