Hello community, here is the log from the commit of package osc for openSUSE:Factory checked in at 2015-03-16 07:00:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/osc (Old) and /work/SRC/openSUSE:Factory/.osc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "osc"
Changes:
--------
--- /work/SRC/openSUSE:Factory/osc/osc.changes 2015-01-14 11:46:03.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.osc.new/osc.changes 2015-03-16 07:00:47.000000000 +0100
@@ -1,0 +2,9 @@
+Thu Mar 12 09:36:27 UTC 2015 - [email protected]
+
+- 0.151.0
+ - fixed shell command injection via crafted _service files CVE-2015-0778 boo#901643
+ - fix times when data comes from OBS backend
+ - support updateing the link in target package for submit requests
+ - various minor bugfixes
+
+-------------------------------------------------------------------
Old:
----
osc-0.150.1.tar.gz
New:
----
osc-0.151.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ osc.spec ++++++
--- /var/tmp/diff_new_pack.QLoCZt/_old 2015-03-16 07:00:48.000000000 +0100
+++ /var/tmp/diff_new_pack.QLoCZt/_new 2015-03-16 07:00:48.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package osc
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 Name: osc
-Version: 0.150.1
+Version: 0.151.0
 Release: 0
 Summary: openSUSE Build Service Commander
 License: GPL-2.0+
++++++ PKGBUILD ++++++
--- /var/tmp/diff_new_pack.QLoCZt/_old 2015-03-16 07:00:48.000000000 +0100
+++ /var/tmp/diff_new_pack.QLoCZt/_new 2015-03-16 07:00:48.000000000 +0100
@@ -1,5 +1,5 @@
 pkgname=osc
-pkgver=0.150.1
+pkgver=0.151.0
 pkgrel=0
 pkgdesc="Open Build Service client"
 arch=('i686' 'x86_64')
@@ -8,7 +8,7 @@
 groups=('base-devel')
 depends=('python2' 'python2-m2crypto' 'urlgrabber')
 source=(osc-${pkgver}.tar.gz)
-md5sums=('24a5313d364d46a1a03c443c50bfbc2b')
+md5sums=('877b9e4fc2c55b8950d3e642241ff6aa')
 package() {
 msg "Installing osc ..."
++++++ _service ++++++
--- /var/tmp/diff_new_pack.QLoCZt/_old 2015-03-16 07:00:48.000000000 +0100
+++ /var/tmp/diff_new_pack.QLoCZt/_new 2015-03-16 07:00:48.000000000 +0100
@@ -1,7 +1,7 @@
 <services>
 <service name="tar_scm" mode="disabled">
- <param name="version">0.150.1</param>
- <param name="revision">0.150</param>
+ <param name="version">0.151.0</param>
+ <param name="revision">0.151.0</param>
 <param name="url">git://github.com/openSUSE/osc.git</param>
 <param name="scm">git</param>
 </service>
++++++ debian.changelog ++++++
--- /var/tmp/diff_new_pack.QLoCZt/_old 2015-03-16 07:00:48.000000000 +0100
+++ /var/tmp/diff_new_pack.QLoCZt/_new 2015-03-16 07:00:48.000000000 +0100
@@ -1,4 +1,4 @@
-osc (0.150.1) unstable; urgency=low
+osc (0.151.0) unstable; urgency=low
 - Update to 0.135.0
 -- Adrian Schroeter <[email protected]> Wed, 28 Jun 2012 10:00:00 +0200
++++++ osc-0.150.1.tar.gz -> osc-0.151.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osc-0.150.1/NEWS new/osc-0.151.0/NEWS
--- old/osc-0.150.1/NEWS 2015-01-13 16:53:00.000000000 +0100
+++ new/osc-0.151.0/NEWS 2015-03-12 19:50:41.000000000 +0100
@@ -1,3 +1,9 @@
+0.151
+ - fixed shell command injection via crafted _service files (CVE-2015-0778)
+ - fix times when data comes from OBS backend
+ - support updateing the link in target package for submit requests
+ - various minor bugfixes
+
 0.150
 - support local builds using builenv (for same build environment as a former build)
 - add "osc api --edit" option to be able to edit some meta files directly
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osc-0.150.1/osc/commandline.py new/osc-0.151.0/osc/commandline.py
--- old/osc-0.150.1/osc/commandline.py 2015-01-13 16:53:00.000000000 +0100
+++ new/osc-0.151.0/osc/commandline.py 2015-03-12 19:50:41.000000000 +0100
@@ -47,7 +47,7 @@
 * http://en.opensuse.org/openSUSE:Build_Service_Tutorial
 * http://en.opensuse.org/openSUSE:OSC
 .PP
-You can modify osc commands, or roll you own, via the plugin API:
+You can modify osc commands, or roll your own, via the plugin API:
 * http://en.opensuse.org/openSUSE:OSC_plugins
 .SH AUTHOR
 osc was written by several authors. This man page is automatically generated.
@@ -67,7 +67,7 @@
 * http://en.opensuse.org/openSUSE:Build_Service_Tutorial
 * http://en.opensuse.org/openSUSE:OSC
- You can modify osc commands, or roll you own, via the plugin API:
+ You can modify osc commands, or roll your own, via the plugin API:
 * http://en.opensuse.org/openSUSE:OSC_plugins
 """
 name = 'osc'
@@ -948,6 +948,8 @@
 help='never remove source package on accept, but update its content')
 @cmdln.option('--no-update', action='store_true',
 help='never touch source package on accept (will break source links)')
+ @cmdln.option('--update-link', action='store_true',
+ help='This transfers the source including the _link file.')
 @cmdln.option('-d', '--diff', action='store_true',
 help='show diff only instead of creating the actual request')
 @cmdln.option('--yes', action='store_true',
@@ -1026,9 +1028,12 @@
 sr_ids = [] # for single request
 actionxml = ""
- options_block = ""
+ options_block = "<options>"
 if src_update:
- options_block = """<options><sourceupdate>%s</sourceupdate></options> """ % (src_update)
+ options_block += """<sourceupdate>%s</sourceupdate>""" % (src_update)
+ if opts.update_link:
+ options_block + """<updatelink>true</updatelink></options> """
+ options_block += "</options>"
 # loop via all packages for checking their state
 for p in meta_get_packagelist(apiurl, project):
@@ -1242,7 +1247,8 @@
 result = create_submit_request(apiurl, src_project, src_package,
 dst_project, dst_package,
- opts.message, orev=rev, src_update=src_update)
+ opts.message, orev=rev,
+ src_update=src_update, dst_updatelink=opts.update_link)
 if supersede_existing:
 for req in reqs:
 change_request_state(apiurl, req.reqid, 'superseded',
@@ -4139,6 +4145,7 @@
 'M' Modified
 '?' item is not under version control
 '!' item is missing (removed by non-osc command) or incomplete
+ 'S' item is skipped (item exceeds a file size limit or is _service:* file)
 'F' Frozen (use "osc pull" to merge conflicts) (package-only state)
 examples:
@@ -5657,9 +5664,6 @@
 if not os.path.isdir(d):
 raise oscerr.WrongOptions('Preferred package location \'%s\' is not a directory' % d)
- if opts.noinit and opts.offline:
- raise oscerr.WrongOptions('--noinit and --offline are mutually exclusive')
-
 if opts.offline and opts.preload:
 raise oscerr.WrongOptions('--offline and --preload are mutually exclusive')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osc-0.150.1/osc/core.py new/osc-0.151.0/osc/core.py
--- old/osc-0.150.1/osc/core.py 2015-01-13 16:53:00.000000000 +0100
+++ new/osc-0.151.0/osc/core.py 2015-03-12 19:50:41.000000000 +0100
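Review bot: In the `@@ -1026,9 +1028,12 @@` hunk the line `options_block + """<updatelink>true</updatelink></options> """` uses `+` instead of `+=`, so the concatenation result is discarded and `--update-link` never reaches the request XML built on this path; and even with `+=` that string carries its own `</options>` while the unconditional `options_block += "</options>"` on the next line closes the element a second time. Change it to `options_block += """<updatelink>true</updatelink>"""` so that the single closing tag below applies. The same construction in `create_submit_request` (core.py, this commit) is written correctly, and the `@@ -1242` hunk passes `dst_updatelink=opts.update_link` to it, so the defect appears limited to this inline path. The enclosing function begins and ends outside the hunk.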
@@ -5,7 +5,7 @@
 from __future__ import print_function
-__version__ = '0.150'
+__version__ = '0.151'
 # __store_version__ is to be incremented when the format of the working copy
 # "store" changes in an incompatible way. Please add any needed migration
@@ -273,18 +273,22 @@
 for service in services:
 name = service.get('name')
+ if len(name) < 3 or '/' in name:
+ raise oscerr.APIError("invalid service name")
 mode = service.get('mode', None)
 data = { 'name' : name, 'mode' : '' }
 if mode:
 data['mode'] = mode
 try:
+ command = [ name ]
 for param in service.findall('param'):
 option = param.get('name', None)
 value = ""
 if param.text:
 value = param.text
- name += " --" + option + " '" + value + "'"
- data['command'] = name
+ command.append("--"+option)
+ command.append(value)
+ data['command'] = command
 self.services.append(data)
 except:
 msg = 'invalid service format:\n%s' % ET.tostring(serviceinfo_node, encoding=ET_ENCODING)
@@ -372,7 +376,7 @@
 allservices = self.services or []
 if singleservice and not singleservice in allservices:
 # set array to the manual specified singleservice, if it is not part of _service file
- data = { 'name' : singleservice, 'command' : singleservice, 'mode' : '' }
+ data = { 'name' : singleservice, 'command' : [ singleservice ], 'mode' : '' }
 allservices = [data]
 # set environment when using OBS 2.3 or later
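Review bot: In the `@@ -273,18 +273,22 @@` hunk `name = service.get('name')` returns `None` when a `<service>` element has no `name` attribute, so the new `len(name) < 3` test raises `TypeError` instead of the intended `oscerr.APIError`, and it does so outside the `try:` that otherwise turns parse problems into the 'invalid service format' message. Write the guard as `if not name or len(name) < 3 or '/' in name:`. Building `command` as an argv list (consumed by `run_external(*cmd)` in the later hunk) is what takes the shell out of the path for CVE-2015-0778; param names are still passed verbatim as `--<option>` and values unchanged, so what a `_service` file can ask of a service script is now bounded by that script's own argument handling rather than by osc, and a one-line comment saying so next to `command = [ name ]` would spare the next reader re-deriving it. The bare `except:` after the added lines still swallows everything, including `KeyboardInterrupt`. The enclosing method begins and ends outside the hunk.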
@@ -393,17 +397,17 @@
 continue
 if service['mode'] != "trylocal" and service['mode'] != "localonly" and callmode == "trylocal":
 continue
- call = service['command']
 temp_dir = None
 try:
 temp_dir = tempfile.mkdtemp()
- name = call.split(None, 1)[0]
- if not os.path.exists("/usr/lib/obs/service/"+name):
- raise oscerr.PackageNotInstalled("obs-service-"+name)
- cmd = "/usr/lib/obs/service/" + call + " --outdir " + temp_dir
+ cmd = service['command']
+ if not os.path.exists("/usr/lib/obs/service/"+cmd[0]):
+ raise oscerr.PackageNotInstalled("obs-service-%s"%cmd[0])
+ cmd[0] = "/usr/lib/obs/service/"+cmd[0]
+ cmd = cmd + [ "--outdir", temp_dir ]
 if conf.config['verbose'] > 1 or verbose:
 print("Run source service:", cmd)
- r = run_external(cmd, shell=True)
+ r = run_external(*cmd)
 if r != 0:
 print("Aborting: service call failed: " + cmd)
@@ -2413,6 +2417,8 @@
 class RequestHistory(AbstractState):
 """Represents a history element of a request"""
+ re_name = re.compile(r'^Request (?:got )?([^\s]+)$')
+
 def __init__(self, history_node):
 AbstractState.__init__(self, history_node.tag)
 self.who = history_node.get('who')
@@ -2428,6 +2434,17 @@
 if not history_node.find('comment') is None and \
 history_node.find('comment').text:
 self.comment = history_node.find('comment').text.strip()
+ self.name = self._parse_name(history_node)
+
+ def _parse_name(self, history_node):
+ name = history_node.get('name', None)
+ if name is not None:
+ # OBS 2.5 and before
+ return name
+ mo = self.re_name.search(self.description)
+ if mo is not None:
+ return mo.group(1)
+ return self.description
 def get_node_attrs(self):
 return ('who', 'when')
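Review bot: In the `@@ -393,17 +397,17 @@` hunk `cmd = service['command']` binds the very list stored in `self.services`, and `cmd[0] = "/usr/lib/obs/service/"+cmd[0]` then rewrites it in place; if the same service entry is executed a second time in one process the prefix is applied twice and the `os.path.exists` check fails with a misleading `PackageNotInstalled`. Copy before mutating: `cmd = list(service['command'])`. On the failure path `print("Aborting: service call failed: " + cmd)` now concatenates `str` and `list`, so the abort message is replaced by a `TypeError`; use `print("Aborting: service call failed: " + " ".join(cmd))`. The enclosing method begins and ends outside the hunk.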
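Review bot: `_parse_name` in the `@@ -2428,6 +2434,17 @@` hunk has no docstring, and its fallback reads `self.description`, which is assigned outside the hunk; if that attribute can be `None` for a history node without a description, `self.re_name.search(self.description)` raises `TypeError`. Suggested docstring: `"""Return the history entry's name: the 'name' attribute (OBS 2.5 and earlier) or the word following 'Request [got]' in the description, else the description itself."""`. If `self.description` may be `None` (not visible here), guard with `if not self.description: return self.description` before the regex.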
@@ -2767,7 +2784,9 @@
 tgt_package = ''
 d['target'] = prj_pkg_join(action.tgt_project, tgt_package)
 if action.opt_makeoriginolder:
- d['target'] = d['target'] + ' ***makeoriginolder***'
+ d['target'] = d['target'] + ' ***make origin older***'
+ if action.opt_updatelink:
+ d['target'] = d['target'] + ' ***update link***'
 elif action.type == 'add_role':
 roles = []
 if action.person_name and action.person_role:
@@ -2885,11 +2904,11 @@
 """
 import time
- if time.localtime()[0] == time.localtime(t)[0]:
+ if time.gmtime()[0] == time.gmtime(t)[0]:
 # same year
- return time.strftime('%b %d %H:%M', time.localtime(t))
+ return time.strftime('%b %d %H:%M %Z', time.gmtime(t))
 else:
- return time.strftime('%b %d %Y', time.localtime(t))
+ return time.strftime('%b %d %Y', time.gmtime(t))
 def is_project_dir(d):
@@ -3908,19 +3927,23 @@
 r.create(apiurl, addrevision=True)
 return r
-# This creates an old style submit request for server api 1.0
 def create_submit_request(apiurl, src_project, src_package=None,
 dst_project=None, dst_package=None,
- message="", orev=None, src_update=None):
+ message="", orev=None, src_update=None, dst_updatelink=None):
 import cgi
 options_block = ""
 package = ""
 if src_package:
 package = """package="%s" """ % (src_package)
+ options_block = "<options>"
 if src_update:
- options_block = """<options><sourceupdate>%s</sourceupdate></options> """ % (src_update)
+ options_block += """<sourceupdate>%s</sourceupdate>""" % (src_update)
+ if dst_updatelink:
+ options_block += """<updatelink>true</updatelink>"""
+ options_block += "</options>"
+
 # Yes, this kind of xml construction is horrible
 targetxml = ""
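Review bot: `create_submit_request` in the `@@ -3908,19 +3927,23 @@` hunk now always emits an `<options></options>` element, because `options_block = "<options>"` and the closing `+= "</options>"` are unconditional, whereas before this change a request without `src_update` carried no `<options>` at all; whether an empty element is accepted by every server this client talks to is not visible here. Build the inner text first and wrap it only when non-empty: `inner = ...` then `options_block = "<options>%s</options>" % inner if inner else ""`. The removed line `# This creates an old style submit request for server api 1.0` was the function's only documentation; replace it with a docstring covering the parameters, including the new `dst_updatelink`, which adds `<updatelink>true</updatelink>` to the options. `src_update` is interpolated into the XML without `cgi.escape` although `cgi` is imported; that is fine if callers restrict it to the fixed `sourceupdate` keywords, which cannot be confirmed from this hunk.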
@@ -3931,12 +3954,12 @@
 targetxml = """<target project="%s" %s /> """ % ( dst_project, packagexml )
 # XXX: keep the old template for now in order to work with old obs instances
 xml = """\
-<request type="submit">
- <submit>
+<request>
+ <action type="submit">
 <source project="%s" %s rev="%s"/>
 %s
 %s
- </submit>
+ </action>
 <state name="new"/>
 <description>%s</description>
 </request>
@@ -5701,20 +5724,21 @@
 r = []
 for node in root.findall('entry'):
- rev = int(node.get('rev'))
+ rev = node.get('rev')
 srcmd5 = node.get('srcmd5')
 versrel = node.get('versrel')
 bcnt = int(node.get('bcnt'))
- t = time.localtime(int(node.get('time')))
- t = time.strftime('%Y-%m-%d %H:%M:%S', t)
+ t = time.gmtime(int(node.get('time')))
+ t = time.strftime('%Y-%m-%d %H:%M:%S %Z', t)
 if format == 'csv':
- r.append('%s|%s|%d|%s.%d' % (t, srcmd5, rev, versrel, bcnt))
+ r.append('%s|%s|%s|%s.%d' % (t, srcmd5, rev, versrel, bcnt))
 else:
- r.append('%s %s %6d %s.%d' % (t, srcmd5, rev, versrel, bcnt))
+ bversrel='%s.%d' % (versrel, bcnt)
+ r.append('%s %s %s %s' % (t, srcmd5, bversrel.ljust(16)[:16], rev))
 if format == 'text':
- r.insert(0, 'time srcmd5 rev vers-rel.bcnt')
+ r.insert(0, 'time srcmd5 vers-rel.bcnt rev')
 return r
@@ -5739,11 +5763,11 @@
 reason = "unknown"
 code = node.get('code')
 rt = int(node.get('readytime'))
- readyt = time.localtime(rt)
- readyt = time.strftime('%Y-%m-%d %H:%M:%S', readyt)
+ readyt = time.gmtime(rt)
+ readyt = time.strftime('%Y-%m-%d %H:%M:%S %Z', readyt)
 st = int(node.get('starttime'))
 et = int(node.get('endtime'))
- endtime = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(et))
+ endtime = time.strftime('%Y-%m-%d %H:%M:%S %Z', time.gmtime(et))
 waittm = time.gmtime(et-st)
 if waittm.tm_mday > 1:
 waitbuild = "%1dd %2dh %2dm %2ds" % (waittm.tm_mday-1, waittm.tm_hour, waittm.tm_min, waittm.tm_sec)
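Review bot: The comment `# XXX: keep the old template for now in order to work with old obs instances` in the `@@ -3931,12 +3954,12 @@` hunk is now stale: the hunk replaces the old `<request type="submit"><submit>` form with `<request><action type="submit">`, which is exactly the change the comment said was being held back. Either drop the comment or reword it, e.g. `# new-style <action> element; servers that only accept the old <submit> form are no longer supported here`. The enclosing function begins outside the hunk.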
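Review bot: In the `@@ -5701,20 +5724,21 @@` hunk `bversrel.ljust(16)[:16]` silently cuts a vers-rel.bcnt value longer than 16 characters in text output, while the csv branch prints it in full; at minimum mark this beside the line, e.g. `# fixed 16-column field; longer vers-rel.bcnt values are truncated`, or compute the column width from the longest value before formatting. Separately, `rev` is no longer passed through `int()`, so an entry without a `rev` attribute now prints the string `None` instead of raising. The enclosing function begins outside the hunk.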
@@ -5804,8 +5828,8 @@
 requestid = node.find('requestid').text.encode(locale.getpreferredencoding(), 'replace')
 except:
 requestid = ""
- t = time.localtime(int(node.find('time').text))
- t = time.strftime('%Y-%m-%d %H:%M:%S', t)
+ t = time.gmtime(int(node.find('time').text))
+ t = time.strftime('%Y-%m-%d %H:%M:%S %Z', t)
 if format == 'csv':
 s = '%s|%s|%s|%s|%s|%s|%s' % (rev, user, t, srcmd5, version,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osc-0.150.1/tests/test_request.py new/osc-0.151.0/tests/test_request.py
--- old/osc-0.150.1/tests/test_request.py 2015-01-13 16:53:00.000000000 +0100
+++ new/osc-0.151.0/tests/test_request.py 2015-03-12 19:50:41.000000000 +0100
@@ -470,7 +470,7 @@
 exp = """\
 Request: #123
- submit: xyz/abc(cleanup) -> foo
+ submit: xyz/abc(cleanup) -> foo ***update link***
 add_role: person: bar as maintainer, group: groupxyz as reader home:foo
++++++ osc.dsc ++++++
--- /var/tmp/diff_new_pack.QLoCZt/_old 2015-03-16 07:00:48.000000000 +0100
+++ /var/tmp/diff_new_pack.QLoCZt/_new 2015-03-16 07:00:48.000000000 +0100
@@ -1,6 +1,6 @@
 Format: 1.0
 Source: osc
-Version: 0.150.1
+Version: 0.151.0
 Binary: osc
 Maintainer: Adrian Schroeter <[email protected]>
 Architecture: any
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
