Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package SimGear for openSUSE:Factory checked in at 2025-01-24 13:41:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/SimGear (Old)
 and      /work/SRC/openSUSE:Factory/.SimGear.new.2316 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "SimGear" Fri Jan 24 13:41:15 2025 rev:31 rq:1240103 version:2020.3.19 Changes: -------- --- /work/SRC/openSUSE:Factory/SimGear/SimGear.changes 2023-11-19 20:17:07.533378021 +0100 +++ /work/SRC/openSUSE:Factory/.SimGear.new.2316/SimGear.changes 2025-01-24 13:41:16.076797282 +0100 @@ -1,0 +2,6 @@ +Thu Jan 23 16:37:27 UTC 2025 - Stefan Brüns <stefan.bru...@rwth-aachen.de> + +- Add support for file permissions check (CVE pending), add + add_NasalIORulesChecker.patch + +------------------------------------------------------------------- New: ---- add_NasalIORulesChecker.patch BETA DEBUG BEGIN: New:- Add support for file permissions check (CVE pending), add add_NasalIORulesChecker.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SimGear.spec ++++++ --- /var/tmp/diff_new_pack.6KqSPt/_old 2025-01-24 13:41:17.124840567 +0100 +++ /var/tmp/diff_new_pack.6KqSPt/_new 2025-01-24 13:41:17.128840732 +0100 @@ -1,7 +1,7 @@ # # spec file for package SimGear # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,6 +34,8 @@ Source99: SimGear-rpmlintrc # PATCH-FIX-UPSTREAM simgear-boost-1.81.patch - fix building with boost >= 1.81 Patch0: simgear-boost-1.81.patch +# PATCH-FIX-UPSTREAM +Patch1: https://gitlab.com/flightgear/simgear/-/commit/5bb023647114267141a7610e8f1ca7d6f4f5a5a8.patch#/add_NasalIORulesChecker.patch BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: libOpenSceneGraph-devel ++++++ add_NasalIORulesChecker.patch ++++++ >From 5bb023647114267141a7610e8f1ca7d6f4f5a5a8 Mon Sep 17 00:00:00 2001 
From: Florent Rougon <f.rou...@frougon.net> Date: Tue, 21 Jan 2025 00:16:43 +0100 Subject: [PATCH] cppbind: check I/O rules when auto-constructing an SGPath from a Nasal scalar - Add static member function SGPath::NasalIORulesChecker as a PermissionChecker (this is essentially checkIORules() moved from the flightgear repository). - Use it in the from_nasal_helper() that creates an SGPath instance from a Nasal scalar. --- simgear/misc/sg_path.cxx | 20 +++++++++++++++++++ simgear/misc/sg_path.hxx | 7 +++++++ .../cppbind/detail/from_nasal_helper.cxx | 3 ++- 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/simgear/misc/sg_path.cxx b/simgear/misc/sg_path.cxx index f6c5b089e..c66bc72c4 100644 --- a/simgear/misc/sg_path.cxx +++ b/simgear/misc/sg_path.cxx @@ -275,6 +275,26 @@ void SGPath::set_cached(bool cached) // * Access permissions for Nasal code * // *************************************************************************** +// Static member function +SGPath::Permissions SGPath::NasalIORulesChecker(const SGPath& path) +{ + Permissions perm; + + if (!path.isAbsolute()) { + // SGPath caches permissions, which breaks for relative paths if the + // current directory changes. + SG_LOG(SG_NASAL, SG_ALERT, + "SGPath::NasalIORulesChecker(): file operation on '" << + path.utf8Str() << "': access denied (relative paths not " + "accepted; use realpath() to obtain an absolute path)"); + } + + perm.read = path.isAbsolute() && !path.validate(false).isNull(); + perm.write = path.isAbsolute() && !path.validate(true).isNull(); + + return perm; +} + // Static member function void SGPath::clearListOfAllowedPaths(bool write) { diff --git a/simgear/misc/sg_path.hxx b/simgear/misc/sg_path.hxx index 32e9d662b..75da94c95 100644 --- a/simgear/misc/sg_path.hxx +++ b/simgear/misc/sg_path.hxx 
@@ -162,6 +162,13 @@ public: */ SGPath validate(bool write) const; + /** + * Normal PermissionChecker for SGPath instances created from Nasal. + * @param path an SGPath instance + * @return read and write permissions conforming to validate() + */ + static Permissions NasalIORulesChecker(const SGPath& path); + /** * Append another piece to the existing path. Inserts a path * separator between the existing component and the new component. diff --git a/simgear/nasal/cppbind/detail/from_nasal_helper.cxx b/simgear/nasal/cppbind/detail/from_nasal_helper.cxx index bdf10fe5e..ad027c0b0 100644 --- a/simgear/nasal/cppbind/detail/from_nasal_helper.cxx +++ b/simgear/nasal/cppbind/detail/from_nasal_helper.cxx @@ -47,7 +47,8 @@ namespace nasal SGPath from_nasal_helper(naContext c, naRef ref, const SGPath*) { naRef na_str = naStringValue(c, ref); - return SGPath(std::string(naStr_data(na_str), naStr_len(na_str))); + return SGPath(std::string(naStr_data(na_str), naStr_len(na_str)), + &SGPath::NasalIORulesChecker); } //---------------------------------------------------------------------------- -- GitLab
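Review bot: In the SimGear.changes hunk, the entry "Add support for file permissions check (CVE pending)" reads like a feature addition and gives nothing to search for later. Suggest wording it after the upstream subject (I/O rules are now checked when an SGPath is auto-constructed from a Nasal scalar) and replacing "CVE pending" with the identifier once one is assigned.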
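Review bot: In the SimGear.spec hunk, the new "# PATCH-FIX-UPSTREAM" comment above Patch1 carries no patch name or description, unlike the Patch0 comment directly before it ("# PATCH-FIX-UPSTREAM simgear-boost-1.81.patch - fix building with boost >= 1.81"). Suggest following the same form, naming add_NasalIORulesChecker.patch and stating that it adds the I/O rules check for SGPath instances created from Nasal scalars.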
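Review bot: In SGPath::NasalIORulesChecker() in the sg_path.cxx hunk, the relative-path branch only logs, and the actual denial comes from re-testing path.isAbsolute() in both assignments below it, so the same condition is evaluated three times and the deny path is split across two places. An early return inside the if block, with perm.read and perm.write explicitly set to false, would make the denial obvious and leave the two validate() calls for the absolute case only. Because the message is logged at SG_ALERT on every call with a relative path, it is also worth checking whether a script that repeatedly passes relative paths can fill the log.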
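Review bot: In the sg_path.hxx hunk, the doc comment for NasalIORulesChecker() says the result conforms to validate() but does not mention that a relative path is denied both read and write and triggers an alert, which is the behaviour a caller is most likely to trip over. Suggest adding one sentence to the @return description stating that non-absolute paths always yield no permissions.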
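Review bot: In the from_nasal_helper.cxx hunk, the behaviour of from_nasal_helper() for SGPath changes from an unchecked path to one carrying &SGPath::NasalIORulesChecker, yet the diffstat lists only sg_path.cxx, sg_path.hxx and from_nasal_helper.cxx, so nothing exercises the new behaviour. Suggest a cppbind test that converts a Nasal scalar holding a relative path, and one holding an absolute path that validate() rejects, and asserts that the resulting SGPath reports neither read nor write permission.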