Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package helm3 for openSUSE:Factory checked in at 2026-04-11 22:26:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/helm3 (Old) and /work/SRC/openSUSE:Factory/.helm3.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "helm3" Sat Apr 11 22:26:49 2026 rev:8 rq:1346084 version:3.20.2 Changes: --------
--- /work/SRC/openSUSE:Factory/helm3/helm3.changes 2026-03-18 16:52:04.552959983 +0100
+++ /work/SRC/openSUSE:Factory/.helm3.new.21863/helm3.changes 2026-04-11 22:32:27.175307722 +0200
@@ -1,0 +2,14 @@
+Sat Apr 11 06:59:55 UTC 2026 - Johannes Kastl <[email protected]>
+
+- Update to version 3.20.2 (CVE-2026-35206): Helm v3.20.2 is a security patch release. Users are encouraged to upgrade for the best experience. * Security fixes - GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment * Changelog - fix: Chart dot-name path bug 8fb76d6 (George Jenkins) - fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 3a8927e (Terry Howe)
+------------------------------------------------------------------- Old: ---- helm3-3.20.1.obscpio New: ---- helm3-3.20.2.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ helm3.spec ++++++
--- /var/tmp/diff_new_pack.T0c3Py/_old 2026-04-11 22:32:28.779373328 +0200
+++ /var/tmp/diff_new_pack.T0c3Py/_new 2026-04-11 22:32:28.779373328 +0200
@@ -19,7 +19,7 @@
 %define goipath helm.sh/helm/v3
 %define git_dirty clean
 Name: helm3
-Version: 3.20.1
+Version: 3.20.2
 Release: 0
 Summary: The Kubernetes Package Manager
 License: Apache-2.0 ++++++ _service ++++++
--- /var/tmp/diff_new_pack.T0c3Py/_old 2026-04-11 22:32:28.947380199 +0200
+++ /var/tmp/diff_new_pack.T0c3Py/_new 2026-04-11 22:32:28.967381017 +0200
@@ -5,7 +5,7 @@
 <param name="exclude">.git</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="versionrewrite-pattern">v(.*)</param>
- <param name="revision">v3.20.1</param>
+ <param name="revision">v3.20.2</param>
 <param name="changesgenerate">enable</param>
 <param name="filename">helm3</param>
 </service> ++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.T0c3Py/_old 2026-04-11 22:32:29.023383307 +0200
+++ /var/tmp/diff_new_pack.T0c3Py/_new 2026-04-11 22:32:29.031383635 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/helm/helm.git</param>
- <param name="changesrevision">a2369ca71c0ef633bf6e4fccd66d634eb379b371</param></service></servicedata>
+ <param name="changesrevision">8fb76d6ab555577e98e23b7500009537a471feee</param></service></servicedata> (No newline at EOF) ++++++ helm3-3.20.1.obscpio -> helm3-3.20.2.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/helm3-3.20.1/pkg/chart/metadata.go new/helm3-3.20.2/pkg/chart/metadata.go
--- old/helm3-3.20.1/pkg/chart/metadata.go 2026-03-12 00:22:18.000000000 +0100
+++ new/helm3-3.20.2/pkg/chart/metadata.go 2026-04-09 22:27:07.000000000 +0200
@@ -112,6 +112,9 @@
 return ValidationError("chart.metadata.name is required")
 }
+ if md.Name == "." || md.Name == ".." {
+ return ValidationErrorf("chart.metadata.name %q is not allowed", md.Name)
+ }
 if md.Name != filepath.Base(md.Name) {
 return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/helm3-3.20.1/pkg/chart/metadata_test.go new/helm3-3.20.2/pkg/chart/metadata_test.go
--- old/helm3-3.20.1/pkg/chart/metadata_test.go 2026-03-12 00:22:18.000000000 +0100
+++ new/helm3-3.20.2/pkg/chart/metadata_test.go 2026-04-09 22:27:07.000000000 +0200
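Review bot: The new `.`/`..` guard has no comment explaining why it is needed next to the `filepath.Base` comparison right below it, and the reason is not obvious: `filepath.Base` returns `.` and `..` unchanged, so both names satisfied the existing check. I would add `// "." and ".." are returned unchanged by filepath.Base, so the check below lets them through; reject them explicitly.` above the new `if`. Note also that `filepath.Base` only recognises the host OS separator, so the rule is platform-dependent; if validation is meant to behave identically everywhere, an explicit `strings.ContainsAny(md.Name, "/\\")` check (adding a `strings` import if the file lacks one) would pin it down. The enclosing method, presumably Metadata.Validate, starts and ends outside the hunk.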
@@ -41,6 +41,16 @@
 ValidationError("chart.metadata.name is required"),
 },
 {
+ "chart with dot name",
+ &Metadata{Name: ".", APIVersion: "v2", Version: "1.0"},
+ ValidationError("chart.metadata.name \".\" is not allowed"),
+ },
+ {
+ "chart with dotdot name",
+ &Metadata{Name: "..", APIVersion: "v2", Version: "1.0"},
+ ValidationError("chart.metadata.name \"..\" is not allowed"),
+ },
+ {
 "chart without name",
 &Metadata{Name: "../../test", APIVersion: "v2", Version: "1.0"},
 ValidationError("chart.metadata.name \"../../test\" is invalid"),
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/helm3-3.20.1/pkg/chartutil/expand.go new/helm3-3.20.2/pkg/chartutil/expand.go
--- old/helm3-3.20.1/pkg/chartutil/expand.go 2026-03-12 00:22:18.000000000 +0100
+++ new/helm3-3.20.2/pkg/chartutil/expand.go 2026-04-09 22:27:07.000000000 +0200
@@ -17,6 +17,7 @@
 package chartutil
 import (
+ "fmt"
 "io"
 "os"
 "path/filepath"
@@ -51,6 +52,17 @@
 return errors.New("chart name not specified")
 }
+ // Reject chart names that are POSIX path dot-segments or dot-dot segments or contain path separators.
+ // A dot-segment name (e.g. ".") causes SecureJoin to resolve to the root
+ // directory and extraction then to write files directly into that extraction root
+ // instead of a per-chart subdirectory.
+ if chartName == "." || chartName == ".." {
+ return fmt.Errorf("chart name %q is not allowed", chartName)
+ }
+ if chartName != filepath.Base(chartName) {
+ return fmt.Errorf("chart name %q must not contain path separators", chartName)
+ }
+
 // Find the base directory
 // The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
 // being wrong or returning an error. This was introduced in v0.4.0.
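Review bot: The two new table entries only exercise rejected names; nothing in the hunk confirms that a name which merely begins with a dot, such as `.hidden`, still passes, so an over-broad rewrite of the guard (say, a prefix check) would go unnoticed. If the table does not already hold such a case outside the hunk, an entry like `{"chart with leading-dot name", &Metadata{Name: ".hidden", APIVersion: "v2", Version: "1.0"}, nil}` next to the new ones would pin the boundary, assuming the third column is an `error` and the rest of the validation accepts that name. The table is cut at both edges of the hunk.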
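Review bot: The comment block above the new guards is longer than the code it explains and its first line is slightly off: the `filepath.Base` comparison rejects any name that is not a single path element (separators, but also a trailing slash), and the separator it recognises is the host OS's, not POSIX's. I would collapse it to `// Reject "." and ".." (SecureJoin resolves them to dir itself) and any name that is not a single path element, so each chart lands in its own subdirectory of dir.` Note that this duplicates the rule added to pkg/chart/metadata.go in the same release; a shared predicate would keep the two from drifting, though the different error constructors may be why they are separate. The enclosing function, presumably Expand, starts and ends outside the hunk.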
@@ -60,6 +72,12 @@
 return err
 }
+ // Defense-in-depth: the chart directory must be a subdirectory of dir,
+ // never dir itself.
+ if chartdir == dir {
+ return fmt.Errorf("chart name %q resolves to the extraction root", chartName)
+ }
+
 // Copy all files verbatim. We don't parse these files because parsing can remove
 // comments.
 for _, file := range files {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/helm3-3.20.1/pkg/chartutil/expand_test.go new/helm3-3.20.2/pkg/chartutil/expand_test.go
--- old/helm3-3.20.1/pkg/chartutil/expand_test.go 2026-03-12 00:22:18.000000000 +0100
+++ new/helm3-3.20.2/pkg/chartutil/expand_test.go 2026-04-09 22:27:07.000000000 +0200
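Review bot: The comment says the chart directory must be a subdirectory of `dir`, but `chartdir == dir` only rules out equality, so the check enforces less than it claims. SecureJoin is expected to keep `chartdir` inside `dir` already, so this is belt-and-braces; if it is meant as defence in depth it should verify containment, e.g. `if rel, err := filepath.Rel(dir, chartdir); err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { return fmt.Errorf("chart name %q resolves outside the extraction root", chartName) }` (adding a `strings` import if the file lacks one). Otherwise narrow the comment to `// Defense-in-depth: SecureJoin maps "." to dir itself; never extract into the root.` The plain string comparison relies on `dir` having been cleaned beforehand, which the context above the hunk says it is; the enclosing function starts and ends outside the hunk.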
@@ -17,11 +17,73 @@
 package chartutil
 import (
+ "archive/tar"
+ "bytes"
+ "compress/gzip"
+ "io/fs"
 "os"
 "path/filepath"
 "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 )
+// makeTestChartArchive builds a gzipped tar archive from the given sourceDir directory, file entries are prefixed with the given chartName
+func makeTestChartArchive(t *testing.T, chartName, sourceDir string) *bytes.Buffer {
+ t.Helper()
+
+ var result bytes.Buffer
+ gw := gzip.NewWriter(&result)
+ tw := tar.NewWriter(gw)
+
+ dir := os.DirFS(sourceDir)
+
+ writeFile := func(relPath string) {
+ t.Helper()
+ f, err := dir.Open(relPath)
+ require.NoError(t, err)
+
+ fStat, err := f.Stat()
+ require.NoError(t, err)
+
+ err = tw.WriteHeader(&tar.Header{
+ Name: filepath.Join(chartName, relPath),
+ Mode: int64(fStat.Mode()),
+ Size: fStat.Size(),
+ })
+ require.NoError(t, err)
+
+ data, err := fs.ReadFile(dir, relPath)
+ require.NoError(t, err)
+ tw.Write(data)
+ }
+
+ err := fs.WalkDir(dir, ".", func(path string, d os.DirEntry, walkErr error) error {
+ if walkErr != nil {
+ return walkErr
+ }
+
+ if d.IsDir() {
+ return nil
+ }
+
+ writeFile(path)
+
+ return nil
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ err = tw.Close()
+ require.NoError(t, err)
+ err = gw.Close()
+ require.NoError(t, err)
+
+ return &result
+}
+
 func TestExpand(t *testing.T) {
 dest := t.TempDir()
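Review bot: `tw.Write(data)` in the `writeFile` closure discards its error, unlike every other call in the helper, so a short write would only surface later as an opaque failure from `tw.Close()`; `_, err = tw.Write(data)` followed by `require.NoError(t, err)` keeps it consistent. The `f` returned by `dir.Open(relPath)` is used only for `Stat` and is never closed; `fStat, err := fs.Stat(dir, relPath)` removes both the extra handle and the leak. Tar entry names are slash-separated by the format, so `path.Join(chartName, relPath)` (importing `path`) is the right call for `Name:`, whereas `filepath.Join` emits backslashes on Windows. The hunk also opens `TestExpand`, whose body continues outside it.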
@@ -75,6 +137,28 @@
 }
 }
+func TestExpandError(t *testing.T) {
+ tests := map[string]struct {
+ chartName string
+ chartDir string
+ wantErr string
+ }{
+ "dot name": {"dotname", "testdata/dotname", "not allowed"},
+ "dotdot name": {"dotdotname", "testdata/dotdotname", "not allowed"},
+ "slash in name": {"slashinname", "testdata/slashinname", "must not contain path separators"},
+ }
+
+ for name, tt := range tests {
+ t.Run(name, func(t *testing.T) {
+ archive := makeTestChartArchive(t, tt.chartName, tt.chartDir)
+
+ dest := t.TempDir()
+ err := Expand(dest, archive)
+ assert.ErrorContains(t, err, tt.wantErr)
+ })
+ }
+}
+
 func TestExpandFile(t *testing.T) {
 dest := t.TempDir()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/helm3-3.20.1/pkg/chartutil/testdata/dotdotname/Chart.yaml new/helm3-3.20.2/pkg/chartutil/testdata/dotdotname/Chart.yaml
--- old/helm3-3.20.1/pkg/chartutil/testdata/dotdotname/Chart.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/helm3-3.20.2/pkg/chartutil/testdata/dotdotname/Chart.yaml 2026-04-09 22:27:07.000000000 +0200
@@ -0,0 +1,4 @@
+apiVersion: v3
+name: ..
+description: A Helm chart for Kubernetes
+version: 0.1.0
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/helm3-3.20.1/pkg/chartutil/testdata/dotname/Chart.yaml new/helm3-3.20.2/pkg/chartutil/testdata/dotname/Chart.yaml
--- old/helm3-3.20.1/pkg/chartutil/testdata/dotname/Chart.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/helm3-3.20.2/pkg/chartutil/testdata/dotname/Chart.yaml 2026-04-09 22:27:07.000000000 +0200
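Review bot: TestExpandError asserts only the error text and never checks the property the fix exists for, namely that nothing is written under `dest`. Since the guards appear to run before the copy loop, `entries, err := os.ReadDir(dest); require.NoError(t, err); assert.Empty(t, entries)` after the `ErrorContains` pins that, and would also catch a future reordering that extracts before validating. Including the offending name in the expected text, e.g. `"chart name \".\" is not allowed"`, would additionally verify that the `%q` formatting reports the name from Chart.yaml rather than the archive prefix. The hunk also opens `TestExpandFile`, whose body continues outside it.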
@@ -0,0 +1,4 @@
+apiVersion: v3
+name: .
+description: A Helm chart for Kubernetes
+version: 0.1.0
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/helm3-3.20.1/pkg/chartutil/testdata/slashinname/Chart.yaml new/helm3-3.20.2/pkg/chartutil/testdata/slashinname/Chart.yaml
--- old/helm3-3.20.1/pkg/chartutil/testdata/slashinname/Chart.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/helm3-3.20.2/pkg/chartutil/testdata/slashinname/Chart.yaml 2026-04-09 22:27:07.000000000 +0200
@@ -0,0 +1,4 @@
+apiVersion: v3
+name: a/../b
+description: A Helm chart for Kubernetes
+version: 0.1.0
\ No newline at end of file ++++++ helm3.obsinfo ++++++
--- /var/tmp/diff_new_pack.T0c3Py/_old 2026-04-11 22:32:30.599447769 +0200
+++ /var/tmp/diff_new_pack.T0c3Py/_new 2026-04-11 22:32:30.603447932 +0200
@@ -1,5 +1,5 @@
 name: helm3
-version: 3.20.1
-mtime: 1773271338
-commit: a2369ca71c0ef633bf6e4fccd66d634eb379b371
+version: 3.20.2
+mtime: 1775766427
+commit: 8fb76d6ab555577e98e23b7500009537a471feee ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/helm3/vendor.tar.gz /work/SRC/openSUSE:Factory/.helm3.new.21863/vendor.tar.gz differ: char 13, line 1
