Hello community,

here is the log from the commit of package ckermit for openSUSE:Factory checked in at 2026-04-07 16:32:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ckermit (Old)
 and /work/SRC/openSUSE:Factory/.ckermit.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ckermit" Tue Apr 7 16:32:52 2026 rev:16 rq:1344691 version:9.0.302 Changes: -------- --- /work/SRC/openSUSE:Factory/ckermit/ckermit.changes 2026-01-08 15:29:55.895332392 +0100 +++ /work/SRC/openSUSE:Factory/.ckermit.new.21863/ckermit.changes 2026-04-07 16:47:55.510103518 +0200 @@ -1,0 +2,14 @@ +Wed Jan 14 17:12:30 CET 2026 - Ruediger Oertel <[email protected]> + +- add patches from debian: + * default-transfer-mode.patch (default to manual mode, binary) + * remote-security.patch (CVE-2025-68920) + Malicious remote can overwrite and exfiltrate local files + (bsc#1255718) + +------------------------------------------------------------------- +Mon Jan 5 16:25:07 UTC 2026 - Michal Hrusecky <[email protected]> + +- pass -std=gnu89 to fix compilation issues + +------------------------------------------------------------------- @@ -6,0 +21,6 @@ + +------------------------------------------------------------------- +Tue Jun 10 09:18:42 UTC 2025 - Michal Hrusecky <[email protected]> + +- respect %optflags +- create and set lock directory in a way, that dialout members can use tty New: ---- ckermit-tmp.conf default-transfer-mode.patch remote-security.patch ----------(New B)---------- New:- add patches from debian: * default-transfer-mode.patch (default to manual mode, binary) * remote-security.patch (CVE-2025-68920) New: * default-transfer-mode.patch (default to manual mode, binary) * remote-security.patch (CVE-2025-68920) Malicious remote can overwrite and exfiltrate local files ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ckermit.spec ++++++ --- /var/tmp/diff_new_pack.OIlkxI/_old 2026-04-07 16:47:57.202172916 +0200 +++ /var/tmp/diff_new_pack.OIlkxI/_new 2026-04-07 16:47:57.202172916 +0200 
@@ -24,10 +24,13 @@ Group: Hardware/Modem URL: https://www.kermitproject.org/ Source0: ftp://ftp.kermitproject.org/kermit/archives/cku302.tar.gz +Source1: ckermit-tmp.conf Patch0: decl-definition-conflict.patch # PATCH-FIX-UPSTREAM time_and_file_failure.patch Patch1: time_and_file_failure.patch Patch2: gcc14.patch +Patch3: default-transfer-mode.patch +Patch4: remote-security.patch BuildRequires: ncurses-devel Provides: kermit @@ -51,8 +54,8 @@ %autosetup -p1 -c %build -export KFLAGS="%{optflags} -std=gnu11" -%make_build linux +export CFLAGS="%{optflags} -std=gnu89 -DLOCK_DIR=\\\\\\\\\\\\\\\"/run/lock/uucp\\\\\\\\\\\\\\\"" +%make_build KFLAGS="$CFLAGS" linux %install install -d -m 755 %{buildroot}%{_bindir} 
@@ -61,12 +64,14 @@ install -m 644 ckuker.nr %{buildroot}%{_mandir}/man1/kermit.1 cd %{buildroot}%{_mandir}/man1 ln -s kermit.1 ckermit.1 +install -pD -m644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/ckermit.conf %files %license COPYING.TXT %{_bindir}/kermit %{_mandir}/man1/ckermit.1%{?ext_man} %{_mandir}/man1/kermit.1%{?ext_man} +%{_tmpfilesdir}/ckermit.conf %files doc %doc *.txt ++++++ ckermit-tmp.conf ++++++ # tmpfiles.d(5) lock directory for ckermit #Type Path Mode UID GID Age Argument d /run/lock/uucp 0771 root dialout - - ++++++ default-transfer-mode.patch ++++++ Description: Disable auto transfer mode Author: John Goerzen <[email protected]> Last-Update: 2025-12-04 Prior to this change, "show file" shows, among other things: Transfer mode: automatic File patterns: automatic (SHOW PATTERNS for list) Default file type: binary With this change: Transfer mode: manual File patterns: automatic (but disabled by TRANSFER-MODE MANUAL) File type: binary The modern assumption is a byte-accurate transfer of files. We have had a proliferation of file types, extensions, and complicating circumstances since the earlier days of Kermit. By changing this default, we disable the heuristic for attempting to guess the type of files, and convert the existing binary default into a binary setting. This can always be changed by the user, but the idea is to not violate the principle of least surprise. If the user asks to transfer a file, we assume the user wants an exact transfer of the file unless stated otherwise. Additionally, some platforms (eg, HP48 calculators) have wildly different behavior depending on whether a text or binary transfer is requested. By defaulting to manual mode, the user is in charge and further surprises that may be caused by "set file type" being ignored can be avoided. This fixes bug #1121901. --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/ckcftp.c +++ b/ckcftp.c 
@@ -951,7 +951,7 @@ int sav_log = -1; int ftp_action = 0; /* FTP action from command line */ int ftp_dates = 1; /* Set file dates from server */ -int ftp_xfermode = XMODE_A; /* FTP-specific transfer mode */ +int ftp_xfermode = XMODE_M; /* FTP-specific transfer mode */ char ftp_reply_str[FTP_BUFSIZ] = ""; /* Last line of previous reply */ char ftp_srvtyp[SRVNAMLEN] = { NUL, NUL }; /* Server's system type */ --- a/ckcmai.c +++ b/ckcmai.c @@ -1408,7 +1408,7 @@ cursor_save = -1, /* Cursor state */ #endif /* OS2 */ - xfermode = XMODE_A, /* Transfer mode, manual or auto */ + xfermode = XMODE_M, /* Transfer mode, manual or auto */ xfiletype = -1, /* Transfer only text (or binary) */ recursive = 0, /* Recursive directory traversal */ nolinks = 2, /* Don't follow symbolic links */ --- a/ckuus2.c +++ b/ckuus2.c @@ -9770,9 +9770,10 @@ " does not agree.", " ", "SET TRANSFER MODE { AUTOMATIC, MANUAL }", -" Automatic (the default) means Kermit should automatically go into binary", +" Automatic means Kermit should automatically go into binary", " file-transfer mode and use literal filenames if the other Kermit says it", " has a compatible file system, e.g. UNIX-to-UNIX, but not UNIX-to-DOS.", +" Manual (the default) means to always use the SET FILE TYPE setting.", #ifdef PATTERNS " Also, when sending files, Kermit should switch between binary and text", " mode automatically per file based on the SET FILE BINARY-PATTERNS and SET", ++++++ remote-security.patch ++++++ Description: Fix remote security hole Author: John Goerzen <[email protected]> Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1123025 Last-Update: 2025-12-15 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Fix insecure defaults This can lead to data exfiltration and compromise Further information at http://bugs.debian.org/1123025 --- a/ckcmai.c +++ b/ckcmai.c 
@@ -724,7 +724,7 @@ #ifdef VMS /* Default filename collision action */ XYFX_X, /* REPLACE for VAX/VMS */ #else - XYFX_B, /* BACKUP for everybody else */ + XYFX_D, /* REJECT for everybody else */ #endif /* VMS */ #ifdef OS2 /* Flag for file name conversion */ @@ -1574,37 +1574,37 @@ only as initial (default) values. */ int en_xit = 2; /* EXIT */ -int en_cwd = 3; /* CD/CWD */ -int en_cpy = 3; /* COPY */ +int en_cwd = 2; /* CD/CWD */ +int en_cpy = 2; /* COPY */ int en_del = 2; /* DELETE */ -int en_mkd = 3; /* MKDIR */ +int en_mkd = 2; /* MKDIR */ int en_rmd = 2; /* RMDIR */ -int en_dir = 3; /* DIRECTORY */ -int en_fin = 3; /* FINISH */ -int en_get = 3; /* GET */ +int en_dir = 2; /* DIRECTORY */ +int en_fin = 2; /* FINISH */ +int en_get = 2; /* GET */ #ifndef NOPUSH int en_hos = 2; /* HOST enabled */ #else int en_hos = 0; /* HOST disabled */ #endif /* NOPUSH */ -int en_ren = 3; /* RENAME */ -int en_sen = 3; /* SEND */ -int en_set = 3; /* SET */ -int en_spa = 3; /* SPACE */ -int en_typ = 3; /* TYPE */ -int en_who = 3; /* WHO */ +int en_ren = 2; /* RENAME */ +int en_sen = 2; /* SEND */ +int en_set = 2; /* SET */ +int en_spa = 2; /* SPACE */ +int en_typ = 2; /* TYPE */ +int en_who = 2; /* WHO */ #ifdef datageneral /* Data General AOS/VS can't do this */ int en_bye = 0; /* BYE */ #else int en_bye = 2; /* PCs in local mode... */ #endif /* datageneral */ -int en_asg = 3; /* ASSIGN */ -int en_que = 3; /* QUERY */ +int en_asg = 2; /* ASSIGN */ +int en_que = 2; /* QUERY */ int en_ret = 2; /* RETRIEVE */ -int en_mai = 3; /* MAIL */ -int en_pri = 3; /* PRINT */ -int en_ena = 3; /* ENABLE */ +int en_mai = 2; /* MAIL */ +int en_pri = 2; /* PRINT */ +int en_ena = 2; /* ENABLE */ #else int en_xit = 0, en_cwd = 0, en_cpy = 0, en_del = 0, en_mkd = 0, en_rmd = 0, en_dir = 0, en_fin = 0, en_get = 0, en_hos = 0, en_ren = 0, en_sen = 0, --- a/ckuus2.c +++ b/ckuus2.c 
@@ -4068,12 +4068,12 @@ "SET FILE COLLISION option", " Tells what to do when a file arrives that has the same name as", " an existing file. The options are:", -" BACKUP (default) - Rename the old file to a new, unique name and store", +" BACKUP - Rename the old file to a new, unique name and store", " the incoming file under the name it was sent with.", " OVERWRITE - Overwrite (replace) the existing file.", " APPEND - Append the incoming file to the end of the existing file.", " REJECT - Refuse and/or discard the incoming file (= DISCARD).", -" RENAME - Give the incoming file a unique name.", +" RENAME (default) - Give the incoming file a unique name.", " UPDATE - Accept the incoming file only if newer than the existing file.", " ", @@ -7929,7 +7929,7 @@ "SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } }", " enables/disables automatic switching into file-transfer mode when a Kermit", " or ZMODEM file transfer has been detected during CONNECT mode or while", -" an INPUT command is active. Default is OFF.", +" an INPUT command is active. Default is ON.", #else "SET TERMINAL AUTODOWNLOAD { ON, OFF, ERROR { STOP, CONTINUE } }", " enables/disables automatic switching into file-transfer mode when a Kermit",
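Review bot: Patch3 and Patch4 in the ckermit.spec hunk at @@ -24,10 +24,13 @@ are added without a tag comment, while Patch1 just above them carries `# PATCH-FIX-UPSTREAM time_and_file_failure.patch`. Add a comment line above each new patch naming its origin (the .changes entry says both come from Debian), and for remote-security.patch include bsc#1255718 and CVE-2025-68920 so the security fix can be identified from the spec alone.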
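Review bot: the ckermit.spec hunk at @@ -61,12 +64,14 @@ installs %{_tmpfilesdir}/ckermit.conf and lists it in %files, but none of the visible spec changes adds a scriptlet that applies it. The binary is now built with LOCK_DIR pointing at /run/lock/uucp, so on a freshly installed system that directory does not exist until the next boot or a manual systemd-tmpfiles run. Add a %post that calls `%tmpfiles_create %{_tmpfilesdir}/ckermit.conf`, together with the build dependency that provides the macro.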
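Review bot: ckermit-tmp.conf creates /run/lock/uucp with mode 0771, which leaves search permission for users outside the dialout group, although the .changes entry only states that dialout members need access. Either tighten the line to `d /run/lock/uucp 0770 root dialout - -` or say in the file's comment why others need the execute bit.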
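Review bot: in the ckuus2.c hunk of default-transfer-mode.patch (@@ -9770,9 +9770,10 @@) the new line "Manual (the default) means to always use the SET FILE TYPE setting." is inserted between the description of Automatic and its continuation under #ifdef PATTERNS, "Also, when sending files, Kermit should switch between binary and text". After the change that "Also" sentence reads as if it described Manual mode, which is the opposite of what the patch header says Manual does. Move the Manual line below the PATTERNS paragraph, or reword the continuation to begin "In Automatic mode, when sending files, ...".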
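Review bot: the ckcmai.c hunk of remote-security.patch at @@ -1574,37 +1574,37 @@ changes eighteen en_* defaults from 3 to 2, yet neither the hunk nor the DEP-3 header says what the two values mean; the only visible context is "only as initial (default) values." Add one sentence to the patch description stating which mode each value enables, so a reader can confirm that CD, COPY, GET, SEND, SET, ENABLE and the rest now match the entries that were already 2 (DELETE, RMDIR, HOST, BYE, RETRIEVE). The header should also carry the CVE id that the .changes entry cites (CVE-2025-68920); at present it only links the Debian bug.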
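Review bot: the SET FILE COLLISION help in the ckuus2.c hunk at @@ -4068,12 +4068,12 @@ moves "(default)" from BACKUP to RENAME, but the ckcmai.c hunk at @@ -724,7 +724,7 @@ of the same patch sets the default to XYFX_D with the comment "REJECT for everybody else". Help text and code now disagree about what happens when an incoming file name collides with an existing file. If REJECT is the intended default, the marker belongs on the line "REJECT - Refuse and/or discard the incoming file (= DISCARD)." and the RENAME line should stay unchanged.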
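Review bot: the ckuus2.c hunk at @@ -7929,7 +7929,7 @@ rewrites the SET TERMINAL AUTODOWNLOAD help from "Default is OFF." to "Default is ON.", but no hunk in remote-security.patch touches the variable that holds this default, and documenting automatic switching into file-transfer mode as on by default runs against the stated purpose of the patch ("Fix insecure defaults"). Confirm the compiled default for this build and state it in the patch header; if the default is in fact OFF, drop this change. The #else branch that follows repeats the same help text and should state the same default.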
