Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package element-web for openSUSE:Factory checked in at 2021-12-13 20:45:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/element-web (Old) and /work/SRC/openSUSE:Factory/.element-web.new.2520 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "element-web" Mon Dec 13 20:45:21 2021 rev:6 rq:940304 version:1.9.7 Changes: -------- --- /work/SRC/openSUSE:Factory/element-web/element-web.changes 2021-12-10 21:53:13.786914980 +0100 +++ /work/SRC/openSUSE:Factory/.element-web.new.2520/element-web.changes 2021-12-13 20:51:38.480682707 +0100 @@ -1,0 +2,7 @@ +Mon Dec 13 16:13:35 UTC 2021 - Dominik Heidler <dheid...@suse.de> + +- Version 1.9.7 + * Security fix: buffer overflow in libolm and matrix-js-sdk + https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk + +------------------------------------------------------------------- Old: ---- element-1.9.6.tar.gz element-web-1.9.6.tar.gz New: ---- element-1.9.7.tar.gz element-web-1.9.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ element-web.spec ++++++ --- /var/tmp/diff_new_pack.oxpW5R/_old 2021-12-13 20:51:39.016683050 +0100 +++ /var/tmp/diff_new_pack.oxpW5R/_new 2021-12-13 20:51:39.016683050 +0100 @@ -17,7 +17,7 @@ Name: element-web -Version: 1.9.6 +Version: 1.9.7 Release: 0 Summary: A glossy Matrix collaboration client - web files License: Apache-2.0 ++++++ element-1.9.6.tar.gz -> element-1.9.7.tar.gz ++++++ /work/SRC/openSUSE:Factory/element-web/element-1.9.6.tar.gz /work/SRC/openSUSE:Factory/.element-web.new.2520/element-1.9.7.tar.gz differ: char 13, line 1 ++++++ element-web-1.9.6.tar.gz -> element-web-1.9.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/CHANGELOG.md new/element-web-1.9.7/CHANGELOG.md --- old/element-web-1.9.6/CHANGELOG.md 2021-12-06 16:38:51.000000000 +0100 +++ new/element-web-1.9.7/CHANGELOG.md 2021-12-13 16:36:54.000000000 +0100 
@@ -1,3 +1,9 @@ +Changes in [1.9.7](https://github.com/vector-im/element-web/releases/tag/v1.9.7) (2021-12-13) +============================================================================================= + + * Security release with updated version of Olm to fix https://matrix.org/blog/2021/12/03/pre-disclosure-upcoming-security-release-of-libolm-and-matrix-js-sdk + * Fix a crash on logout + Changes in [1.9.6](https://github.com/vector-im/element-web/releases/tag/v1.9.6) (2021-12-06) ============================================================================================= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/Dockerfile new/element-web-1.9.7/Dockerfile --- old/element-web-1.9.6/Dockerfile 2021-12-06 16:38:51.000000000 +0100 +++ new/element-web-1.9.7/Dockerfile 2021-12-13 16:36:54.000000000 +0100 @@ -16,15 +16,12 @@ COPY . /src RUN dos2unix /src/scripts/docker-link-repos.sh && bash /src/scripts/docker-link-repos.sh RUN yarn --network-timeout=100000 install -RUN yarn build + +RUN dos2unix /src/scripts/docker-package.sh && bash /src/scripts/docker-package.sh # Copy the config now so that we don't create another layer in the app image RUN cp /src/config.sample.json /src/webapp/config.json -# Ensure we populate the version file -RUN dos2unix /src/scripts/docker-write-version.sh && bash /src/scripts/docker-write-version.sh - - # App FROM nginx:alpine diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/package.json new/element-web-1.9.7/package.json --- old/element-web-1.9.6/package.json 2021-12-06 16:38:51.000000000 +0100 +++ new/element-web-1.9.7/package.json 2021-12-13 16:36:54.000000000 +0100 @@ -1,6 +1,6 @@ { "name": "element-web", - "version": "1.9.6", + "version": "1.9.7", "description": "A feature-rich client for Matrix.org", "author": "New Vector Ltd.", "repository": { 
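Review bot: In the Dockerfile hunk only `docker-package.sh` is passed through `dos2unix`, but that script then executes `get-version-from-git.sh` and `normalize-version.sh` directly via `$(dirname $0)/…`. If the conversion is there because the sources can arrive with CRLF line endings, the two helpers would keep a shebang ending in a carriage return and the `RUN` step would fail on them. Converting the whole directory covers all three scripts: `RUN dos2unix /src/scripts/*.sh && bash /src/scripts/docker-package.sh`.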
@@ -55,13 +55,13 @@ "test": "jest" }, "dependencies": { - "@matrix-org/olm": "https://gitlab.matrix.org/api/v4/projects/27/packages/npm/@matrix-org/olm/-/@matrix-org/olm-3.2.3.tgz", + "@matrix-org/olm": "https://gitlab.matrix.org/api/v4/projects/27/packages/npm/@matrix-org/olm/-/@matrix-org/olm-3.2.8.tgz", "browser-request": "^0.3.3", "gfm.css": "^1.1.2", "jsrsasign": "^10.2.0", "katex": "^0.12.0", - "matrix-js-sdk": "15.2.0", - "matrix-react-sdk": "3.36.0", + "matrix-js-sdk": "15.2.1", + "matrix-react-sdk": "3.36.1", "matrix-widget-api": "^0.1.0-beta.17", "prop-types": "^15.7.2", "react": "17.0.2", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/scripts/ci_package.sh new/element-web-1.9.7/scripts/ci_package.sh --- old/element-web-1.9.6/scripts/ci_package.sh 2021-12-06 16:38:51.000000000 +0100 +++ new/element-web-1.9.7/scripts/ci_package.sh 2021-12-13 16:36:54.000000000 +0100 
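Review bot: The `@matrix-org/olm` dependency bumped in this package.json hunk is fetched by tarball URL rather than from the registry, and the matching yarn.lock entry further down records only a 40-hex-character fragment after `#` in `resolved`. It has no `integrity` line, unlike the `matrix-js-sdk` and `matrix-react-sdk` entries. Because this bump carries the security fix, it is worth confirming that the build checks the downloaded tarball against a strong digest. If the yarn version in use supports it for URL dependencies, the lock entry could carry `integrity sha512-<DIGEST_OF_OLM_3.2.8_TARBALL>`, and the distribution build could pin the digest of the vendored tarball separately.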
@@ -1,17 +1,11 @@ #!/bin/bash -# Runs package.sh setting the version to git hashes of the element-web, -# react-sdk & js-sdk checkouts, for the case where these dependencies -# are git checkouts. +# Runs package.sh, passing DIST_VERSION determined by git set -ex rm dist/element-*.tar.gz || true # rm previous artifacts without failing if it doesn't exist -# Since the deps are fetched from git, we can rev-parse -REACT_SHA=$(cd node_modules/matrix-react-sdk; git rev-parse --short=12 HEAD) -JSSDK_SHA=$(cd node_modules/matrix-js-sdk; git rev-parse --short=12 HEAD) +DIST_VERSION=`$(dirname $0)/get-version-from-git.sh` -VECTOR_SHA=$(git rev-parse --short=12 HEAD) # use the ACTUAL SHA rather than assume develop - -CI_PACKAGE=true DIST_VERSION=$VECTOR_SHA-react-$REACT_SHA-js-$JSSDK_SHA scripts/package.sh +CI_PACKAGE=true DIST_VERSION=$DIST_VERSION scripts/package.sh diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/scripts/docker-package.sh new/element-web-1.9.7/scripts/docker-package.sh --- old/element-web-1.9.6/scripts/docker-package.sh 1970-01-01 01:00:00.000000000 +0100 +++ new/element-web-1.9.7/scripts/docker-package.sh 2021-12-13 16:36:54.000000000 +0100 
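Review bot: The new `DIST_VERSION=` assignment in ci_package.sh runs the helper through backticks with `$(dirname $0)` unquoted, so a checkout path containing spaces would split the helper path into several words. Writing it as `DIST_VERSION=$("$(dirname "$0")"/get-version-from-git.sh)` avoids the splitting and nests without backticks. The same pattern appears twice in the new docker-package.sh and once in the package.sh hunk (`$(dirname $0)/normalize-version.sh ${version}`), where the version argument should be quoted as well.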
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -ex
+
+TAG=$(git describe --tags)
+BRANCH=$(git rev-parse --abbrev-ref HEAD)
+DIST_VERSION=$TAG
+
+# If the branch comes out as HEAD then we're probably checked out to a tag, so if the thing is *not*
+# coming out as HEAD then we're on a branch. When we're on a branch, we want to resolve ourselves to
+# a few SHAs rather than a version.
+# Docker Hub doesn't always check out the tag and sometimes checks out the branch, so we should look
+# for an appropriately tagged branch as well (heads/v1.2.3).
+if [[ $BRANCH != HEAD && ! $BRANCH =~ heads/v.+ ]]
+then
+ DIST_VERSION=`$(dirname $0)/get-version-from-git.sh`
+fi
+
+DIST_VERSION=`$(dirname $0)/normalize-version.sh ${DIST_VERSION}`
+VERSION=$DIST_VERSION yarn build
+echo $DIST_VERSION > /src/webapp/version
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/scripts/docker-write-version.sh new/element-web-1.9.7/scripts/docker-write-version.sh
--- old/element-web-1.9.6/scripts/docker-write-version.sh 2021-12-06 16:38:51.000000000 +0100
+++ new/element-web-1.9.7/scripts/docker-write-version.sh 1970-01-01 01:00:00.000000000 +0100
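Review bot: docker-package.sh declares `#!/bin/sh`, but its condition uses `[[ … =~ … ]]`, which is a bash construct. The Dockerfile hunk runs it as `bash /src/scripts/docker-package.sh`, so the image build works. Run directly on a system whose `sh` is not bash, however, the `[[` command fails, and because it sits in an `if` condition `set -e` does not abort, so the script silently keeps the tag as `DIST_VERSION`. Changing the first line to `#!/bin/bash`, as the two new helper scripts already do, removes the mismatch.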
@@ -1,22 +0,0 @@
-#!/bin/sh
-
-set -ex
-
-TAG=$(git describe --tags)
-BRANCH=$(git rev-parse --abbrev-ref HEAD)
-DIST_VERSION=$TAG
-
-# If the branch comes out as HEAD then we're probably checked out to a tag, so if the thing is *not*
-# coming out as HEAD then we're on a branch. When we're on a branch, we want to resolve ourselves to
-# a few SHAs rather than a version.
-# Docker Hub doesn't always check out the tag and sometimes checks out the branch, so we should look
-# for an appropriately tagged branch as well (heads/v1.2.3).
-if [[ $BRANCH != HEAD && ! $BRANCH =~ heads/v.+ ]]
-then
- REACT_SHA=$(cd node_modules/matrix-react-sdk; git rev-parse --short=12 HEAD)
- JSSDK_SHA=$(cd node_modules/matrix-js-sdk; git rev-parse --short=12 HEAD)
- VECTOR_SHA=$(git rev-parse --short=12 HEAD) # use the ACTUAL SHA rather than assume develop
- DIST_VERSION=$VECTOR_SHA-react-$REACT_SHA-js-$JSSDK_SHA
-fi
-
-echo $DIST_VERSION > /src/webapp/version
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/scripts/get-version-from-git.sh new/element-web-1.9.7/scripts/get-version-from-git.sh
--- old/element-web-1.9.6/scripts/get-version-from-git.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/element-web-1.9.7/scripts/get-version-from-git.sh 2021-12-13 16:36:54.000000000 +0100
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Echoes a version based on the git hashes of the element-web, react-sdk & js-sdk checkouts, for the case where
+# these dependencies are git checkouts.
+
+# Since the deps are fetched from git, we can rev-parse
+REACT_SHA=$(cd node_modules/matrix-react-sdk; git rev-parse --short=12 HEAD)
+JSSDK_SHA=$(cd node_modules/matrix-js-sdk; git rev-parse --short=12 HEAD)
+VECTOR_SHA=$(git rev-parse --short=12 HEAD) # use the ACTUAL SHA rather than assume develop
+echo $VECTOR_SHA-react-$REACT_SHA-js-$JSSDK_SHA
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/scripts/normalize-version.sh new/element-web-1.9.7/scripts/normalize-version.sh
--- old/element-web-1.9.6/scripts/normalize-version.sh 1970-01-01 01:00:00.000000000 +0100
+++ new/element-web-1.9.7/scripts/normalize-version.sh 2021-12-13 16:36:54.000000000 +0100
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# If $1 looks like v1.2.3 or v1.2.3-foo, strip the leading v, then print it to stdout
+if [[ $1 =~ ^v[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+(-.+)?$ ]]; then
+ echo ${1:1}
+else
+ echo $1
+fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/scripts/package.sh new/element-web-1.9.7/scripts/package.sh
--- old/element-web-1.9.6/scripts/package.sh 2021-12-06 16:38:51.000000000 +0100
+++ new/element-web-1.9.7/scripts/package.sh 2021-12-13 16:36:54.000000000 +0100
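Review bot: get-version-from-git.sh has no `set -e`, so a failing `git rev-parse` no longer stops the build as it did when these lines lived in ci_package.sh under `set -ex`. The script would still echo a string with empty SHA fields and exit 0, which neither caller can detect. Separately, `cd node_modules/matrix-react-sdk; git rev-parse …` runs git even when the `cd` fails, in which case the SHA reported comes from whatever repository contains the current directory. Adding `set -e` after the shebang and writing `$(cd node_modules/matrix-react-sdk && git rev-parse --short=12 HEAD)`, likewise for matrix-js-sdk, makes a bad checkout fail loudly instead of stamping a misleading version.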
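Review bot: normalize-version.sh prints its argument with unquoted `echo ${1:1}` and `echo $1`, so a value containing whitespace or glob characters is word-split and expanded before it reaches the version file, and a value that looks like an echo option is consumed rather than printed. `printf '%s\n' "${1:1}"` and `printf '%s\n' "$1"` print the argument verbatim. The header comment could also state that a missing argument yields an empty line with exit status 0, since the callers write the output straight into the version file.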
@@ -21,12 +21,7 @@ # Just in case you have a local config, remove it before packaging rm element-$version/config.json || true -# if $version looks like semver with leading v, strip it before writing to file -if [[ ${version} =~ ^v[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+(-.+)?$ ]]; then - echo ${version:1} > element-$version/version -else - echo ${version} > element-$version/version -fi +$(dirname $0)/normalize-version.sh ${version} > element-$version/version tar chvzf dist/element-$version.tar.gz element-$version rm -r element-$version diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/src/vector/platform/WebPlatform.ts new/element-web-1.9.7/src/vector/platform/WebPlatform.ts --- old/element-web-1.9.6/src/vector/platform/WebPlatform.ts 2021-12-06 16:38:51.000000000 +0100 +++ new/element-web-1.9.7/src/vector/platform/WebPlatform.ts 2021-12-13 16:36:54.000000000 +0100 @@ -107,7 +107,7 @@ // presence of intermediate caching proxies), but still: we're trying // to tell the user that there is a new version. - return new Promise(function(resolve, reject) { + return new Promise((resolve, reject) => { request( { method: "GET", 
@@ -121,27 +121,24 @@ return; } - const ver = body.trim(); - resolve(ver); + resolve(this.getNormalizedAppVersion(body.trim())); }, ); }); } - getNormalizedAppVersion(): string { - let ver = process.env.VERSION; - + getNormalizedAppVersion(version: string): string { // if version looks like semver with leading v, strip it - // (matches scripts/package.sh) + // (matches scripts/normalize-version.sh) const semVerRegex = new RegExp("^v[0-9]+.[0-9]+.[0-9]+(-.+)?$"); - if (semVerRegex.test(process.env.VERSION)) { - ver = process.env.VERSION.substr(1); + if (semVerRegex.test(version)) { + return version.substr(1); } - return ver; + return version; } getAppVersion(): Promise<string> { - return Promise.resolve(this.getNormalizedAppVersion()); + return Promise.resolve(this.getNormalizedAppVersion(process.env.VERSION)); } startUpdater() { @@ -155,7 +152,7 @@ pollForUpdate = () => { return this.getMostRecentVersion().then((mostRecentVersion) => { - const currentVersion = this.getNormalizedAppVersion(); + const currentVersion = this.getNormalizedAppVersion(process.env.VERSION); if (currentVersion !== mostRecentVersion) { if (this.shouldShowUpdate(mostRecentVersion)) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/element-web-1.9.6/yarn.lock new/element-web-1.9.7/yarn.lock --- old/element-web-1.9.6/yarn.lock 2021-12-06 16:38:51.000000000 +0100 +++ new/element-web-1.9.7/yarn.lock 2021-12-13 16:36:54.000000000 +0100 
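Review bot: In `getNormalizedAppVersion` the comment says the pattern matches scripts/normalize-version.sh, but the dots in `new RegExp("^v[0-9]+.[0-9]+.[0-9]+(-.+)?$")` are unescaped and match any character, whereas the shell pattern uses `\.`. This hunk now also applies the function to the version string fetched from the server, so the two normalizers should accept exactly the same inputs. A regex literal keeps the escapes readable: `const semVerRegex = /^v[0-9]+\.[0-9]+\.[0-9]+(-.+)?$/;`. The parameter is typed `string` while both call sites pass `process.env.VERSION`, which may be undefined if the build does not set it, so a short doc comment or a `string | undefined` signature would document that case.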
@@ -1306,9 +1306,9 @@ "@types/yargs" "^16.0.0" chalk "^4.0.0" -"@matrix-org/olm@https://gitlab.matrix.org/api/v4/projects/27/packages/npm/@matrix-org/olm/-/@matrix-org/olm-3.2.3.tgz": - version "3.2.3" - resolved "https://gitlab.matrix.org/api/v4/projects/27/packages/npm/@matrix-org/olm/-/@matrix-org/olm-3.2.3.tgz#cc332fdd25c08ef0e40f4d33fc3f822a0f98b6f4" +"@matrix-org/olm@https://gitlab.matrix.org/api/v4/projects/27/packages/npm/@matrix-org/olm/-/@matrix-org/olm-3.2.8.tgz": + version "3.2.8" + resolved "https://gitlab.matrix.org/api/v4/projects/27/packages/npm/@matrix-org/olm/-/@matrix-org/olm-3.2.8.tgz#8d53636d045e1776e2a2ec6613e57330dd9ce856" "@mrmlnc/readdir-enhanced@^2.2.1": version "2.2.1" @@ -7854,10 +7854,10 @@ resolved "https://registry.yarnpkg.com/mathml-tag-names/-/mathml-tag-names-2.1.3.tgz#4ddadd67308e780cf16a47685878ee27b736a0a3" integrity sha512-APMBEanjybaPzUrfqU0IMU5I0AswKMH7k8OTLs0vvV4KZpExkTkY87nR/zpbuTPj+gARop7aGUbl11pnDfW6xg== -matrix-js-sdk@15.2.0: - version "15.2.0" - resolved "https://registry.yarnpkg.com/matrix-js-sdk/-/matrix-js-sdk-15.2.0.tgz#1f04fe938f951af8af4b78dff8ff697db5981428" - integrity sha512-jZOM8Fn86oNvU3zVQcc+JTKKrtYq4ADN6rPZs4Mwxj/X/GDP+2YIP5176GtviF0GM6VO1dcnPZY73ykl8DayjA== +matrix-js-sdk@15.2.1: + version "15.2.1" + resolved "https://registry.yarnpkg.com/matrix-js-sdk/-/matrix-js-sdk-15.2.1.tgz#61e9742ccacfe486231415372e12cb13607b5d7c" + integrity sha512-e0/NE6LUfDLKLdWNFyH5OGt2QHybandrC0x9qgj7P1/fe+zgLGGd8W4XGDa5CMHjjqm/OoLMam44+0+FafojlQ== dependencies: "@babel/runtime" "^7.12.5" another-json "^0.2.0" 
@@ -7878,10 +7878,10 @@ bluebird "^3.5.0" expect "^1.20.2" -matrix-react-sdk@3.36.0: - version "3.36.0" - resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-3.36.0.tgz#70a07944bd217e8d52e7b818d215d6d7e1b9c3f2" - integrity sha512-/Mc+4PrySGs2LHN15LQk9bUauAHk2dW7SrG04wEnjNSA+yudH5wiHYZ/4p1ZHjOLW/NsDoGpIYN+Yqkr9aKuHA== +matrix-react-sdk@3.36.1: + version "3.36.1" + resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-3.36.1.tgz#0970b5e707e5dfc07dd708a3e30f7050296fcc31" + integrity sha512-5L6SoMt3S1gjvB4AviR1Duc6sSVqf1hSq7aW8JH1houF3N7cYlNDJL5RXQ+G3iFqMlE+QpEUOApfN45WjLA+Bw== dependencies: "@babel/runtime" "^7.12.5" "@sentry/browser" "^6.11.0" @@ -7912,7 +7912,7 @@ katex "^0.12.0" linkifyjs "^2.1.9" lodash "^4.17.20" - matrix-js-sdk "15.2.0" + matrix-js-sdk "15.2.1" matrix-widget-api "^0.1.0-beta.17" minimist "^1.2.5" opus-recorder "^8.0.3"