Hello community, here is the log from the commit of package aria2 for openSUSE:Factory checked in at 2019-01-10 15:23:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/aria2 (Old) and /work/SRC/openSUSE:Factory/.aria2.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aria2" Thu Jan 10 15:23:26 2019 rev:82 rq:664102 version:1.34.0 Changes: -------- --- /work/SRC/openSUSE:Factory/aria2/aria2.changes 2018-05-17 18:05:43.811196498 +0200 +++ /work/SRC/openSUSE:Factory/.aria2.new.28833/aria2.changes 2019-01-10 15:23:27.938322725 +0100 @@ -1,0 +2,7 @@ +Wed Jan 9 13:47:29 UTC 2019 - Martin Pluskal <mplus...@suse.com> + +- Fix CVE-2019-3500 boo#1120488 + * aria2-CVE-2019-3500.patch +- Move bash completion to better location + +------------------------------------------------------------------- New: ---- aria2-CVE-2019-3500.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ aria2.spec ++++++ --- /var/tmp/diff_new_pack.dGttUG/_old 2019-01-10 15:23:28.718321918 +0100 +++ /var/tmp/diff_new_pack.dGttUG/_new 2019-01-10 15:23:28.726321910 +0100 @@ -1,7 +1,7 @@ # # spec file for package aria2 # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -26,6 +26,8 @@ URL: https://aria2.github.io Source0: https://github.com/aria2/aria2/releases/download/release-%{version}/%{name}-%{version}.tar.xz Source1: %{name}.changes +# PATCH-FIX-UPSTREAM aria2-CVE-2019-3500.patch boo#1120488 +Patch0: aria2-CVE-2019-3500.patch BuildRequires: bison BuildRequires: gcc-c++ BuildRequires: gmp-devel @@ -82,6 +84,7 @@ %prep %setup -q +%patch0 -p1 # Do not use current date modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{SOURCE1}")" DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\"" 
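Review bot: The new `Patch0` comment in the `@@ -26,6 +26,8 @@` hunk records the bug number but not the patch's origin, so a later reviewer has to open the patch file to confirm it is the unmodified upstream commit; the patch header further down this page already carries that id. Suggest `# PATCH-FIX-UPSTREAM aria2-CVE-2019-3500.patch boo#1120488 CVE-2019-3500 -- upstream commit 37368130ca7de5491a75fd18a20c5c5cc641824a, mask Authorization/Cookie headers in logs` so the CVE and the upstream reference are greppable from the spec alone.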
@@ -106,6 +109,10 @@ find %{buildroot} -type f -name "*.la" -delete -print # Only installation instructions rm -rf %{buildroot}%{_defaultdocdir}/%{name}/bash_completion +# Lets use more suitable location +mkdir -p %{buildroot}%{_datadir}/bash-completion/completions +mv %{buildroot}%{_sysconfdir}/bash_completion.d/aria2c \ + %{buildroot}%{_datadir}/bash-completion/completions/aria2c %find_lang aria2 --with-man @@ -121,7 +128,9 @@ %doc AUTHORS ChangeLog NEWS README README.html README.rst %{_docdir}/%{name}/xmlrpc/ %{_bindir}/aria2c -%config %{_sysconfdir}/bash_completion.d/aria2c +%dir %{_datadir}/bash-completion +%dir %{_datadir}/bash-completion/completions +%{_datadir}/bash-completion/completions/aria2c %{_mandir}/man1/aria2c.1%{?ext_man} %{_mandir}/pt/man1/aria2c.1%{?ext_man} %{_mandir}/ru/man1/aria2c.1%{?ext_man} ++++++ aria2-CVE-2019-3500.patch ++++++ >From 37368130ca7de5491a75fd18a20c5c5cc641824a Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa <tatsuhir...@gmail.com> Date: Sat, 5 Jan 2019 09:32:40 +0900 Subject: [PATCH] Mask headers --- src/HttpConnection.cc | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/HttpConnection.cc b/src/HttpConnection.cc index 77cb9d27a..be5b97723 100644 --- a/src/HttpConnection.cc +++ b/src/HttpConnection.cc 
@@ -102,11 +102,17 @@ std::string HttpConnection::eraseConfidentialInfo(const std::string& request)
   std::string result;
   std::string line;
   while (getline(istr, line)) {
-    if (util::startsWith(line, "Authorization: Basic")) {
-      result += "Authorization: Basic ********\n";
+    if (util::istartsWith(line, "Authorization: ")) {
+      result += "Authorization: <snip>\n";
     }
-    else if (util::startsWith(line, "Proxy-Authorization: Basic")) {
-      result += "Proxy-Authorization: Basic ********\n";
+    else if (util::istartsWith(line, "Proxy-Authorization: ")) {
+      result += "Proxy-Authorization: <snip>\n";
+    }
+    else if (util::istartsWith(line, "Cookie: ")) {
+      result += "Cookie: <snip>\n";
+    }
+    else if (util::istartsWith(line, "Set-Cookie: ")) {
+      result += "Set-Cookie: <snip>\n";
     }
     else {
       result += line;
@@ -154,8 +160,8 @@ std::unique_ptr<HttpResponse> HttpConnection::receiveResponse()
   const auto& proc = outstandingHttpRequests_.front()->getHttpHeaderProcessor();
   if (proc->parse(socketRecvBuffer_->getBuffer(),
                   socketRecvBuffer_->getBufferLength())) {
-    A2_LOG_INFO(
-        fmt(MSG_RECEIVE_RESPONSE, cuid_, proc->getHeaderString().c_str()));
+    A2_LOG_INFO(fmt(MSG_RECEIVE_RESPONSE, cuid_,
+                    eraseConfidentialInfo(proc->getHeaderString()).c_str()));
     auto result = proc->getResult();
     if (result->getStatusCode() / 100 == 1) {
       socketRecvBuffer_->drain(proc->getLastBytesProcessed());
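Review bot: All four new prefixes in the `@@ -102,11 +102,17 @@` hunk require exactly one space after the colon, so a header line written with no space, a tab, or several spaces after `Set-Cookie:` or `Cookie:` falls through to `result += line;` and is logged unmasked; that matters because the second hunk now runs this function on server-supplied response headers whose formatting aria2 does not control. Matching on the field name alone, e.g. `util::istartsWith(line, "Set-Cookie:")` and likewise for `Cookie:`, `Authorization:` and `Proxy-Authorization:`, closes that gap without changing the replacement text. A folded continuation line (leading SP or HTAB) would similarly carry the remainder of a masked value into the log unless the header processor has already unfolded it, which is not visible here and worth confirming. eraseConfidentialInfo begins and ends outside the hunk, so the trailing newline handling after `result += line;` was not reviewed.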