Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package opam for openSUSE:Factory checked in at 2026-04-17 21:05:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/opam (Old)
 and /work/SRC/openSUSE:Factory/.opam.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "opam" Fri Apr 17 21:05:18 2026 rev:21 rq:1347738 version:2.5.1 Changes: -------- --- /work/SRC/openSUSE:Factory/opam/opam.changes 2025-11-27 15:22:00.130095655 +0100 +++ /work/SRC/openSUSE:Factory/.opam.new.11940/opam.changes 2026-04-17 21:05:33.701047473 +0200 @@ -1,0 +2,6 @@ +Thu Apr 16 16:16:16 UTC 2026 - [email protected] + +- Update to version 2.5.1 (CVE-2026-41082 bsc#1262281) + see included CHANGES file for details + +------------------------------------------------------------------- Old: ---- opam-2.5.0.tar.xz New: ---- opam-2.5.1.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ opam.spec ++++++ --- /var/tmp/diff_new_pack.9tRTAL/_old 2026-04-17 21:05:34.185067395 +0200 +++ /var/tmp/diff_new_pack.9tRTAL/_new 2026-04-17 21:05:34.185067395 +0200 @@ -1,7 +1,7 @@ # # spec file for package opam # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: opam -Version: 2.5.0 +Version: 2.5.1 Release: 0 Summary: Source-based package manager for OCaml License: LGPL-2.1-only WITH OCaml-LGPL-linking-exception ++++++ _service ++++++ --- /var/tmp/diff_new_pack.9tRTAL/_old 2026-04-17 21:05:34.229069206 +0200 +++ /var/tmp/diff_new_pack.9tRTAL/_new 2026-04-17 21:05:34.233069370 +0200 @@ -15,6 +15,7 @@ <param name="exclude">doc/index.html</param> <param name="exclude">doc/modules</param> <param name="exclude">doc/pages</param> + <param name="exclude">master_changes.md</param> <param name="exclude">release</param> <param name="exclude">shell/autogen</param> <param name="exclude">shell/bootstrap-ocaml.sh</param> 
@@ -38,7 +39,7 @@ <param name="exclude">src_ext</param> <param name="exclude">tests</param> <param name="filename">opam</param> - <param name="revision">edf980ebd18ad6b5e990dbf3b6367cffcaf01815</param> + <param name="revision">6218d0c4c022106034a93c8ecb5b80fa213d7356</param> <param name="scm">git</param> <param name="submodules">disable</param> <param name="url">https://github.com/ocaml/opam.git</param> ++++++ opam-2.5.0.tar.xz -> opam-2.5.1.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/CHANGES new/opam-2.5.1/CHANGES --- old/opam-2.5.0/CHANGES 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/CHANGES 2026-04-15 21:19:31.000000000 +0200 @@ -3,6 +3,16 @@ are not marked). Those prefixed with "(+)" are new command/option (since 2.1.0~alpha2). +2.5.1: +* Invalidate .install fields containing destination filepath trying to escape their scope [#6897 @kit-ty-kate - report by @andrew] +* Fix a string injection from the depexts field to nix-build, when `os-family=nixos` [#6894 @RyanGibb] +* Restore the distribution detection on Gentoo [#6886 @kit-ty-kate - fix #6887] +* Add support for single-quoted values of the /etc/os-release file [#6886 @kit-ty-kate - fix #6887] +* Fix rare potential GC corruptions [#6882 #6880 @kit-ty-kate - report by @andrew] +* Improve and extend the testsuite [#6897 @rjbou @kit-ty-kate] +* API changes in `opam-core`: + * `OpamFilename.might_escape`: ensure / is detected as a file separator when called with `~sep:Unspecified` on Windows [#6897 @kit-ty-kate] + 2.5.0: * (no difference compared to 2.5.0~rc1) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/configure.ac new/opam-2.5.1/configure.ac --- old/opam-2.5.0/configure.ac 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/configure.ac 2026-04-15 21:19:31.000000000 +0200 
@@ -1,5 +1,5 @@ dnl The line below must be formatted AC_INIT([opam],[VERSION]) with no extra spaces -AC_INIT([opam],[2.5.0]) +AC_INIT([opam],[2.5.1]) AC_COPYRIGHT(Copyright 2012-2019 OcamlPro SAS) AC_CONFIG_MACRO_DIR([m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/master_changes.md new/opam-2.5.1/master_changes.md --- old/opam-2.5.0/master_changes.md 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/master_changes.md 1970-01-01 01:00:00.000000000 +0100 
@@ -1,127 +0,0 @@ -Working version changelog, used as a base for the changelog and the release -note. -Prefixes used to help generate release notes, changes, and blog posts: -* ✘ Possibly scripts breaking changes -* ◈ New option/command/subcommand -* [BUG] for bug fixes -* [NEW] for new features (not a command itself) -* [API] api updates 🕮 -If there is changes in the API (new non optional argument, function renamed or -moved, etc.), please update the _API updates_ part (it helps opam library -users) - -## Version - -## Global CLI - -## Plugins - -## Init - -## Config report - -## Actions - -## Install - -## Build (package) - -## Remove - -## UI - -## Switch - -## Config - -## Pin - -## List - -## Show - -## Var/Option - -## Update / Upgrade - -## Tree - -## Exec - -## Source - -## Lint - -## Repository - -## Lock - -## Clean - -## Env - -## Opamfile - -## External dependencies - -## Format upgrade - -## Sandbox - -## VCS - -## Build - -## Infrastructure - -## Release scripts - -## Install script - -## Admin - -## Opam installer - -## State - -## Opam file format - -## Solver - -## Client - -## Shell - -## Internal - -## Internal: Unix - -## Internal: Windows - -## Test - -## Benchmarks - -## Reftests -### Tests - -### Engine - -## Github Actions - -## Doc - -## Security fixes - -# API updates -## opam-client - -## opam-repository - -## opam-state - -## opam-solver - -## opam-format - -## opam-core diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/opam-client.opam new/opam-2.5.1/opam-client.opam --- old/opam-2.5.0/opam-client.opam 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/opam-client.opam 2026-04-15 21:19:31.000000000 +0200 
@@ -1,5 +1,5 @@ opam-version: "2.0" -version: "2.5.0" +version: "2.5.1" synopsis: "Client library for opam 2.5" description: """ Actions on the opam root, switches, installations, and front-end. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/opam-core.opam new/opam-2.5.1/opam-core.opam --- old/opam-2.5.0/opam-core.opam 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/opam-core.opam 2026-04-15 21:19:31.000000000 +0200 @@ -1,5 +1,5 @@ opam-version: "2.0" -version: "2.5.0" +version: "2.5.1" synopsis: "Core library for opam 2.5" description: "Small standard library extensions, and generic system interaction modules used by opam." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/opam-devel.opam new/opam-2.5.1/opam-devel.opam --- old/opam-2.5.0/opam-devel.opam 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/opam-devel.opam 2026-04-15 21:19:31.000000000 +0200 @@ -1,5 +1,5 @@ opam-version: "2.0" -version: "2.5.0" +version: "2.5.1" synopsis: "Bootstrapped development binary for opam 2.5" description: """ This package compiles (bootstraps) opam. For consistency and safety of the installation, the binaries are not installed into the PATH, but into lib/opam-devel, from where the user can manually install them system-wide. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/opam-format.opam new/opam-2.5.1/opam-format.opam --- old/opam-2.5.0/opam-format.opam 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/opam-format.opam 2026-04-15 21:19:31.000000000 +0200 
@@ -1,5 +1,5 @@ opam-version: "2.0" -version: "2.5.0" +version: "2.5.1" synopsis: "Format library for opam 2.5" description: """ Definition of opam datastructures and its file interface. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/opam-installer.opam new/opam-2.5.1/opam-installer.opam --- old/opam-2.5.0/opam-installer.opam 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/opam-installer.opam 2026-04-15 21:19:31.000000000 +0200 @@ -1,5 +1,5 @@ opam-version: "2.0" -version: "2.5.0" +version: "2.5.1" synopsis: "Installation of files to a prefix, following opam conventions" description: """ opam-installer is a small tool that can read *.install files, as defined by opam [1], and execute them to install or remove package files without going through opam. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/opam-repository.opam new/opam-2.5.1/opam-repository.opam --- old/opam-2.5.0/opam-repository.opam 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/opam-repository.opam 2026-04-15 21:19:31.000000000 +0200 @@ -1,5 +1,5 @@ opam-version: "2.0" -version: "2.5.0" +version: "2.5.1" synopsis: "Repository library for opam 2.5" description: """ This library includes repository and remote sources handling, including curl/wget, rsync, git, mercurial, darcs backends. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/opam-solver.opam new/opam-2.5.1/opam-solver.opam --- old/opam-2.5.0/opam-solver.opam 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/opam-solver.opam 2026-04-15 21:19:31.000000000 +0200 
@@ -1,5 +1,5 @@ opam-version: "2.0" -version: "2.5.0" +version: "2.5.1" synopsis: "Solver library for opam 2.5" description: """ Solver and Cudf interaction. This library is based on the Cudf and Dose libraries, and handles calls to the external solver from opam. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/opam-state.opam new/opam-2.5.1/opam-state.opam --- old/opam-2.5.0/opam-state.opam 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/opam-state.opam 2026-04-15 21:19:31.000000000 +0200 @@ -1,5 +1,5 @@ opam-version: "2.0" -version: "2.5.0" +version: "2.5.1" synopsis: "State library for opam 2.5" description: """ Handling of the ~/.opam hierarchy, repository and switch states. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/src/core/opamFilename.ml new/opam-2.5.1/src/core/opamFilename.ml --- old/opam-2.5.0/src/core/opamFilename.ml 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/src/core/opamFilename.ml 2026-04-15 21:19:31.000000000 +0200 @@ -11,10 +11,14 @@ let might_escape ~sep path = let sep = + let real_sep = function + | `Unix -> Re.char '/' + | `Windows -> Re.alt Re.[ char '\\'; char '/' ] + in match sep with - | `Unix -> Re.char '/' - | `Windows -> Re.alt Re.[ char '\\'; char '/' ] - | `Unspecified -> Re.str Filename.dir_sep + | `Unspecified when Sys.win32 -> real_sep `Windows + | `Unspecified -> real_sep `Unix + | `Unix | `Windows as sep -> real_sep sep in List.exists (String.equal Filename.parent_dir_name) Re.(split (compile sep) path) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/src/core/opamUnix.c new/opam-2.5.1/src/core/opamUnix.c --- old/opam-2.5.0/src/core/opamUnix.c 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/src/core/opamUnix.c 2026-04-15 21:19:31.000000000 +0200 
@@ -22,8 +22,9 @@ #include <sys/utsname.h> CAMLprim value opam_uname(value _unit) { + CAMLparam0(); + CAMLlocal1(ret); struct utsname buf; - value ret; if (-1 == uname(&buf)) { caml_uerror("uname", Nothing); @@ -33,5 +34,5 @@ Store_field(ret, 1, caml_copy_string(buf.release)); Store_field(ret, 2, caml_copy_string(buf.machine)); - return ret; + CAMLreturn(ret); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/src/core/opamWindows.c new/opam-2.5.1/src/core/opamWindows.c --- old/opam-2.5.0/src/core/opamWindows.c 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/src/core/opamWindows.c 2026-04-15 21:19:31.000000000 +0200 @@ -431,11 +431,6 @@ LPWSTR lpEnvironment; - result = caml_alloc_small(2, 0); - Field(result, 0) = Val_int(0); /* Unused */ - Field(result, 1) = Val_emptylist; /* The actual result */ - tail = result; - HKEY key; DWORD type; LSTATUS ret; @@ -453,6 +448,11 @@ caml_raise_out_of_memory(); } + result = caml_alloc_small(2, 0); + Field(result, 0) = Val_int(0); /* Unused */ + Field(result, 1) = Val_emptylist; /* The actual result */ + tail = result; + ret = RegOpenKey(roots[Int_val(hKey)], lpSubKey, &key); if (ret == ERROR_SUCCESS) ret = RegQueryInfoKey(key, NULL, NULL, NULL, NULL, NULL, NULL, NULL, &cbValueName, &cbData, NULL, NULL); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/src/format/opamFile.ml new/opam-2.5.1/src/format/opamFile.ml --- old/opam-2.5.0/src/format/opamFile.ml 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/src/format/opamFile.ml 2026-04-15 21:19:31.000000000 +0200 
@@ -3728,8 +3728,15 @@ Pp.V.map_list ~depth:1 @@ Pp.V.map_option (Pp.V.string -| pp_optional) (Pp.opt @@ - Pp.singleton -| Pp.V.string -| - Pp.of_module "rel-filename" (module OpamFilename.Base)) + Pp.singleton -| Pp.V.string -| Pp.pp ~name:"rel-filename" + (fun ~pos s -> + if OpamFilename.might_escape ~sep:`Unspecified s then + Pp.bad_format ~pos "%s references its parent directory." s + else if Filename.is_relative s then + OpamFilename.Base.of_string s + else + Pp.bad_format ~pos "%s is an absolute filename." s) + OpamFilename.Base.to_string) in let pp_misc = Pp.V.map_list ~depth:1 @@ Pp.V.map_option diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/src/state/opamSysInteract.ml new/opam-2.5.1/src/state/opamSysInteract.ml --- old/opam-2.5.0/src/state/opamSysInteract.ml 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/src/state/opamSysInteract.ml 2026-04-15 21:19:31.000000000 +0200 @@ -1141,11 +1141,18 @@ OpamFilename.create dir (OpamFilename.Base.of_string "env.nix") in + let packageFile = + OpamFilename.create dir + (OpamFilename.Base.of_string "nix-depexts.json") + in let packages = - String.concat " " - (OpamSysPkg.Set.fold (fun p l -> OpamSysPkg.to_string p :: l) - OpamSysPkg.Set.Op.(sys_packages.ti_new ++ sys_packages.ti_required) []) + "[" ^ + String.concat ", " + (OpamSysPkg.Set.fold (fun p l -> ("\"" ^ OpamSysPkg.to_string p ^ "\"") :: l) + OpamSysPkg.Set.Op.(sys_packages.ti_new ++ sys_packages.ti_required) []) + ^ "]" in + OpamFilename.write packageFile packages; (* We exclude variables from https://github.com/NixOS/nix/blob/e4bda20918ad2af690c2e938211a7d362548e403/src/nix/develop.cc#L308-L325 append to variables from 
@@ -1156,7 +1163,7 @@ with pkgs; stdenv.mkDerivation { name = "opam-nix-env"; - nativeBuildInputs = with buildPackages; [ |} ^ packages ^ {| ]; + nativeBuildInputs = map (name: buildPackages.${name}) (builtins.fromJSON (builtins.readFile ./nix-depexts.json)); phases = [ "buildPhase" ]; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/opam-2.5.0/src/state/opamSysPoll.ml new/opam-2.5.1/src/state/opamSysPoll.ml --- old/opam-2.5.0/src/state/opamSysPoll.ml 2025-11-25 16:04:46.000000000 +0100 +++ new/opam-2.5.1/src/state/opamSysPoll.ml 2026-04-15 21:19:31.000000000 +0200 @@ -93,6 +93,8 @@ Scanf.sscanf s "%s@= %s" (fun x v -> let contents = try Scanf.sscanf v "\"%s@\"" (fun s -> s) + with Scanf.Scan_failure _ | End_of_file -> + try Scanf.sscanf v "'%s@'" (fun s -> s) with Scanf.Scan_failure _ | End_of_file -> v in Some (x, contents))
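Review bot: In the opam.changes hunk, the new entry "Update to version 2.5.1 (CVE-2026-41082 bsc#1262281)" cites a CVE and then defers to the CHANGES file, but none of the 2.5.1 items added to CHANGES mentions that CVE. Suggest naming the upstream change that addresses it directly in the entry, so the security fix can be identified from the package changelog alone.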
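Review bot: In the src/core/opamFilename.ml hunk, the `Unspecified case now branches on Sys.win32, so the same string gets a different answer depending on the host: a path such as a\..\b is flagged on Windows and passes elsewhere. That is defensible, since a backslash is an ordinary filename character on Unix, but nothing in the hunk documents it. Suggest a doc comment on might_escape stating that `Unspecified means "the separators of the host opam is running on", that callers checking input destined for another platform must pass `Unix or `Windows explicitly, and that the check is purely lexical: it looks only for a parent_dir_name component and does not cover absolute paths.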
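Review bot: In the src/core/opamUnix.c hunk, opam_uname now opens with CAMLparam0() although it takes a value argument, _unit. Because unit is an immediate this is harmless, but CAMLparam1(_unit) would keep the stub in the usual one-macro-per-argument form and avoid the question on the next read. The switch from a bare "value ret" to CAMLlocal1(ret) with CAMLreturn(ret) looks right for a value that stays live across the three caml_copy_string calls.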
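Review bot: In the src/core/opamWindows.c hunks, the caml_alloc_small block for result and tail is moved below the caml_raise_out_of_memory() check with no comment explaining why the order matters. Suggest a one-line comment at the new position saying that result must be allocated only after the preceding step that can allocate or raise, so a later cleanup does not move it back up. Whether result and tail are registered as local roots is not visible in the context shown; worth confirming, since tail aliases result and both must survive the allocations that follow.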
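Review bot: In the src/format/opamFile.ml hunk, only the optional destination goes through the new might_escape and Filename.is_relative checks; the source string two lines above (Pp.V.string -| pp_optional) is still accepted unchanged. If a source such as ../x is also meant to be refused, it needs the same validation; otherwise please add a comment saying why the source is out of scope here. A smaller point: an empty destination string is relative and contains no parent component, so it reaches OpamFilename.Base.of_string; consider rejecting it explicitly.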
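Review bot: In the first src/state/opamSysInteract.ml hunk, the JSON array written to nix-depexts.json is assembled by hand with "\"" ^ OpamSysPkg.to_string p ^ "\"", which does not escape a double quote, backslash or control character inside a package name. Moving the names out of the Nix expression and into a data file does close the injection into nix-build, but a name containing a quote still yields malformed JSON or extra array elements. Suggest producing the file with a JSON encoder rather than string concatenation, or rejecting names outside an expected character set before writing.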
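Review bot: In the second src/state/opamSysInteract.ml hunk, replacing "with buildPackages; [ ... ]" by "map (name: buildPackages.${name})" changes how dotted names resolve: previously a depext written as a.b was spliced in as a Nix attribute path, whereas ${name} looks up a single attribute literally called "a.b". If nested attributes are used in depexts for nixos, this will now fail at evaluation; either split the name on "." and walk the path, or document that only top-level attribute names are supported. Also, the file name nix-depexts.json is now spelled out twice, once in the OCaml binding packageFile and once in the Nix template; deriving the template text from the same binding would keep them from drifting.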
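Review bot: In the src/state/opamSysPoll.ml hunk, the new fallback Scanf.sscanf v "'%s@'" stops at the first single quote and ignores anything after it, the same as the existing double-quote branch, so a value with an escaped or embedded quote is silently truncated. If that is acceptable for distribution detection, a short comment saying so would help; otherwise check that the closing quote is the last character. The two nested try expressions would also read more clearly as a small helper that tries each quote character in turn and falls back to v.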
