Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libzypp for openSUSE:Factory checked in at 2026-05-29 18:04:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libzypp (Old) and /work/SRC/openSUSE:Factory/.libzypp.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libzypp" Fri May 29 18:04:46 2026 rev:532 rq:1355462 version:17.38.10 Changes: -------- --- /work/SRC/openSUSE:Factory/libzypp/libzypp.changes 2026-05-20 15:23:35.135829392 +0200 +++ /work/SRC/openSUSE:Factory/.libzypp.new.1937/libzypp.changes 2026-05-29 18:05:33.450512533 +0200 @@ -1,0 +2,13 @@ +Wed May 27 17:09:30 CEST 2026 - [email protected] + +- Repo metadata: discard entries referring to a location outside + the repo (bsc#1259802, CVE-2026-25707) + Mirroring those data locally would refer to a location outside + the repo's local cache directory. Those data entries are reported + and discarded. +- zypp.conf: Allow [env] section to add environment variables. + This feature is designed to enable environment-specific settings + or debugging options over an extended period. See zypp.conf(5). +- version 17.38.10 (35) + +------------------------------------------------------------------- Old: ---- libzypp-17.38.9.tar.bz2 New: ---- libzypp-17.38.10.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libzypp.spec ++++++ --- /var/tmp/diff_new_pack.5Kg09x/_old 2026-05-29 18:05:34.522556892 +0200 +++ /var/tmp/diff_new_pack.5Kg09x/_new 2026-05-29 18:05:34.526557058 +0200 @@ -98,7 +98,7 @@ %endif Name: libzypp -Version: 17.38.9 +Version: 17.38.10 Release: 0 License: GPL-2.0-or-later URL: https://github.com/openSUSE/libzypp ++++++ libzypp-17.38.9.tar.bz2 -> libzypp-17.38.10.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.38.9/po/de.po new/libzypp-17.38.10/po/de.po --- old/libzypp-17.38.9/po/de.po 2026-05-12 16:28:08.000000000 +0200 +++ new/libzypp-17.38.10/po/de.po 2026-05-19 13:20:09.000000000 +0200 
@@ -18,16 +18,16 @@ "Project-Id-Version: zypp.de\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2026-05-12 15:45+0200\n" -"PO-Revision-Date: 2026-01-16 21:04+0000\n" -"Last-Translator: Ettore Atalan <[email protected]>\n" -"Language-Team: German <https://l10n.opensuse.org/projects/libzypp/master/de/" -">\n" +"PO-Revision-Date: 2026-05-19 11:12+0000\n" +"Last-Translator: Gemineo <[email protected]>\n" +"Language-Team: German <https://l10n.opensuse.org/projects/libzypp/master/de/>" +"\n" "Language: de\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n != 1;\n" -"X-Generator: Weblate 5.15.2\n" +"X-Generator: Weblate 2026.5\n" #. translators: an annotation to a gpg keys expiry date #: zypp-logic/zypp-common/PublicKey.cc:65 @@ -4351,7 +4351,7 @@ #: zypp/zypp/VendorSupportOptions.cc:31 msgid "Discontinued and superseded by a different package" -msgstr "Nicht mehr in Betrieb und durch ein anderes Paket ersetzt" +msgstr "Eingestellt und durch ein anderes Paket ersetzt" #: zypp/zypp/VendorSupportOptions.cc:33 msgid "invalid" @@ -4409,8 +4409,8 @@ "The package was discontinued and has been superseded by a new package with a " "different name." msgstr "" -"Das Paket ist nicht mehr in Betrieb und wurde durch ein neueres Paket mit " -"einem anderen Namen ersetzt." +"Das Paket wurde eingestellt und durch ein neues Paket mit einem anderen " +"Namen ersetzt." #: zypp/zypp/VendorSupportOptions.cc:60 msgid "Unknown support option. Description not available" 
@@ -4465,6 +4465,9 @@ "Downloading signature key via mirrors, consider explicitly setting gpgKeyUrl " "via the repository configuration instead." msgstr "" +"Wenn Sie den Signaturschlüssel über Spiegel-Server herunterladen, sollten " +"Sie stattdessen erwägen, die Variable „gpgKeyUrl“ explizit über die " +"Repository-Konfiguration festzulegen." #. TranslatorExplanation '%s' is an URL #: zypp/zypp/ng/repo/workflows/repomanagerwf.cc:96 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.38.9/po/it.po new/libzypp-17.38.10/po/it.po --- old/libzypp-17.38.9/po/it.po 2026-05-12 16:28:08.000000000 +0200 +++ new/libzypp-17.38.10/po/it.po 2026-05-19 13:20:09.000000000 +0200 @@ -15,16 +15,16 @@ "Project-Id-Version: zypp\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2026-05-12 