DEBIAN-CVE-2026-47712

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-47712
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-47712.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-47712
Upstream
  • CVE-2026-47712
Published
2026-06-10T23:16:48.650Z
Modified
2026-06-11T09:03:10.670195590Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, dulwich.porcelain.formatpatch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, getsummary only replaced spaces with dashes - path separators (/, ), parent-directory components (..), and other filename-hostile characters (e.g. :) were preserved verbatim and passed straight into os.path.join(outdir, f"{i:04d}-{summary}.patch"). A malicious commit subject could therefore direct the generated patch file outside the requested outdir. This is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. dulwich.patch.getsummary now mirrors git's formatsanitizedsubject: only [A-Za-z0-9._] are kept, runs of other characters collapse to a single -, consecutive . collapse to a single ., trailing ./- are stripped, and the result is length-limited. This makes the returned string safe to embed as a filename component, so formatpatch can no longer be steered out of outdir via the commit subject. Until upgrading, callers that pass untrusted commits to porcelain.formatpatch can use stdout=True and write the patch to a destination they control, rather than letting formatpatch choose the filename; validate the chosen path before opening - e.g. compare os.path.realpath(returned_path) against os.path.realpath(outdir) and reject any patch whose resolved path is not inside outdir; and/or pre-screen commits and refuse to format any whose subject's first line contains /, \, .., or other characters that are not safe on the target filesystem.

References

Affected packages

Debian:11 / dulwich

Package

Name
dulwich
Purl
pkg:deb/debian/dulwich?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.20.15-1
0.20.23-1
0.20.25-1
0.20.26-1
0.20.27-1
0.20.30-1
0.20.31-1
0.20.31-1.1
0.20.35-1
0.20.42-1
0.20.43-1
0.20.44-1
0.20.46-1
0.20.46-2
0.20.50-1
0.21.0-1
0.21.1-1
0.21.2-1
0.21.5-1
0.21.6-1
0.22.5-1
0.22.7-1
0.22.7-2
0.24.2-1
0.24.2-2
0.24.10-1
1.*
1.0.0-1
1.0.0-2
1.1.0-1
1.1.0-2
1.1.0-3
1.2.0-1
1.2.1-1
1.2.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-47712.json"

Debian:12 / dulwich

Package

Name
dulwich
Purl
pkg:deb/debian/dulwich?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.21.2-1
0.21.5-1
0.21.6-1
0.22.5-1
0.22.7-1
0.22.7-2
0.24.2-1
0.24.2-2
0.24.10-1
1.*
1.0.0-1
1.0.0-2
1.1.0-1
1.1.0-2
1.1.0-3
1.2.0-1
1.2.1-1
1.2.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-47712.json"

Debian:13 / dulwich

Package

Name
dulwich
Purl
pkg:deb/debian/dulwich?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.22.7-1
0.22.7-2
0.24.2-1
0.24.2-2
0.24.10-1
1.*
1.0.0-1
1.0.0-2
1.1.0-1
1.1.0-2
1.1.0-3
1.2.0-1
1.2.1-1
1.2.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-47712.json"

Debian:14 / dulwich

Package

Name
dulwich
Purl
pkg:deb/debian/dulwich?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.22.7-1
0.22.7-2
0.24.2-1
0.24.2-2
0.24.10-1
1.*
1.0.0-1
1.0.0-2
1.1.0-1
1.1.0-2
1.1.0-3
1.2.0-1
1.2.1-1
1.2.5-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-47712.json"