GHSA-555p-6grf-mh7f

Source
https://github.com/advisories/GHSA-555p-6grf-mh7f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-555p-6grf-mh7f/GHSA-555p-6grf-mh7f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-555p-6grf-mh7f
Aliases
  • CVE-2026-47712
Downstream
Published
2026-06-08T23:04:48Z
Modified
2026-06-11T14:15:13.644231700Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`
Details

Impact

dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replaced spaces with dashes - path separators (/, \), parent-directory components (..), and other filename-hostile characters (e.g. :) were preserved verbatim and passed straight into os.path.join(outdir, f"{i:04d}-{summary}.patch").

A malicious commit subject could therefore direct the generated patch file outside the requested outdir. Reduced examples:

  • x/../../x produced <outdir>/0001-x/../../x.patch, resolving two directories above outdir.
  • x\..\..\x produced the equivalent escape on Windows, where \ is also a path separator.

Related issues from the same root cause:

  • Subjects containing characters that are illegal in Windows filenames (e.g. :) caused format_patch to fail outright on Windows, where git would have succeeded.
  • Very long subjects produced excessively long filenames that could exceed filesystem limits; git truncates them.

Anyone calling porcelain.format_patch (or the dulwich format-patch CLI) against untrusted commits - for example, a service that runs format-patch over user-supplied repositories or pull requests - could have patch files written to attacker-chosen locations within the process's write permissions.

Patches

Fixed in Dulwich 1.2.5. Users should upgrade.

dulwich.patch.get_summary now mirrors git's format_sanitized_subject: only [A-Za-z0-9._] are kept, runs of other characters collapse to a single -, consecutive . collapse to a single ., trailing ./- are stripped, and the result is length-limited. This makes the returned string safe to embed as a filename component, so format_patch can no longer be steered out of outdir via the commit subject.

Workarounds

Until upgrading, callers that pass untrusted commits to porcelain.format_patch can:

  • Use stdout=True and write the patch to a destination they control, rather than letting format_patch choose the filename.
  • Validate the chosen path before opening - e.g. compare os.path.realpath(returned_path) against os.path.realpath(outdir) and reject any patch whose resolved path is not inside outdir.
  • Pre-screen commits and refuse to format any whose subject's first line contains /, \, .., or other characters that are not safe on the target filesystem.
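As an added illustration (not Dulwich's own code), the Python below reimplements the sanitization rules described under Patches by porting git's format_sanitized_subject loop, and places it beside the pre-fix filename derivation and the realpath containment check from the workaround list above. The 64-character limit is an assumption taken from git's default filename length, not a value stated for Dulwich.

```python
import os

# Assumed length limit (git's default format.filenameMaxLength); Dulwich's
# actual limit is not stated in the advisory.
MAX_LEN = 64


def first_line(subject: str) -> str:
    """Subject line of a commit message (empty message -> empty string)."""
    return (subject.splitlines() or [""])[0]


def sanitize_subject(subject: str, max_len: int = MAX_LEN) -> str:
    """Port of git's format_sanitized_subject (constructed here, not Dulwich's).

    Keeps [A-Za-z0-9._]; any run of other characters becomes one '-' (runs
    before the first kept character are dropped); adjacent dots collapse to
    one; trailing '.' and '-' are stripped; the result is truncated.
    """
    line = first_line(subject)
    out = []
    space = 2  # 2: nothing emitted yet, 1: separator pending, 0: no separator
    i = 0
    while i < len(line):
        ch = line[i]
        if (ch.isascii() and ch.isalnum()) or ch in "._":
            if space == 1:
                out.append("-")
            space = 0
            out.append(ch)
            if ch == ".":  # swallow a run of dots so '..' cannot survive
                while i + 1 < len(line) and line[i + 1] == ".":
                    i += 1
        else:
            space |= 1
        i += 1
    return "".join(out).rstrip(".-")[:max_len]


def unsafe_patch_path(outdir: str, i: int, subject: str) -> str:
    """Pre-1.2.5 derivation as the advisory describes: only spaces -> dashes."""
    return os.path.join(outdir, f"{i:04d}-{first_line(subject).replace(' ', '-')}.patch")


def safe_patch_path(outdir: str, i: int, subject: str) -> str:
    """Same derivation with the sanitized summary; cannot leave outdir."""
    return os.path.join(outdir, f"{i:04d}-{sanitize_subject(subject)}.patch")


def is_inside(outdir: str, path: str) -> bool:
    """Workaround check: the resolved patch path must sit under resolved outdir."""
    root, target = os.path.realpath(outdir), os.path.realpath(path)
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows
        return False
```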

Resources

  • Fix commit: https://github.com/jelmer/dulwich/commit/c2446e51b
  • Affected API: dulwich.porcelain.format_patch / dulwich format-patch
  • Reference behavior: git's format_sanitized_subject in pretty.c
Database specific
{
    "github_reviewed_at": "2026-06-08T23:04:48Z",
    "nvd_published_at": "2026-06-10T23:16:48Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "LOW"
}
References

Affected packages

PyPI / dulwich

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.24.0
Fixed
1.2.5

Affected versions

0.*
0.24.0
0.24.1
0.24.2
0.24.3
0.24.4
0.24.5
0.24.6
0.24.7
0.24.8
0.24.9
0.24.10
0.25.0
0.25.1
0.25.2
1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-555p-6grf-mh7f/GHSA-555p-6grf-mh7f.json"