Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rubygem-tzinfo-1.2 for 
openSUSE:Factory checked in at 2022-08-09 15:26:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-tzinfo-1.2 (Old)
 and      /work/SRC/openSUSE:Factory/.rubygem-tzinfo-1.2.new.1521 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-tzinfo-1.2"

Tue Aug  9 15:26:58 2022 rev:6 rq:993529 version:1.2.10

Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-tzinfo-1.2/rubygem-tzinfo-1.2.changes    
2021-01-21 21:56:11.973829213 +0100
+++ 
/work/SRC/openSUSE:Factory/.rubygem-tzinfo-1.2.new.1521/rubygem-tzinfo-1.2.changes
  2022-08-09 15:27:16.097439335 +0200
@@ -1,0 +2,17 @@
+Thu Aug  4 13:33:36 UTC 2022 - Stephan Kulow <co...@suse.com>
+
+updated to version 1.2.10
+ see installed CHANGES.md
+
+  Version 1.2.10 - 19-Jul-2022
+  ----------------------------
+  
+  * Fixed a relative path traversal bug that could cause arbitrary files to be
+    loaded with require when used with RubyDataSource. Please refer to
+    https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx 
for
+    details. CVE-2022-31163.
+  * Ignore the SECURITY file from Arch Linux's tzdata package. #134.
+  
+  
+
+-------------------------------------------------------------------
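Review bot: the entry names CVE-2022-31163 but carries no bsc#/boo# bugzilla reference; openSUSE security updates are tracked through those ids, so the matching bug number should be added to the entry if one exists. The three whitespace-only lines after the `#134` bullet can also be dropped.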

Old:
----
  tzinfo-1.2.9.gem

New:
----
  tzinfo-1.2.10.gem

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ rubygem-tzinfo-1.2.spec ++++++
--- /var/tmp/diff_new_pack.jpkSmy/_old  2022-08-09 15:27:16.545440615 +0200
+++ /var/tmp/diff_new_pack.jpkSmy/_new  2022-08-09 15:27:16.549440626 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package rubygem-tzinfo-1.2
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
 #
 
 Name:           rubygem-tzinfo-1.2
-Version:        1.2.9
+Version:        1.2.10
 Release:        0
 %define mod_name tzinfo
 %define mod_full_name %{mod_name}-%{version}

++++++ tzinfo-1.2.9.gem -> tzinfo-1.2.10.gem ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/CHANGES.md new/CHANGES.md
--- old/CHANGES.md      2020-12-16 21:32:03.000000000 +0100
+++ new/CHANGES.md      2022-07-19 20:23:13.000000000 +0200
@@ -1,3 +1,13 @@
+Version 1.2.10 - 19-Jul-2022
+----------------------------
+
+* Fixed a relative path traversal bug that could cause arbitrary files to be
+  loaded with require when used with RubyDataSource. Please refer to
+  https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx for
+  details. CVE-2022-31163.
+* Ignore the SECURITY file from Arch Linux's tzdata package. #134.
+
+
 Version 1.2.9 - 16-Dec-2020
 ---------------------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/LICENSE new/LICENSE
--- old/LICENSE 2020-12-16 21:32:03.000000000 +0100
+++ new/LICENSE 2022-07-19 20:23:13.000000000 +0200
@@ -1,4 +1,4 @@
-Copyright (c) 2005-2020 Philip Ross
+Copyright (c) 2005-2022 Philip Ross
 
 Permission is hereby granted, free of charge, to any person obtaining a copy 
of 
 this software and associated documentation files (the "Software"), to deal in 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/README.md new/README.md
--- old/README.md       2020-12-16 21:32:03.000000000 +0100
+++ new/README.md       2022-07-19 20:23:13.000000000 +0200
@@ -1,7 +1,7 @@
 TZInfo - Ruby Timezone Library
 ==============================
 
-[![RubyGems](https://img.shields.io/gem/v/tzinfo)](https://rubygems.org/gems/tzinfo)
 [![Travis CI 
Build](https://img.shields.io/travis/com/tzinfo/tzinfo/1.2?logo=travis)](https://travis-ci.com/tzinfo/tzinfo)
 [![AppVeyor 
Build](https://img.shields.io/appveyor/build/philr/tzinfo/1.2?logo=appveyor)](https://ci.appveyor.com/project/philr/tzinfo/branch/1.2)
+[![RubyGems](https://img.shields.io/gem/v/tzinfo?logo=rubygems&label=Gem)](https://rubygems.org/gems/tzinfo)
 
[![Tests](https://github.com/tzinfo/tzinfo/workflows/Tests/badge.svg?branch=1.2&event=push)](https://github.com/tzinfo/tzinfo/actions?query=workflow%3ATests+branch%3A1.2+event%3Apush)
 
 [TZInfo](https://tzinfo.github.io) provides daylight savings aware
 transformations between times in different timezones.
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/checksums.yaml.gz.sig new/checksums.yaml.gz.sig
--- old/checksums.yaml.gz.sig   2020-12-16 21:32:03.000000000 +0100
+++ new/checksums.yaml.gz.sig   2022-07-19 20:23:13.000000000 +0200
@@ -1,3 +1,2 @@

Binary files old/data.tar.gz.sig and new/data.tar.gz.sig differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/tzinfo/ruby_data_source.rb 
new/lib/tzinfo/ruby_data_source.rb
--- old/lib/tzinfo/ruby_data_source.rb  2020-12-16 21:32:03.000000000 +0100
+++ new/lib/tzinfo/ruby_data_source.rb  2022-07-19 20:23:13.000000000 +0200
@@ -38,7 +38,7 @@
     # Raises InvalidTimezoneIdentifier if the timezone is not found or the 
     # identifier is invalid.
     def load_timezone_info(identifier)
-      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ 
/^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
+      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ 
/\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/
       
       identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
       
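Review bot: the `^`/`$` anchors in the old pattern are the root of CVE-2022-31163: in Ruby they match at any line boundary, so an identifier whose first line is well-formed passes validation even when a later line carries `..` segments, and the value is then interpolated into a `require` path. `\A`/`\z` anchor against the whole string and close that hole; dropping the backslash before `+` inside the character class is also correct, since `+` is literal there. As defence in depth, consider resolving the final path with `File.expand_path` and asserting it stays under the data directory before calling `require`, so a future edit to the pattern cannot reopen the traversal.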
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/lib/tzinfo/zoneinfo_data_source.rb 
new/lib/tzinfo/zoneinfo_data_source.rb
--- old/lib/tzinfo/zoneinfo_data_source.rb      2020-12-16 21:32:03.000000000 
+0100
+++ new/lib/tzinfo/zoneinfo_data_source.rb      2022-07-19 20:23:13.000000000 
+0200
@@ -87,6 +87,29 @@
     # The default value of 
ZoneinfoDataSource.alternate_iso3166_tab_search_path.
     DEFAULT_ALTERNATE_ISO3166_TAB_SEARCH_PATH = 
['/usr/share/misc/iso3166.tab', '/usr/share/misc/iso3166'].freeze
     
+    # File and directories in the top level zoneinfo directory that will be
+    # excluded from the list of available time zones:
+    #
+    #   - +VERSION is included on Mac OS X.
+    #   - leapseconds is a list of leap seconds.
+    #   - localtime is the current local timezone (may be a link).
+    #   - posix, posixrules and right are directories containing other versions
+    #     of the zoneinfo files.
+    #   - SECURITY is included in the Arch Linux tzdata package.
+    #   - src is a directory containing the tzdata source included on Solaris.
+    #   - timeconfig is a symlink included on Slackware.
+    EXCLUDED_FILENAMES = [
+      '+VERSION',
+      'leapseconds',
+      'localtime',
+      'posix',
+      'posixrules',
+      'right',
+      'SECURITY',
+      'src',
+      'timeconfig'
+    ].freeze
+
     # Paths to be checked to find the system zoneinfo directory.
     @@search_path = DEFAULT_SEARCH_PATH.dup
     
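Review bot: the list is now a public constant on `ZoneinfoDataSource`; if it is not meant to be part of the API, mark it `private_constant :EXCLUDED_FILENAMES` so callers do not start depending on it. The comment header reads "File and directories" where "Files and directories" is meant.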
@@ -352,16 +375,8 @@
     # identifiers.
     def load_timezone_index
       index = []
-      
-      # Ignoring particular files:
-      # +VERSION is included on Mac OS X.
-      # leapseconds is a list of leap seconds.
-        # localtime is the current local timezone (may be a link).
-      # posix, posixrules and right are directories containing other versions 
of the zoneinfo files.
-      # src is a directory containing the tzdata source included on Solaris.
-      # timeconfig is a symlink included on Slackware.
-      
-      enum_timezones(nil, ['+VERSION', 'leapseconds', 'localtime', 'posix', 
'posixrules', 'right', 'src', 'timeconfig']) do |identifier|
+
+      enum_timezones(nil, EXCLUDED_FILENAMES) do |identifier|
         index << identifier
       end
       
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata        2020-12-16 21:32:03.000000000 +0100
+++ new/metadata        2022-07-19 20:23:13.000000000 +0200
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: tzinfo
 version: !ruby/object:Gem::Version
-  version: 1.2.9
+  version: 1.2.10
 platform: ruby
 authors:
 - Philip Ross
@@ -29,7 +29,7 @@
   J3Zn/kSTjTekiaspyGbczC3PUaeJNxr+yCvR4sk71Xmk/GaKKGOHedJ1uj/LAXrA
   MR0mpl7b8zCg0PFC1J73uw==
   -----END CERTIFICATE-----
-date: 2020-12-16 00:00:00.000000000 Z
+date: 2022-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thread_safe
@@ -92,6 +92,7 @@
 - lib/tzinfo/zoneinfo_country_info.rb
 - lib/tzinfo/zoneinfo_data_source.rb
 - lib/tzinfo/zoneinfo_timezone_info.rb
+- test/assets/payload.rb
 - test/tc_annual_rules.rb
 - test/tc_country.rb
 - test/tc_country_index_definition.rb
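Review bot: `test/assets/payload.rb` is now shipped inside the published gem because the file list includes the test tree; harmless since the file only raises, but the canary is installed on end-user systems alongside the library, so it should not be mistaken for runtime code.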
@@ -190,7 +191,7 @@
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: Daylight savings aware timezone library
Binary files old/metadata.gz.sig and new/metadata.gz.sig differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/assets/payload.rb new/test/assets/payload.rb
--- old/test/assets/payload.rb  1970-01-01 01:00:00.000000000 +0100
+++ new/test/assets/payload.rb  2022-07-19 20:23:13.000000000 +0200
@@ -0,0 +1 @@
+raise 'This should never be executed'
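Review bot: the file carries no comment explaining its purpose; a one-line comment stating that it is a canary which must never be required (the traversal test passes only if `InvalidTimezoneIdentifier` is raised before this file is reached) would stop someone from removing it as dead code.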
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/tc_ruby_data_source.rb 
new/test/tc_ruby_data_source.rb
--- old/test/tc_ruby_data_source.rb     2020-12-16 21:32:03.000000000 +0100
+++ new/test/tc_ruby_data_source.rb     2022-07-19 20:23:13.000000000 +0200
@@ -48,9 +48,15 @@
   
   def test_load_timezone_info_invalid
     assert_raises(InvalidTimezoneIdentifier) do
-      @data_source.load_timezone_info('../Definitions/UTC')
+      @data_source.load_timezone_info('../definitions/UTC')
     end
   end
+
+  def test_load_timezone_info_directory_traversal
+    test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
+    payload_path = File.join(TESTS_DIR, 'assets', 'payload')
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * 
(test_data_depth + 4)}#{payload_path}") }
+  end
   
   def test_load_timezone_info_nil
     assert_raises(InvalidTimezoneIdentifier) do
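Review bot: the `+ 4` in `'/..' * (test_data_depth + 4)` is a magic number; a comment stating what it accounts for (the depth below `TZINFO_TEST_DATA_DIR` at which the identifier is resolved) would keep the test understandable when the directory layout changes. The test also only exercises the public `Timezone.get` path; a second assertion calling `@data_source.load_timezone_info` with the same identifier would pin the fix to the data source itself, matching `test_load_timezone_info_invalid` above it.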
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/tc_timezone.rb new/test/tc_timezone.rb
--- old/test/tc_timezone.rb     2020-12-16 21:32:03.000000000 +0100
+++ new/test/tc_timezone.rb     2022-07-19 20:23:13.000000000 +0200
@@ -213,7 +213,7 @@
   end
   
   def test_get_invalid
-    assert_raises(InvalidTimezoneIdentifier) { 
Timezone.get('../Definitions/UTC') }
+    assert_raises(InvalidTimezoneIdentifier) { 
Timezone.get('../definitions/UTC') }
   end
   
   def test_get_nil
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/tc_zoneinfo_data_source.rb 
new/test/tc_zoneinfo_data_source.rb
--- old/test/tc_zoneinfo_data_source.rb 2020-12-16 21:32:03.000000000 +0100
+++ new/test/tc_zoneinfo_data_source.rb 2022-07-19 20:23:13.000000000 +0200
@@ -374,7 +374,7 @@
   
   def test_load_timezone_info_invalid
     assert_raises(InvalidTimezoneIdentifier) do
-      @data_source.load_timezone_info('../Definitions/Europe/London')
+      @data_source.load_timezone_info('../zoneinfo/Europe/London')
     end
   end
   
@@ -818,6 +818,25 @@
     end
   end
   
+  def test_timezone_identifiers_ignored_security_file
+    # The Arch linux tzdata package includes a file named SECURITY giving
+    # instructions for reporting security-related bugs.
+
+    Dir.mktmpdir('tzinfo_test') do |dir|
+      FileUtils.touch(File.join(dir, 'zone.tab'))
+      FileUtils.touch(File.join(dir, 'iso3166.tab'))
+      FileUtils.cp(File.join(@data_source.zoneinfo_dir, 'EST'), File.join(dir, 
'EST'))
+
+      File.open(File.join(dir, 'SECURITY'), 'w') do |f|
+        f.binmode
+        f.write("Please report any sensitive security-related bugs...\n")
+      end
+
+      data_source = ZoneinfoDataSource.new(dir)
+      assert_equal(['EST'], data_source.timezone_identifiers)
+    end
+  end
+
   def test_load_country_info
     info = @data_source.load_country_info('GB')
     assert_equal('GB', info.code)
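Review bot: in the comment, "Arch linux" should be "Arch Linux". The assertion covers only the SECURITY exclusion; since the whole exclusion list was moved into `EXCLUDED_FILENAMES` in the same release, a variant that touches every excluded name in the temp dir and still expects `['EST']` would guard against a typo in the constant.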
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/test/test_utils.rb new/test/test_utils.rb
--- old/test/test_utils.rb      2020-12-16 21:32:03.000000000 +0100
+++ new/test/test_utils.rb      2022-07-19 20:23:13.000000000 +0200
@@ -153,6 +153,22 @@
       
       actual_lines = process.readlines
       actual_lines = actual_lines.collect {|l| l.chomp}
+
+      # Ignore warnings from JRuby 1.7 and 9.0 on modern versions of Java:
+      # https://github.com/tzinfo/tzinfo/runs/1664655982#step:8:1893
+      #
+      # Ignore untaint deprecation warnings from Bundler 1 on Ruby 3.0.
+      actual_lines = actual_lines.reject do |l|
+        l.start_with?('unsupported Java version') ||
+          l.start_with?('WARNING: An illegal reflective access operation has 
occurred') ||
+          l.start_with?('WARNING: Illegal reflective access by') ||
+          l.start_with?('WARNING: Please consider reporting this to the 
maintainers of') ||
+          l.start_with?('WARNING: All illegal access operations will be denied 
in a future release') ||
+          l.start_with?('WARNING: Use --illegal-access=warn to enable warnings 
of further illegal reflective access operations') ||
+          l.start_with?('io/console on JRuby shells out to stty for most 
operations') ||
+          l =~ /\/bundler-1\..*\/lib\/bundler\/.*\.rb:\d+: warning: 
(Object|Pathname)#untaint is deprecated and will be removed in Ruby 3\.2\.\z/
+      end
+
       assert_equal(expected_lines, actual_lines)
     end
   end
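Review bot: this hunk is unrelated to the advisory fix and is not mentioned in CHANGES.md; acceptable for test-only code, but a reviewer comparing the release against the GHSA should not take it for part of the fix. Note also that prefix matching silently drops any future warning that happens to start with one of these strings, so the list should stay as narrow as it is now.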
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tzinfo.gemspec new/tzinfo.gemspec
--- old/tzinfo.gemspec  2020-12-16 21:32:03.000000000 +0100
+++ new/tzinfo.gemspec  2022-07-19 20:23:13.000000000 +0200
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'tzinfo'
-  s.version = '1.2.9'
+  s.version = '1.2.10'
   s.summary = 'Daylight savings aware timezone library'
   s.description = 'TZInfo provides daylight savings aware transformations 
between times in different time zones.'
   s.author = 'Philip Ross'
