Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pyenv for openSUSE:Factory checked in at 2022-07-21 11:33:04

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pyenv (Old)
 and      /work/SRC/openSUSE:Factory/.pyenv.new.1523 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pyenv" Thu Jul 21 11:33:04 2022 rev:13 rq:989861 version:2.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/pyenv/pyenv.changes 2022-05-05 23:07:05.977610196 +0200 +++ /work/SRC/openSUSE:Factory/.pyenv.new.1523/pyenv.changes 2022-07-21 11:33:33.678957684 +0200 @@ -1,0 +2,19 @@ +Mon Jul 18 09:35:05 UTC 2022 - Thomas Schraitle <thomas.schrai...@suse.com> - 2.3.2 + +- Update to 2.3.2 + - Add CPython 3.11.0b2 by @saaketp in #2380 + - Honor CFLAGS_EXTRA for MicroPython #2006 by @yggdr in #2007 + - Add post-install checks for curses, ctypes, lzma, and tkinter + by @aphedges in #2353 + - Add CPython 3.11.0b3 by @edgarrmondragon in #2382 + - Add flags for Homebrew into python-config --ldflags by @native-api + in #2384 + - Add CPython 3.10.5 by @illia-v in #2386 + - Add Anaconda 2019.10, 2021.04, 2022.05; support Anaconda in + add_miniconda.py by @native-api in #2385 + - Add Pyston-2.3.4 by @dand-oss in #2390 + - Update Anaconda3-2022.05 MacOSX arm64 md5 by @bkbncn in #2391 +- Fix bsc#1201582 to fix CVE-2022-35861 (from commit 22fa683, file + pyenv-CVE-2022-35861.patch) + +------------------------------------------------------------------- Old: ---- pyenv-2.3.0.tar.gz New: ---- pyenv-2.3.2.tar.gz pyenv-CVE-2022-35861.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pyenv.spec ++++++ --- /var/tmp/diff_new_pack.dgNGNZ/_old 2022-07-21 11:33:34.246958243 +0200 +++ /var/tmp/diff_new_pack.dgNGNZ/_new 2022-07-21 11:33:34.246958243 +0200 
@@ -19,13 +19,17 @@ %define pyenv_dir %{_libexecdir}/pyenv # Name: pyenv -Version: 2.3.0 +Version: 2.3.2 Release: 0 Summary: Python Version Management License: MIT Group: Development/Languages/Python URL: https://github.com/pyenv/pyenv Source: https://github.com/pyenv/pyenv/archive/refs/tags/v%{version}.tar.gz#/pyenv-%{version}.tar.gz +# +# PATCH-FIX-OPENSUSE +# https://github.com/pyenv/pyenv/commit/22fa6835.patch +Patch0: %{name}-CVE-2022-35861.patch BuildRequires: bash-completion BuildRequires: fdupes BuildRequires: fish ++++++ pyenv-2.3.0.tar.gz -> pyenv-2.3.2.tar.gz ++++++ ++++ 3349 lines of diff (skipped) ++++++ pyenv-CVE-2022-35861.patch ++++++ >From 22fa683571d98b59ea16e5fe48ac411c67939653 Mon Sep 17 00:00:00 2001 From: James Stronz <j.a.str...@gmail.com> Date: Sat, 16 Jul 2022 15:01:04 -0700 Subject: [PATCH] CVE-2022-35861: Fixed relative path traversal due to using version string in path (#2412) --- libexec/pyenv-version-file-read | 13 ++++++++++--- test/version-file-read.bats | 12 ++++++++++++ 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/libexec/pyenv-version-file-read b/libexec/pyenv-version-file-read index 5dcc40fc..faaf1596 100755 --- a/libexec/pyenv-version-file-read +++ b/libexec/pyenv-version-file-read @@ -11,9 +11,16 @@ if [ -s "$VERSION_FILE" ]; then IFS="${IFS}"$'\r' sep= while read -n 1024 -r version _ || [[ $version ]]; do - [[ -z $version || $version == \#* ]] && continue - printf "%s%s" "$sep" "$version" - sep=: + if [[ -z $version || $version == \#* ]]; then + # Skip empty lines and comments + continue + elif [ "$version" = ".." ] || [[ $version == */* ]]; then + # The version string is used to construct a path and we skip dubious values. + # This prevents issues such as path traversal (CVE-2022-35861). + continue + fi + printf "%s%s" "$sep" "$version" + sep=: done <"$VERSION_FILE" [[ $sep ]] && { echo; exit; } fi diff --git a/test/version-file-read.bats b/test/version-file-read.bats index a7b184de..18cfe131 100644 
--- a/test/version-file-read.bats +++ b/test/version-file-read.bats @@ -82,3 +82,15 @@ IN run pyenv-version-file-read my-version assert_success "3.9.3:3.8.9:2.7.16" } + +@test "skips relative path traversal" { + cat > my-version <<IN +3.9.3 +3.8.9 + .. +./* +2.7.16 +IN + run pyenv-version-file-read my-version + assert_success "3.9.3:3.8.9:2.7.16" +} -- 2.35.3
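Review bot: the pyenv.spec hunk only declares `Patch0: %{name}-CVE-2022-35861.patch`; no change to `%prep` is visible in this diff, so unless the spec already uses `%autosetup -p1` the patch is listed but never applied. Confirm that `%prep` applies it (`%autosetup -p1` or `%patch0 -p1`) and that the build log shows it being applied. As a style point, a patch taken verbatim from an upstream commit (the comment points at https://github.com/pyenv/pyenv/commit/22fa6835.patch) is normally tagged `PATCH-FIX-UPSTREAM` rather than `PATCH-FIX-OPENSUSE`, and the tag line usually carries the bsc#/CVE reference from the changelog so the reason for the patch is visible in the spec itself.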
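Review bot: in the libexec/pyenv-version-file-read hunk the new `elif` rejects only a literal `..` and any entry containing `/`; a bare `.` passes and, per the hunk's own comment that the value is used to build a path, would point at the parent versions directory rather than at a version. The condition also mixes `[ ]` and `[[ ]]` on one line. Suggest one bracket style and covering `.` as well, e.g. `elif [[ $version == . || $version == .. || $version == */* ]]; then`, or better an allow-list on the shape of a version name (letters, digits, `.`, `_`, `+`, `-`) instead of a deny-list. Finally, a rejected entry is dropped silently; printing a short warning to stderr when an entry is skipped would let a user see why a version from their file is missing from the output.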
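Review bot: the new bats test "skips relative path traversal" covers `..` and `./*` but not a bare `.`, which the filter in pyenv-version-file-read does not reject; add a `.` line to the heredoc so the intended behaviour for it is pinned either way. Note also that the ` ..` line carries a leading space that `read` strips through IFS, so the test is really checking a plain `..`; if the intent is to verify that surrounding whitespace does not get past the filter, say so in a comment, otherwise drop the space to keep the fixture readable.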