Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package subfinder for openSUSE:Factory checked in at 2025-04-16 20:40:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/subfinder (Old) and /work/SRC/openSUSE:Factory/.subfinder.new.30101 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "subfinder" Wed Apr 16 20:40:07 2025 rev:5 rq:1269655 version:2.7.0 Changes: --------
--- /work/SRC/openSUSE:Factory/subfinder/subfinder.changes 2025-03-17 22:22:34.946985959 +0100
+++ /work/SRC/openSUSE:Factory/.subfinder.new.30101/subfinder.changes 2025-04-20 20:10:19.047031161 +0200
@@ -1,0 +2,6 @@
+Tue Apr 15 10:16:09 UTC 2025 - Dominik Heidler <dheid...@suse.de>
+
+- Add fix_cve_2024_0406.patch to patch github.com/mholt/archive dependency
+ for bsc#1241187 / CVE-2024-0406 / GHSA-rhh4-rh7c-7r5v
+
+-------------------------------------------------------------------
New: ---- fix_cve_2024_0406.patch BETA DEBUG BEGIN: New: - Add fix_cve_2024_0406.patch to patch github.com/mholt/archive dependency for bsc#1241187 / CVE-2024-0406 / GHSA-rhh4-rh7c-7r5v BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ subfinder.spec ++++++
--- /var/tmp/diff_new_pack.u67KkC/_old 2025-04-20 20:10:19.775061607 +0200
+++ /var/tmp/diff_new_pack.u67KkC/_new 2025-04-20 20:10:19.775061607 +0200
@@ -24,6 +24,7 @@
 URL: https://github.com/projectdiscovery/subfinder
 Source0: https://github.com/projectdiscovery/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: vendor.tar.zstd
+Source2: fix_cve_2024_0406.patch
 Patch1: disable-version-check.patch
 BuildRequires: binutils
 BuildRequires: help2man
@@ -40,6 +41,7 @@
 %prep
 %autosetup -p1 -a1
+patch -d vendor/github.com/mholt/archiver/v3 < %{S:2}
 %build
 cd v2
++++++ fix_cve_2024_0406.patch ++++++
>From 82ca88a2eb24d418c30bf960ef071b0bbec04631 Mon Sep 17 00:00:00 2001
From: Alex Goodman <wagood...@users.noreply.github.com>
Date: Wed, 31 Jan 2024 10:41:03 -0500
Subject: [PATCH] Fix tar path traversal through symlinks (#1)
* fix tar path traversal through symlinks
Signed-off-by: Alex Goodman <wagood...@users.noreply.github.com>
* address absolute symlink destinations
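Review bot: The new `%prep` line `patch -d vendor/github.com/mholt/archiver/v3 < %{S:2}` gives no `-p` level, so it relies on GNU patch's default of stripping every leading path component (turning `a/tar.go` into `tar.go`); writing `patch -p1 -d vendor/github.com/mholt/archiver/v3 < %{S:2}` states the intent and stops the command from silently matching a same-named file should the patch ever gain a nested path. Applying it by hand rather than as a `Patch2:` line is presumably because `%autosetup -p1 -a1` patches the main source tree while this file lives in the vendor tarball unpacked by `-a1`; a one-line comment above the command saying so would spare the next packager the guess. The changelog entry names `github.com/mholt/archive` while the spec patches `github.com/mholt/archiver/v3`.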
Signed-off-by: Alex Goodman <wagood...@users.noreply.github.com>
* Removed patch for tar_test.go which doesn't exist in vendor dir ~ dheidler
---------
Signed-off-by: Alex Goodman <wagood...@users.noreply.github.com>
---
tar.go | 18 +++++++++++
tar_test.go | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 106 insertions(+), 1 deletion(-)
diff --git a/tar.go b/tar.go
index be898665..d5820114 100644
--- a/tar.go
+++ b/tar.go
@@ -238,6 +238,24 @@ func (t *Tar) untarNext(destination string) error {
 return fmt.Errorf("checking path traversal attempt: %v", errPath)
 }
+ switch header.Typeflag {
+ case tar.TypeSymlink, tar.TypeLink:
+ // this covers cases when the link is an absolute path to a file outside the destination folder
+ if filepath.IsAbs(header.Linkname) {
+ errPath := &IllegalPathError{AbsolutePath: "", Filename: header.Linkname}
+ return fmt.Errorf("absolute path for symlink destination not allowed: %w", errPath)
+ }
+
+ // though we've already checked the name for possible path traversals, it is possible
+ // to write content though a symlink to a path outside of the destination folder
+ // with multiple header entries. We should consider any symlink or hardlink that points
+ // to outside of the destination folder to be a possible path traversal attack.
+ errPath = t.CheckPath(destination, header.Linkname)
+ if errPath != nil {
+ return fmt.Errorf("checking path traversal attempt in symlink: %w", errPath)
+ }
+ }
+
 if t.StripComponents > 0 {
 if strings.Count(header.Name, "/") < t.StripComponents {
 return nil // skip path with fewer components
++++++ vendor.tar.zstd ++++++
Binary files /var/tmp/diff_new_pack.u67KkC/_old and /var/tmp/diff_new_pack.u67KkC/_new differ
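Review bot: The `if filepath.IsAbs(header.Linkname)` guard is host-dependent: on Windows `filepath.IsAbs("/etc/passwd")` is false because the path carries no volume, so a slash-rooted Linkname passes it, and the following `t.CheckPath(destination, header.Linkname)` joins it under `destination` and accepts it lexically even though the created link would presumably be interpreted relative to the drive root. Rejecting rooted targets regardless of host OS closes that, e.g. `if filepath.IsAbs(header.Linkname) || strings.HasPrefix(header.Linkname, "/") || strings.HasPrefix(header.Linkname, "\\") {` (`strings` is already imported, as the `strings.Count` context line shows). Both checks remain lexical — they do not resolve links already present under `destination` — and the relative-target check is conservative for `tar.TypeSymlink` (evaluated from the destination root rather than the link's own directory, so a legitimate `../sibling` link in a subdirectory is refused) while exact for `tar.TypeLink`, whose Linkname is archive-root relative; a sentence saying so in the new comment would save the next reader that analysis. Minor: `errPath := &IllegalPathError{...}` inside the `if` shadows the outer `errPath` with a different type — a direct `return fmt.Errorf(..., &IllegalPathError{...})` avoids it — and the new errors wrap with `%w` where the existing check on the first context line uses `%v`. untarNext begins and continues outside the hunk.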