Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cni for openSUSE:Factory checked in at 2021-06-04 22:42:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cni (Old) and /work/SRC/openSUSE:Factory/.cni.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cni"
Fri Jun 4 22:42:59 2021 rev:12 rq:896962 version:0.8.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/cni/cni.changes 2021-05-19 17:48:47.573682389 +0200
+++ /work/SRC/openSUSE:Factory/.cni.new.1898/cni.changes 2021-06-04 22:43:16.415110088 +0200
@@ -1,0 +2,7 @@
+Mon May 31 10:38:40 UTC 2021 - John Paul Adrian Glaubitz <[email protected]>
+
+- Update to version 0.8.1:
+ * This is a security release that fixes a single bug:
+ - Tighten up plugin-finding logic (#811).
+
+-------------------------------------------------------------------
Old:
----
 cni-0.8.0.tar.xz
New:
----
 cni-0.8.1.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cni.spec ++++++
--- /var/tmp/diff_new_pack.vJeFj9/_old 2021-06-04 22:43:16.863110581 +0200
+++ /var/tmp/diff_new_pack.vJeFj9/_new 2021-06-04 22:43:16.867110585 +0200
@@ -21,7 +21,7 @@
 %define cni_doc_dir %{_docdir}/cni
 
 Name: cni
-Version: 0.8.0
+Version: 0.8.1
 Release: 0
 Summary: Container Network Interface - networking for Linux containers
 License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.vJeFj9/_old 2021-06-04 22:43:16.891110612 +0200
+++ /var/tmp/diff_new_pack.vJeFj9/_new 2021-06-04 22:43:16.891110612 +0200
@@ -4,8 +4,8 @@
 <param name="scm">git</param>
 <param name="filename">cni</param>
 <param name="exclude">.git</param>
-<param name="versionformat">0.8.0</param>
-<param name="revision">v0.8.0</param>
+<param name="versionformat">0.8.1</param>
+<param name="revision">v0.8.1</param>
 <param name="changesgenerate">enable</param>
 </service>
 <service name="recompress" mode="disabled">
++++++ cni-0.8.0.tar.xz -> cni-0.8.1.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cni-0.8.0/pkg/invoke/find.go new/cni-0.8.1/pkg/invoke/find.go
--- old/cni-0.8.0/pkg/invoke/find.go 2020-06-10 17:43:06.000000000 +0200
+++ new/cni-0.8.1/pkg/invoke/find.go 2021-02-02 15:20:12.000000000 +0100
@@ -18,6 +18,7 @@
 "fmt"
 "os"
 "path/filepath"
+"strings"
 )
 
 // FindInPath returns the full path of the plugin by searching in the provided path
@@ -26,6 +27,10 @@
 return "", fmt.Errorf("no plugin name provided")
 }
 
+if strings.ContainsRune(plugin, os.PathSeparator) {
+return "", fmt.Errorf("invalid plugin name: %s", plugin)
+}
+
 if len(paths) == 0 {
 return "", fmt.Errorf("no paths provided")
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cni-0.8.0/pkg/invoke/find_test.go new/cni-0.8.1/pkg/invoke/find_test.go
--- old/cni-0.8.0/pkg/invoke/find_test.go 2020-06-10 17:43:06.000000000 +0200
+++ new/cni-0.8.1/pkg/invoke/find_test.go 2021-02-02 15:20:12.000000000 +0100
@@ -99,5 +99,13 @@
 Expect(err).To(MatchError(fmt.Sprintf("failed to find plugin %q in path %s", pluginName, pathsWithNothing)))
 })
 })
+
+Context("When the plugin contains a directory separator", func() {
+It("returns an error", func() {
+bogusPlugin := ".." + string(os.PathSeparator) + "pluginname"
+_, err := invoke.FindInPath(bogusPlugin, []string{anotherTempDir})
+Expect(err).To(MatchError("invalid plugin name: " + bogusPlugin))
+})
+})
 })
 })
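Review bot: The new guard in FindInPath tests only for `os.PathSeparator`, while the `path/filepath` package imported above treats `/` as a separator on Windows as well (`os.IsPathSeparator`), so on a Windows build a name such as `../evil` is not rejected here and, if the candidate path is built with `filepath.Join` further down as the import suggests, still resolves outside the configured plugin directory. Requiring the name to be a single path element closes that regardless of platform and keeps the existing error text: `if filepath.Base(plugin) != plugin {`. Note that a bare `.` or `..` still satisfies that condition (as it does the committed check); whether the later lookup refuses the directory those resolve to is decided by code outside this hunk, so an explicit `plugin == "." || plugin == ".."` rejection is cheap insurance. The remainder of FindInPath's body runs past the hunk.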
