Version in base suite: 2.35.1-0+deb13u1 Base version: swift_2.35.1-0+deb13u1 Target version: swift_2.35.1-0+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/swift/swift_2.35.1-0+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/swift/swift_2.35.1-0+deb13u2.dsc changelog | 8 patches/CVE-2026-49017_OSSA-2026-014_s3api_Error_on+truncated+aws-chunked_input.patch | 118 ++++++++++ patches/series | 1 3 files changed, 127 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpb7fib348/swift_2.35.1-0+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpb7fib348/swift_2.35.1-0+deb13u2.dsc: no acceptable signature found
diff -Nru swift-2.35.1/debian/changelog swift-2.35.1/debian/changelog
--- swift-2.35.1/debian/changelog 2025-10-31 00:49:35.000000000 +0000
+++ swift-2.35.1/debian/changelog 2026-05-28 17:00:54.000000000 +0000
@@ -1,3 +1,11 @@
+swift (2.35.1-0+deb13u2) trixie-security; urgency=medium
+
+ * CVE-2026-49017: Swift proxy-server denial of service via truncated s3api
+ chunked upload. Applied upstream patch: "s3api: Error on truncated
+ aws-chunked input" (Closes: #1138170).
+
+ -- Thomas Goirand Thu, 28 May 2026 19:00:54 +0200
+
 swift (2.35.1-0+deb13u1) trixie-security; urgency=medium
+
+ * New upstream point release:
diff -Nru swift-2.35.1/debian/patches/CVE-2026-49017_OSSA-2026-014_s3api_Error_on+truncated+aws-chunked_input.patch swift-2.35.1/debian/patches/CVE-2026-49017_OSSA-2026-014_s3api_Error_on+truncated+aws-chunked_input.patch
--- swift-2.35.1/debian/patches/CVE-2026-49017_OSSA-2026-014_s3api_Error_on+truncated+aws-chunked_input.patch 1970-01-01 00:00:00.000000000 +0000
+++ swift-2.35.1/debian/patches/CVE-2026-49017_OSSA-2026-014_s3api_Error_on+truncated+aws-chunked_input.patch 2026-05-28 17:00:54.000000000 +0000
@@ -0,0 +1,118 @@
+Author: Clay Gerrard
+Date: Fri, 08 May 2026 16:42:06 -0500
+Description: CVE-2026-49017 / OSSA-2026-014: s3api: Error on truncated aws-chunked input
+ When an aws-chunked request body ends in the middle of a chunk, the
+ underlying input should return b''. StreamingInput was appending that
+ empty buffer and re-reading forever.
+ .
+ Treat an empty chunk read before the terminal zero-byte chunk completes
+ the payload as incomplete input instead. Add parser-level and object PUT
+ regression tests for a client disconnecting mid-chunk.
+Change-Id: I0fb8aa85232b8cea37fa01863f777233dd50af8e
+Signed-off-by: Clay Gerrard
+Bug: https://launchpad.net/bugs/2152205
+Bug-Debian: https://bugs.debian.org/1138170
+Origin: Upstream, https://review.opendev.org/c/openstack/swift/+/990355
+Last-Update: 2026-05-28
+
+diff --git a/swift/common/middleware/s3api/s3request.py b/swift/common/middleware/s3api/s3request.py
+index 5ccf0b9..8d42528 100644
+--- a/swift/common/middleware/s3api/s3request.py
++++ b/swift/common/middleware/s3api/s3request.py
+@@ -430,6 +430,8 @@
+ self._to_read -= len(buf)
+ if readline and buf[-1:] == b'\n':
+ break
++ if not buf and not self._completed_payload:
++ raise S3InputIncomplete
+ return b''.join(bufs)
+
+ def _read_trailers(self):
+diff --git a/test/unit/common/middleware/s3api/test_obj.py b/test/unit/common/middleware/s3api/test_obj.py
+index f9c77de..daa5f6d 100644
+--- a/test/unit/common/middleware/s3api/test_obj.py
++++ b/test/unit/common/middleware/s3api/test_obj.py
+@@ -14,6 +14,7 @@
+ # limitations under the License.
+
+ import binascii
++import io
+ import unittest
+ from datetime import datetime
+ import functools
+@@ -796,6 +797,57 @@
+ self.assertEqual('/v1/AUTH_test/bucket/object',
+ req.environ.get('swift.backend_path'))
+
++ def test_object_PUT_v4_aws_chunked_client_disconnect_mid_chunk(self):
++ class EndOfLine(BaseException):
++ pass
++
++ class DisconnectingBody(io.BytesIO):
++ def __init__(self, body):
++ super(DisconnectingBody, self).__init__(body)
++ self.seen_eof = False
++
++ def read(self, size=-1):
++ if self.seen_eof:
++ raise EndOfLine
++ chunk = super(DisconnectingBody, self).read(size)
++ if not chunk:
++ self.seen_eof = True
++ return chunk
++
++ # One aws-chunked chunk declaring a 9-byte payload, followed by only
++ # 3 bytes of payload data before client EOF.
++ body = b'9\r\nabc'
++ wsgi_input = DisconnectingBody(body)
++ amz_date = self.get_v4_amz_date_header()
++ req = Request.blank(
++ '/bucket/object',
++ environ={'REQUEST_METHOD': 'PUT',
++ 'wsgi.input': wsgi_input},
++ headers={
++ 'Authorization':
++ 'AWS4-HMAC-SHA256 '
++ 'Credential=test:tester/%s/us-east-1/s3/aws4_request, '
++ 'SignedHeaders=content-encoding;content-length;host;'
++ 'x-amz-content-sha256;x-amz-date;'
++ 'x-amz-decoded-content-length, '
++ 'Signature=hmac' % amz_date.split('T', 1)[0],
++ 'Content-Encoding': 'aws-chunked',
++ 'Content-Length': str(len(body)),
++ 'Date': self.get_date_header(),
++ 'X-Amz-Content-SHA256':
++ 'STREAMING-UNSIGNED-PAYLOAD-TRAILER',
++ 'X-Amz-Date': amz_date,
++ 'X-Amz-Decoded-Content-Length': '9',
++ })
++
++ try:
++ resp = req.get_response(self.s3api)
++ except EndOfLine:
++ self.fail('read after eof')
++
++ self.assertEqual(400, resp.status_int)
++ self.assertEqual('IncompleteBody', self._get_error_code(resp.body))
++
+ def test_object_PUT_v4_bad_hash(self):
+ orig_app = self.s3api.app
+
+diff --git a/test/unit/common/middleware/s3api/test_s3request.py b/test/unit/common/middleware/s3api/test_s3request.py
+index f478823..5015787 100644
+---
a/test/unit/common/middleware/s3api/test_s3request.py
++++ b/test/unit/common/middleware/s3api/test_s3request.py
+@@ -1672,6 +1672,13 @@
+ self.assertEqual(b'abcdefghijklmnopqrstuvwxyz\n',
+ s3req.environ['wsgi.input'].read())
+
++ def test_sig_v4_strm_unsgnd_pyld_trl_incomplete_chunk(self):
++ body = 'a\r\nabcdefghij\r\n' \
++ 'a\r\nklm'
++ s3req = self._test_sig_v4_streaming_unsigned_payload_trailer(body)
++ with self.assertRaises(s3request.S3InputIncomplete):
++ s3req.environ['wsgi.input'].read()
++
+ def test_sig_v4_strm_unsgnd_pyld_trl_none_ok(self):
+ # verify it's ok to not send any trailer
+ body = 'a\r\nabcdefghij\r\n' \
diff -Nru swift-2.35.1/debian/patches/series swift-2.35.1/debian/patches/series
--- swift-2.35.1/debian/patches/series 2025-10-31 00:49:35.000000000 +0000
+++ swift-2.35.1/debian/patches/series 2026-05-28 17:00:54.000000000 +0000
@@ -5,3 +5,4 @@
 swift-recon-only-query-object-servers-once.patch
 drive-full-checker.patch
 bug-2119646-swift.patch
+CVE-2026-49017_OSSA-2026-014_s3api_Error_on+truncated+aws-chunked_input.patch
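Review bot: The new guard `if not buf and not self._completed_payload: raise S3InputIncomplete` in s3request.py is placed after the read loop, so it only takes effect once the loop has already exited on an empty read; whether the loop body actually leaves the loop when the underlying input returns b'' is outside the hunk and cannot be confirmed here, and the fix is only complete if it does. If `buf` is bound solely inside that loop, a call that never enters it (for example a zero-byte read request) would hit an unbound name before reaching the guard, which is worth checking against the loop header. The check also carries no explanation of why an empty read is an error rather than EOF; I would add `# an empty read before the terminal zero-length chunk means the client went away mid-chunk; raising stops the re-read loop` above it, since a later reader may otherwise "fix" it back. The object PUT test covers the 400/IncompleteBody mapping and the parser test covers the raise, which together pin the behaviour well. The enclosing method of the s3request.py change starts before the hunk.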