Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package jline3 for openSUSE:Factory checked in at 2026-06-25 17:13:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/jline3 (Old) and /work/SRC/openSUSE:Factory/.jline3.new.2088 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jline3" Thu Jun 25 17:13:35 2026 rev:13 rq:1361681 version:3.30.13 Changes: -------- --- /work/SRC/openSUSE:Factory/jline3/jline3.changes 2026-05-30 23:01:07.439637087 +0200 +++ /work/SRC/openSUSE:Factory/.jline3.new.2088/jline3.changes 2026-06-25 17:13:36.449955870 +0200 @@ -1,0 +2,9 @@ +Thu Jun 25 05:19:01 UTC 2026 - Fridrich Strba <[email protected]> + +- Added patch: + * jline3-GHSA-47qp-hqvx-6r3f.patch + + backport of the upstream fix for GHSA-47qp-hqvx-6r3f, + bsc#1269021: unauthenticated remote memory exhaustion via + unbounded Telnet 'NEW-ENVIRON variables + +------------------------------------------------------------------- New: ---- jline3-GHSA-47qp-hqvx-6r3f.patch ----------(New B)---------- New:- Added patch: * jline3-GHSA-47qp-hqvx-6r3f.patch + backport of the upstream fix for GHSA-47qp-hqvx-6r3f, ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jline3.spec ++++++ --- /var/tmp/diff_new_pack.QXTTPe/_old 2026-06-25 17:13:37.405988849 +0200 +++ /var/tmp/diff_new_pack.QXTTPe/_new 2026-06-25 17:13:37.409988987 +0200 @@ -41,6 +41,7 @@ Source1: %{name}-build.tar.xz Source100: Load-native-library-system-wide-place.patch.in Patch0: 0001-Remove-optional-dependency-on-universalchardet.patch +Patch1: jline3-GHSA-47qp-hqvx-6r3f.patch BuildRequires: ant BuildRequires: fdupes BuildRequires: jansi ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.QXTTPe/_old 2026-06-25 17:13:37.473991194 +0200 +++ /var/tmp/diff_new_pack.QXTTPe/_new 2026-06-25 17:13:37.477991333 +0200 
@@ -1,6 +1,6 @@ -mtime: 1780127192 -commit: 6f3d6e1c25f10d225dbf858d8e59b351eeb65ca33876890df563e79c410f0fb5 +mtime: 1782364919 +commit: 10996b00764733a4f1c8ab174fbbb008a9cfb235b8d455a8c76f119a2fa78251 url: https://src.opensuse.org/java-packages/jline3 -revision: 6f3d6e1c25f10d225dbf858d8e59b351eeb65ca33876890df563e79c410f0fb5 +revision: 10996b00764733a4f1c8ab174fbbb008a9cfb235b8d455a8c76f119a2fa78251 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj
++++++ build.specials.obscpio ++++++
++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore 2026-06-25 07:21:59.000000000 +0200
@@ -0,0 +1 @@
+.osc
++++++ jline3-GHSA-47qp-hqvx-6r3f.patch ++++++
diff --git a/remote-telnet/src/main/java/org/jline/builtins/telnet/TelnetIO.java b/remote-telnet/src/main/java/org/jline/builtins/telnet/TelnetIO.java
index 45e6547a..6f1c800e 100644
--- a/remote-telnet/src/main/java/org/jline/builtins/telnet/TelnetIO.java
+++ b/remote-telnet/src/main/java/org/jline/builtins/telnet/TelnetIO.java
@@ -279,6 +279,7 @@ public class TelnetIO {
 protected static final int NE_IN_END = -3;
 protected static final int NE_VAR_NAME_MAXLENGTH = 50;
 protected static final int NE_VAR_VALUE_MAXLENGTH = 1000;
+ protected static final int NE_VAR_COUNT_MAX = 100;
 /**
 * Unused
 */
@@ -296,6 +297,8 @@ public class TelnetIO {
 private static final int SMALLEST_BELIEVABLE_HEIGHT = 6;
 private static final int DEFAULT_WIDTH = 80;
 private static final int DEFAULT_HEIGHT = 25;
+ private static final int LARGEST_BELIEVABLE_WIDTH = 500;
+ private static final int LARGEST_BELIEVABLE_HEIGHT = 500;
 private Connection connection; // a reference to the connection this instance works for
 private ConnectionData connectionData; // holds all important information of the connection
 private DataOutputStream out; // the byte oriented outputstream
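Review bot: The new limit `NE_VAR_COUNT_MAX` in the first TelnetIO.java hunk carries no comment saying what it bounds or how 100 was chosen, and the same applies to `LARGEST_BELIEVABLE_WIDTH` and `LARGEST_BELIEVABLE_HEIGHT` in the second hunk. These constants are the whole of the resource limit this patch introduces, so a maintainer who later raises them should see the reason next to the value. I would add `// upper bound on NEW-ENVIRON variables accepted before the subnegotiation is abandoned` above the first, and `// upper sanity bounds for a reported window size; larger values fall back to the defaults` above the other two.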
@@ -596,10 +599,10 @@ public class TelnetIO {
 * @param height Integer that represents the Window height in chars
 */
 private void setTerminalGeometry(int width, int height) {
- if (width < SMALLEST_BELIEVABLE_WIDTH) {
+ if (width < SMALLEST_BELIEVABLE_WIDTH || width > LARGEST_BELIEVABLE_WIDTH) {
 width = DEFAULT_WIDTH;
 }
- if (height < SMALLEST_BELIEVABLE_HEIGHT) {
+ if (height < SMALLEST_BELIEVABLE_HEIGHT || height > LARGEST_BELIEVABLE_HEIGHT) {
 height = DEFAULT_HEIGHT;
 }
 // DEBUG: write("[New Window Size " + window_width + "x" + window_height + "]");
@@ -1143,6 +1146,7 @@ public class TelnetIO {
 LOG.log(Level.FINE, "readNEVariables()::INVALID VARIABLE");
 return;
 }
+ int varCount = 0;
 boolean cont = true;
 if (i == NE_VAR || i == NE_USERVAR) {
 do {
@@ -1155,6 +1159,11 @@ public class TelnetIO {
 return;
 case NE_VAR_DEFINED:
 LOG.log(Level.FINE, "readNEVariables()::NE_VAR_DEFINED");
+ if (++varCount > NE_VAR_COUNT_MAX) {
+ LOG.log(Level.WARNING, "readNEVariables()::TOO_MANY_VARS (>" + NE_VAR_COUNT_MAX + ")");
+ skipToSE();
+ return;
+ }
 String str = sbuf.toString();
 sbuf.delete(0, sbuf.length());
 switch (readNEVariableValue(sbuf)) {
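Review bot: In the setTerminalGeometry hunk an out-of-range dimension is replaced by the default with no trace, and the Javadoc above the method (it starts outside the hunk) still describes only the two parameters. A width above `LARGEST_BELIEVABLE_WIDTH` becomes `DEFAULT_WIDTH` (80) rather than being capped at the limit, so a peer reporting a larger window silently ends up with the default size. I would add to the Javadoc `Values outside the believable range are replaced by DEFAULT_WIDTH / DEFAULT_HEIGHT.` and log the rejected value at `Level.FINE` so the fallback can be diagnosed.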
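Review bot: `int varCount = 0;` in the hunk at -1143 is a local, so the `NE_VAR_COUNT_MAX` budget starts afresh on every call of readNEVariables() and limits one subnegotiation, not the connection. Where accepted variables are stored is outside these hunks; if they accumulate in per-connection state, the total can presumably still grow over repeated subnegotiations, and the check would be better made against the size of that collection or with a counter held as a field. If the per-call scope is intended, say so at the declaration: `// limit applies to a single NEW-ENVIRON subnegotiation`. The method body starts and ends outside the hunk.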
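Review bot: The count check in the hunk at -1155 sits only inside `case NE_VAR_DEFINED:`, so only variables that take that branch are counted. The remaining cases of this `switch` lie outside the hunk; if any of them also records a variable and continues the loop, it is not covered by the limit. I would apply the same `if (++varCount > NE_VAR_COUNT_MAX)` guard in every case that accepts a variable, or do the counting at the single place where a variable is stored. Since the WARNING is driven by the peer, it would also help to confirm that it is emitted at most once per subnegotiation; the visible `return` suggests it is.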
