Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package melange for openSUSE:Factory checked in at 2026-05-11 16:57:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/melange (Old) and /work/SRC/openSUSE:Factory/.melange.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "melange" Mon May 11 16:57:41 2026 rev:157 rq:1352351 version:0.50.6 Changes: --------
--- /work/SRC/openSUSE:Factory/melange/melange.changes 2026-05-05 15:17:07.279497822 +0200
+++ /work/SRC/openSUSE:Factory/.melange.new.1966/melange.changes 2026-05-11 17:08:08.579455104 +0200
@@ -1,0 +2,13 @@
+Mon May 11 05:04:36 UTC 2026 - Johannes Kastl <[email protected]>
+
+- Update to version 0.50.6:
+ * Add linter to complain about shipping libtool linker files.
+ (#2520)
+ * build(deps): bump github.com/chainguard-dev/yam from 0.2.57 to
+ 0.2.58 in the gomod group across 1 directory (#2516)
+ * linter: validate cfg.Package.Version against path traversal in
+ saveLintResults (#2515)
+ * fix(ci): harden against template injection and credential
+ exposure (#2514)
+
+-------------------------------------------------------------------
Old: ---- melange-0.50.5.obscpio New: ---- melange-0.50.6.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ melange.spec ++++++
--- /var/tmp/diff_new_pack.yCVEDJ/_old 2026-05-11 17:08:09.699501188 +0200
+++ /var/tmp/diff_new_pack.yCVEDJ/_new 2026-05-11 17:08:09.703501353 +0200
@@ -17,7 +17,7 @@
 Name: melange
-Version: 0.50.5
+Version: 0.50.6
 Release: 0
 Summary: Build APKs from source code
 License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.yCVEDJ/_old 2026-05-11 17:08:09.747503163 +0200
+++ /var/tmp/diff_new_pack.yCVEDJ/_new 2026-05-11 17:08:09.751503328 +0200
@@ -3,7 +3,7 @@
 <param name="url">https://github.com/chainguard-dev/melange.git</param>
 <param name="scm">git</param>
 <param name="exclude">.git</param>
- <param name="revision">refs/tags/v0.50.5</param>
+ <param name="revision">refs/tags/v0.50.6</param>
 <param name="versionformat">@PARENT_TAG@</param>
 <param name="versionrewrite-pattern">v(.*)</param>
 <param name="changesgenerate">enable</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.yCVEDJ/_old 2026-05-11 17:08:09.771504151 +0200
+++ /var/tmp/diff_new_pack.yCVEDJ/_new 2026-05-11 17:08:09.775504316 +0200
@@ -3,6 +3,6 @@
 <param name="url">https://github.com/chainguard-dev/melange</param>
 <param name="changesrevision">3f6115b820985d70ca3c93cdf8519c1b3b4cfe81</param></service><service name="tar_scm">
 <param name="url">https://github.com/chainguard-dev/melange.git</param>
- <param name="changesrevision">e04248bc044fbec3c8332b080665d2e74c1dfd66</param></service></servicedata>
+ <param name="changesrevision">02f6591a691807e561bb77cfda160a902ff8aa50</param></service></servicedata>
(No newline at EOF)
++++++ melange-0.50.5.obscpio -> melange-0.50.6.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.5/.actionlint.yaml new/melange-0.50.6/.actionlint.yaml
--- old/melange-0.50.5/.actionlint.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/melange-0.50.6/.actionlint.yaml 2026-05-08 01:57:51.000000000 +0200
@@ -0,0 +1,3 @@
+self-hosted-runner:
+ labels:
+ - ubuntu-latest-8-core
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.5/docs/md/melange_build.md new/melange-0.50.6/docs/md/melange_build.md
--- old/melange-0.50.5/docs/md/melange_build.md 2026-05-04 00:44:13.000000000 +0200
+++ new/melange-0.50.6/docs/md/melange_build.md 2026-05-08 01:57:51.000000000 +0200
@@ -53,7 +53,7 @@ -i, --interactive when enabled, attaches stdin with a tty to the pod on failure -k, --keyring-append strings path to extra keys to include in the build environment keyring --license string license to use for the build config file itself (default "NOASSERTION") - --lint-require strings linters that must pass (default [dev,infodir,setuidgid,tempdir,usrmerge,varempty,worldwrite]) + --lint-require strings linters that must pass (default [dev,infodir,libtool/la-files,setuidgid,tempdir,usrmerge,varempty,worldwrite]) --lint-warn strings linters that will generate warnings (default [binaryarch,cudaruntimelib,dll,duplicate,dylib,lddcheck,maninfo,nonlinux,object,opt,pkgconf,python/docs,python/multiple,python/test,sbom,srv,staticarchive,strip,unsupportedarch,usrlocal]) --memory string default memory resources to use for builds --namespace string namespace to use in package URLs in SBOM (eg wolfi, alpine) (default "unknown") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.5/docs/md/melange_lint.md new/melange-0.50.6/docs/md/melange_lint.md --- old/melange-0.50.5/docs/md/melange_lint.md 2026-05-04 00:44:13.000000000 +0200 +++ new/melange-0.50.6/docs/md/melange_lint.md 2026-05-08 01:57:51.000000000 +0200 
@@ -29,7 +29,7 @@ ``` -h, --help help for lint - --lint-require strings linters that must pass (default [dev,infodir,setuidgid,tempdir,usrmerge,varempty,worldwrite]) + --lint-require strings linters that must pass (default [dev,infodir,libtool/la-files,setuidgid,tempdir,usrmerge,varempty,worldwrite]) --lint-warn strings linters that will generate warnings (default [binaryarch,cudaruntimelib,dll,duplicate,dylib,lddcheck,maninfo,nonlinux,object,opt,pkgconf,python/docs,python/multiple,python/test,sbom,srv,staticarchive,strip,unsupportedarch,usrlocal]) --out-dir string directory where lint results JSON files will be saved (requires --persist-lint-results) (default "packages") --persist-lint-results persist lint results to JSON files in packages/{arch}/ directory diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.5/go.mod new/melange-0.50.6/go.mod --- old/melange-0.50.5/go.mod 2026-05-04 00:44:13.000000000 +0200 +++ new/melange-0.50.6/go.mod 2026-05-08 01:57:51.000000000 +0200 @@ -6,7 +6,7 @@ chainguard.dev/apko v1.2.9 github.com/chainguard-dev/clog v1.8.0 github.com/chainguard-dev/go-pkgconfig v0.0.0-20240404163941-6351b37b2a10 - github.com/chainguard-dev/yam v0.2.57 + github.com/chainguard-dev/yam v0.2.58 github.com/charmbracelet/log v1.0.0 github.com/docker/cli v29.4.2+incompatible github.com/docker/docker v28.5.2+incompatible diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.5/go.sum new/melange-0.50.6/go.sum --- old/melange-0.50.5/go.sum 2026-05-04 00:44:13.000000000 +0200 +++ new/melange-0.50.6/go.sum 2026-05-08 01:57:51.000000000 +0200 
@@ -44,8 +44,8 @@
 github.com/chainguard-dev/clog v1.8.0/go.mod h1:5MQOZi+Iu7fV7GcJG8ag8rCB5elEOpqRMKEASgnGVdo=
 github.com/chainguard-dev/go-pkgconfig v0.0.0-20240404163941-6351b37b2a10 h1:XR2vgQC024I9/boh9r1ihVv8Z14+pbvWqXeYMCnZJpc=
 github.com/chainguard-dev/go-pkgconfig v0.0.0-20240404163941-6351b37b2a10/go.mod h1:1p6+MesLcjKeON5BRWa7I87mvAY0QmKjgginIM3w6BI=
-github.com/chainguard-dev/yam v0.2.57 h1:v1qCjl96/s5jT+zJrMgRDRPb74qr/SW0ubsh9Zx8GoM=
-github.com/chainguard-dev/yam v0.2.57/go.mod h1:Sbt8pVO8DbHoVly44oF5gg03NRxl9AhEImOkqGyoQCs=
+github.com/chainguard-dev/yam v0.2.58 h1:ty4ZOrKdTh0FRWEIhSn35hhtkY89rrXtUvr4D9C22fw=
+github.com/chainguard-dev/yam v0.2.58/go.mod h1:Sbt8pVO8DbHoVly44oF5gg03NRxl9AhEImOkqGyoQCs=
 github.com/charmbracelet/colorprofile v0.3.2 h1:9J27WdztfJQVAQKX2WOlSSRB+5gaKqqITmrvb1uTIiI=
 github.com/charmbracelet/colorprofile v0.3.2/go.mod h1:mTD5XzNeWHj8oqHb+S1bssQb7vIHbepiebQ2kPKVKbI=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.5/pkg/linter/linter.go new/melange-0.50.6/pkg/linter/linter.go
--- old/melange-0.50.5/pkg/linter/linter.go 2026-05-04 00:44:13.000000000 +0200
+++ new/melange-0.50.6/pkg/linter/linter.go 2026-05-08 01:57:51.000000000 +0200
@@ -199,6 +199,11 @@
 Explain: "This package contains static archives (.a files)",
 defaultBehavior: Warn,
 },
+ "libtool/la-files": {
+ LinterFunc: linters.LaFilesLinter,
+ Explain: "Remove libtool archive (.la) files from the package, or disable this linter if they are required",
+ defaultBehavior: Require,
+ },
 "duplicate": {
 LinterFunc: linters.DuplicateLinter,
 Explain: "This package contains files with the same name and content in different directories (consider symlinking)",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.5/pkg/linter/linter_test.go new/melange-0.50.6/pkg/linter/linter_test.go
--- old/melange-0.50.5/pkg/linter/linter_test.go 2026-05-04 00:44:13.000000000 +0200
+++ new/melange-0.50.6/pkg/linter/linter_test.go 2026-05-08 01:57:51.000000000 +0200
@@ -571,6 +571,19 @@
 linter: "staticarchive",
 pkgname: "test-dev",
 pass: true, // .a files are expected in -dev packages
+ }, {
+ dirFunc: mkfile(t, "usr/lib/libfoo.la"),
+ linter: "libtool/la-files",
+ pass: false,
+ }, {
+ dirFunc: mkfile(t, "usr/lib/libfoo.la"),
+ linter: "libtool/la-files",
+ pkgname: "foo-dev",
+ pass: false, // no auto-exemption for -dev; opt-out is via checks.disabled
+ }, {
+ dirFunc: mkfile(t, "usr/lib/libfoo.so"),
+ linter: "libtool/la-files",
+ pass: true,
 }} {
 ctx := slogtest.Context(t)
 t.Run(c.linter, func(t *testing.T) {
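Review bot: The new `Explain` string is written as an instruction ("Remove libtool archive (.la) files ...") while the neighbouring entries in the same map (`staticarchive`, `duplicate`) describe the finding, so the table now reads inconsistently and the remediation text is duplicated with the message that `linters.LaFilesLinter` itself produces; `Explain: "This package contains libtool archive (.la) files"` would match its siblings and leave the how-to-fix to the linter message. Registering the linter with `defaultBehavior: Require` means any configuration that currently ships `.la` files fails its build until it opts out through `checks.disabled`, which is a behaviour change worth stating explicitly in the release notes (I cannot see from this hunk whether that is done). The map this entry belongs to starts and ends outside the hunk.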
@@ -759,3 +772,20 @@
 assert.NotEmpty(t, manInfoFindings[0].Message)
 assert.NotEmpty(t, manInfoFindings[0].Explain)
 }
+
+func Test_saveLintResultsVersionTraversal(t *testing.T) {
+ ctx := slogtest.Context(t)
+
+ cfg := &config.Configuration{
+ Package: config.Package{
+ Name: "testpkg",
+ Version: "1.0-../../etc/cron.d/evil",
+ },
+ }
+ results := map[string]*types.PackageLintResults{
+ "testpkg": {},
+ }
+
+ err := saveLintResults(ctx, cfg, results, t.TempDir(), "x86_64")
+ assert.ErrorContains(t, err, "path traversal")
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/melange-0.50.5/pkg/linter/linters/libtool.go new/melange-0.50.6/pkg/linter/linters/libtool.go
--- old/melange-0.50.5/pkg/linter/linters/libtool.go 1970-01-01 01:00:00.000000000 +0100
+++ new/melange-0.50.6/pkg/linter/linters/libtool.go 2026-05-08 01:57:51.000000000 +0200
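Review bot: The test pins only the error text, not the property the fix is meant to guarantee, namely that nothing is created on disk when the version is rejected; since the version check in `saveLintResults` runs before the `os.MkdirAll` of the arch directory (visible in the results.go hunk), the output directory must still be empty after the call, and asserting that makes the test fail if the check is ever moved below the directory creation. Capture the directory first, `dir := t.TempDir()`, pass `dir` to `saveLintResults`, and after the `ErrorContains` add `entries, readErr := os.ReadDir(dir); assert.NoError(t, readErr); assert.Empty(t, entries)` (this needs `os` imported in the test file, which I cannot see here). The `Test_` underscore form differs from the `TestXxx` naming Go conventionally uses; if the rest of this file uses `TestXxx`, rename for consistency.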
@@ -0,0 +1,37 @@
+// Copyright 2026 Chainguard, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package linters
+
+import (
+ "context"
+ "fmt"
+ "io/fs"
+ "path/filepath"
+
+ "chainguard.dev/melange/pkg/config"
+)
+
+func LaFilesLinter(ctx context.Context, _ *config.Configuration, pkgname string, fsys fs.FS) error {
+ return AllPaths(ctx, pkgname, fsys,
+ func(path string, d fs.DirEntry) bool { return !d.IsDir() && filepath.Ext(path) == ".la" },
+ func(pkgname string, paths []string) string {
+ fileWord := "file"
+ if len(paths) > 1 {
+ fileWord = "files"
+ }
+ return fmt.Sprintf("%s contains %d libtool archive (.la) %s. Remove them in the build pipeline; if this package legitimately needs to ship .la files, disable this linter via checks.disabled", pkgname, len(paths), fileWord)
+ },
+ )
+}
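Review bot: `LaFilesLinter` is an exported function without a doc comment, which lint tooling flags and which leaves the registry entry in linter.go as the only description of what it matches; add `// LaFilesLinter reports every non-directory entry whose name ends in .la (a libtool archive), which should be removed from the package before it is shipped.` above the declaration. A style nit on the predicate line: the paths handed to the filter come from an `fs.FS`, which are slash-separated by contract, so `path.Ext(path)` is the matching helper rather than `filepath.Ext(path)`; the result is identical on Unix, so this is readability only. The predicate excludes directories but, as far as I can tell, not symlinks whose name ends in `.la`; if flagging those is intended, a short comment on that line would save the next reader a check.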
@@ -51,6 +51,11 @@
 return fmt.Errorf("invalid arch %q: contains path traversal sequence", arch)
 }
+ // Validate version to prevent path traversal
+ if containsPathTraversal(cfg.Package.Version) {
+ return fmt.Errorf("invalid package version %q: contains path traversal sequence", cfg.Package.Version)
+ }
+
 // Ensure the package directory exists
 packageDir := filepath.Join(outputDir, arch)
 if err := os.MkdirAll(packageDir, 0o755); err != nil {
++++++ melange.obsinfo ++++++
--- /var/tmp/diff_new_pack.yCVEDJ/_old 2026-05-11 17:08:11.779586774 +0200
+++ /var/tmp/diff_new_pack.yCVEDJ/_new 2026-05-11 17:08:11.783586938 +0200
@@ -1,5 +1,5 @@
 name: melange
-version: 0.50.5
-mtime: 1777848253
-commit: e04248bc044fbec3c8332b080665d2e74c1dfd66
+version: 0.50.6
+mtime: 1778198271
+commit: 02f6591a691807e561bb77cfda160a902ff8aa50
++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/melange/vendor.tar.gz /work/SRC/openSUSE:Factory/.melange.new.1966/vendor.tar.gz differ: char 132, line 3
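Review bot: The new guard is only as strong as `containsPathTraversal`, whose definition is outside this hunk; if it recognises `..` sequences alone, a version that merely contains a path separator (a constructed example: `1.0/x`) still passes and, once the version is embedded in the results file name, writes the JSON into an unintended subdirectory below `packageDir` or fails on a missing one. Two defences worth adding regardless of the helper's current rules: reject `/` and `\` in the version (and in `arch`) as well, and verify the fully joined results path stays under `packageDir` with `filepath.Rel` before `os.WriteFile`, so the write is gated on the path itself rather than on a per-component blocklist. If the file name also embeds `cfg.Package.Name` (not visible here), it needs the same validation as `arch` and `Version`. `saveLintResults` begins and ends outside the hunk.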