15:45+0200\n" -"PO-Revision-Date: 2026-03-14 12:04+0000\n" -"Last-Translator: Paolo Za <[email protected]>\n" -"Language-Team: Italian <https://l10n.opensuse.org/projects/libzypp/master/it/" -">\n" +"PO-Revision-Date: 2026-05-19 11:12+0000\n" +"Last-Translator: Davide Aiello <[email protected]>\n" +"Language-Team: Italian <https://l10n.opensuse.org/projects/libzypp/master/" +"it/>\n" "Language: it\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=n != 1;\n" -"X-Generator: Weblate 5.16.2\n" +"X-Generator: Weblate 2026.5\n" "X-Poedit-Bookmarks: 370,-1,-1,-1,-1,-1,-1,-1,-1,-1\n" #. translators: an annotation to a gpg keys expiry date @@ -366,7 +366,7 @@ #: zypp-logic/zypp-curl/ng/network/networkrequesterror.cc:264 msgid "The peer certificate could not be verified" -msgstr "" +msgstr "Non è stato possibile verificare il certificato peer" #: zypp-logic/zypp-curl/ng/network/networkrequesterror.cc:266 msgid "Connection failed" 
@@ -402,7 +402,7 @@ #: zypp-logic/zypp-curl/ng/network/networkrequesterror.cc:282 msgid "Login failed." -msgstr "" +msgstr "Accesso non riuscito." #: zypp-logic/zypp-curl/ng/network/networkrequesterror.cc:284 msgid "Server returned an error for the given request." @@ -417,6 +417,8 @@ "Invalid data from server, multipart was requested but there was no range " "status code." msgstr "" +"Dati non validi dal server: è stato richiesto il multipart ma non è stato " +"fornito alcun codice di stato dell'intervallo." #: zypp-logic/zypp-curl/ng/network/networkrequesterror.cc:290 msgid "Server returned a HTTP/2 error." @@ -424,7 +426,7 @@ #: zypp-logic/zypp-curl/ng/network/networkrequesterror.cc:292 msgid "Server returned a HTTP/2 stream error." -msgstr "" +msgstr "Il server ha restituito un errore di flusso HTTP/2." #: zypp-logic/zypp-media/mediaexception.cc:33 #, c-format, boost-format @@ -4453,6 +4455,8 @@ "Downloading signature key via mirrors, consider explicitly setting gpgKeyUrl " "via the repository configuration instead." msgstr "" +"Se stai scaricando la chiave della firma tramite mirror, valuta invece di " +"impostare esplicitamente gpgKeyUrl tramite la configurazione del repository." #. TranslatorExplanation '%s' is an URL #: zypp/zypp/ng/repo/workflows/repomanagerwf.cc:96 @@ -4747,7 +4751,7 @@ #: zypp/zypp/repo/PackageProvider.cc:615 msgid "download deltarpm: not found" -msgstr "" +msgstr "download deltarpm: non trovato" #: zypp/zypp/repo/PackageProvider.cc:629 msgid "applydeltarpm check failed." diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.38.9/zypp/VERSION.cmake new/libzypp-17.38.10/zypp/VERSION.cmake --- old/libzypp-17.38.9/zypp/VERSION.cmake 2026-05-19 10:02:21.000000000 +0200 +++ new/libzypp-17.38.10/zypp/VERSION.cmake 2026-05-27 17:50:40.000000000 +0200 
@@ -61,8 +61,8 @@ SET(LIBZYPP_MAJOR "17") SET(LIBZYPP_COMPATMINOR "35") SET(LIBZYPP_MINOR "38") -SET(LIBZYPP_PATCH "9") +SET(LIBZYPP_PATCH "10") # -# LAST RELEASED: 17.38.9 (35) +# LAST RELEASED: 17.38.10 (35) # (The number in parenthesis is LIBZYPP_COMPATMINOR) #======= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.38.9/zypp/doc/zypp.conf.5.txt new/libzypp-17.38.10/zypp/doc/zypp.conf.5.txt --- old/libzypp-17.38.9/zypp/doc/zypp.conf.5.txt 2026-01-29 17:27:54.000000000 +0100 +++ new/libzypp-17.38.10/zypp/doc/zypp.conf.5.txt 2026-05-21 11:30:08.000000000 +0200 @@ -363,6 +363,15 @@ *arch* (_<UNSET>_):: [__Expert Only!_] Only set it if you actually know what you're doing! Overrides the _autodetected_ system architecture. Sometimes used for testing, but there's actually no use case unless the autodetection would fail. +*[env]* +~~~~~~~ +The section allows _adding_ environment variables after the host system's configuration has been parsed. Each _key/value_ pair is applied to the process environment if it does not already exist. It will neither amend nor unset already existing environment variables. + +*key = value* attempts to set the environment variable named _key_ to _value_. + +This feature is designed to enable environment-specific settings or debugging options over an extended period. However, note that any environment variables required before configuration files are parsed cannot be set here, as they will have no effect. (e.g. ZYPP_LOGFILE) + + FILES ----- _/{vendorconfdir}/zypp/zypp.conf + @@ -395,5 +404,3 @@ SEE ALSO -------- *zypper*(8) - - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.38.9/zypp/package/libzypp.changes new/libzypp-17.38.10/zypp/package/libzypp.changes --- old/libzypp-17.38.9/zypp/package/libzypp.changes 2026-05-19 10:02:21.000000000 +0200 +++ new/libzypp-17.38.10/zypp/package/libzypp.changes 2026-05-27 17:50:41.000000000 +0200 
