Hello community,

here is the log from the commit of package deepin-compressor for openSUSE:Factory checked in at 2023-12-28 23:03:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/deepin-compressor (Old)
 and /work/SRC/openSUSE:Factory/.deepin-compressor.new.28375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "deepin-compressor" Thu Dec 28 23:03:35 2023 rev:10 rq:1135476 version:5.12.13 Changes: -------- --- /work/SRC/openSUSE:Factory/deepin-compressor/deepin-compressor.changes 2023-01-17 17:36:26.145564774 +0100 +++ /work/SRC/openSUSE:Factory/.deepin-compressor.new.28375/deepin-compressor.changes 2023-12-28 23:05:07.802482857 +0100 @@ -1,0 +2,6 @@ +Thu Dec 28 12:43:20 UTC 2023 - Hillwood Yang <hillw...@opensuse.org> + +- Add fix-Zip-Path-Traversal.patch + * Fix Zip Path Traversal (boo#1218428 and CVE-2023-50255) + +------------------------------------------------------------------- New: ---- fix-Zip-Path-Traversal.patch BETA DEBUG BEGIN: New: - Add fix-Zip-Path-Traversal.patch * Fix Zip Path Traversal (boo#1218428 and CVE-2023-50255) BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ deepin-compressor.spec ++++++ --- /var/tmp/diff_new_pack.vm30ty/_old 2023-12-28 23:05:08.274500108 +0100 +++ /var/tmp/diff_new_pack.vm30ty/_new 2023-12-28 23:05:08.274500108 +0100 @@ -34,6 +34,9 @@ # PATCH-FIX-UPSTREAM 002-install-compressor-ChardetDetector.patch hillw...@opensuse.org # Install libcompressor-ChardetDetector.so Patch1: 002-install-compressor-ChardetDetector.patch +# PATCH-FIX-UPSTREAM fix-Zip-Path-Traversal.patch - fix Zip Path Traversal +# backport form https://github.com/linuxdeepin/deepin-compressor/commit/82f668c78c133873f5094cfab6e4eabc0b70e4b6 +Patch2: fix-Zip-Path-Traversal.patch BuildRequires: fdupes BuildRequires: gtest BuildRequires: hicolor-icon-theme ++++++ fix-Zip-Path-Traversal.patch ++++++ diff -Nur deepin-compressor-5.12.13/3rdparty/libzipplugin/libzipplugin.cpp deepin-compressor-5.12.13-new/3rdparty/libzipplugin/libzipplugin.cpp --- deepin-compressor-5.12.13/3rdparty/libzipplugin/libzipplugin.cpp 2022-12-28 13:50:00.000000000 +0800 +++ deepin-compressor-5.12.13-new/3rdparty/libzipplugin/libzipplugin.cpp 2023-12-28 20:41:04.137085065 +0800 
@@ -741,6 +741,11 @@ } strFileName = m_common->trans2uft8(statBuffer.name, m_mapFileCode[index]); // 解åæ件åï¼å缩å ä¸ï¼ + //fix 232873 + if(strFileName.indexOf("../") != -1) { + qInfo() << "skipped ../ path component(s) in " << strFileName; + strFileName = strFileName.replace("../", ""); + } QString strOriginName = strFileName; // é对æ件夹å称è¿é¿çæ åµï¼ç´æ¥æ示解å失败ï¼æ件夹å称è¿é¿
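Review bot: In the libzipplugin.cpp hunk (@@ -741,6 +741,11 @@), the added `strFileName = strFileName.replace("../", "");` is a single non-recursive pass, so deleting one occurrence can join the characters on either side of it into a new `../` that is never re-checked, and `strOriginName` is then taken from that result. The `indexOf("../")` test also matches only that exact sequence, so a name that starts with `/` or ends in a bare `..` passes through unchanged; the hunk does not show whether later code handles those. Suggest failing or skipping the entry when any path component equals `..`, or resolving the final destination and verifying it stays under the extraction directory, rather than rewriting the name. The `//fix 232873` comment should also cite CVE-2023-50255, since the bare number is not resolvable from this source tree.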
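Review bot: In the deepin-compressor.spec hunk (@@ -34,6 +34,9 @@), the added comment `# backport form https://github.com/linuxdeepin/deepin-compressor/commit/82f668c7...` has a typo ("form" should be "from"), and the `# PATCH-FIX-UPSTREAM fix-Zip-Path-Traversal.patch` line carries neither the boo#1218428 nor the CVE-2023-50255 reference that the .changes entry gives. Suggest adding both identifiers to the patch comment so the spec file alone ties Patch2 to the bug it addresses.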