@@ -1,4 +1,17 @@ ------------------------------------------------------------------- +Wed May 27 17:09:30 CEST 2026 - [email protected] + +- Repo metadata: discard entries referring to a location outside + the repo (bsc#1259802, CVE-2026-25707) + Mirroring those data locally would refer to a location outside + the repo's local cache directory. Those data entries are reported + and discarded. +- zypp.conf: Allow [env] section to add environment variables. + This feature is designed to enable environment-specific settings + or debugging options over an extended period. See zypp.conf(5). +- version 17.38.10 (35) + +------------------------------------------------------------------- Tue May 19 09:21:50 CEST 2026 - [email protected] - Prevent configured scripts from escaping the sigcheck directory diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.38.9/zypp/tests/parser/yum/data/repomd-1.xml new/libzypp-17.38.10/zypp/tests/parser/yum/data/repomd-1.xml --- old/libzypp-17.38.9/zypp/tests/parser/yum/data/repomd-1.xml 2025-08-12 11:30:13.000000000 +0200 +++ new/libzypp-17.38.10/zypp/tests/parser/yum/data/repomd-1.xml 2026-05-27 17:50:41.000000000 +0200 @@ -36,4 +36,10 @@ <timestamp>1176225550</timestamp> <open-checksum type="sha">ce38366eaded03cb8b3fdc64bb31ea5304e9901c</open-checksum> </data> + <data type="hostile"> + <location href="../hostile/to_be_discarded"/> + <checksum type="sha">689fecabbb0907f51f5bb7211048e091c6f2bc84</checksum> + <timestamp>1176225550</timestamp> + <open-checksum type="sha">ce38366eaded03cb8b3fdc64bb31ea5304e9901c</open-checksum> + </data> </repomd> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.38.9/zypp/zypp/ZConfig.cc new/libzypp-17.38.10/zypp/zypp/ZConfig.cc --- old/libzypp-17.38.9/zypp/zypp/ZConfig.cc 2026-04-09 15:30:10.000000000 +0200 +++ new/libzypp-17.38.10/zypp/zypp/ZConfig.cc 2026-05-21 11:30:08.000000000 +0200 
@@ -9,13 +9,15 @@ /** \file zypp/ZConfig.cc * */ - +#include <cstdlib> #include <iostream> #include <optional> +#include <map> #include <zypp-core/APIConfig.h> #include <zypp-core/base/LogTools.h> #include <zypp-core/base/IOStream.h> #include <zypp-core/base/InputStream> +#include <zypp-core/base/Errno.h> #include <zypp-core/base/String.h> #include <zypp-core/base/Regex.h> @@ -341,6 +343,9 @@ MIL << "libzypp: " LIBZYPP_VERSION_STRING << " (" << LIBZYPP_CODESTREAM << ")" << endl; ZyppConfIniMap iniMap; // Scan the default zypp.conf settings + + using EnvMap = std::map<std::string,std::string>; + std::optional<EnvMap> envMap; for ( const auto & section : iniMap.sections() ) { for ( const auto & [entry,value] : iniMap.entries( section ) ) { 
@@ -525,11 +530,38 @@ pWAR( "zypp.conf: Unknown entry in [main]:", entry, "=", value ); } } + else if ( section == "env" ) + { + if ( !envMap ) + envMap = EnvMap(); + auto [it, inserted] = envMap->emplace( entry, value ); + if ( !inserted ) { + WAR << "zypp.conf [env]: duplicate key '" << entry << "', shadowing previous value '" << it->second << "' with '" << value << "'" << endl; + it->second = value; + } + } else { // unknown section { pWAR( "zypp.conf: Unknown section:", str::sconcat("[",section,"]"), entry, "=", value ); } } } + + if ( envMap ) { + for ( const auto & [entry, value] : *envMap ) { + const char* exists = ::getenv( entry.c_str() ); + if ( exists == nullptr ) { + if ( ::setenv( entry.c_str(), value.c_str(), 0 ) != 0 ) { + pWAR( "zypp.conf [env]: set", str::sconcat("'",entry,"=",value,"'"), ": failed", Errno() ); + } + else { + pMIL( "zypp.conf [env]: set", str::sconcat("'",entry,"=",value,"'") ); + } + } + else { + pWAR( "zypp.conf [env]: skip", str::sconcat("'",entry,"=",value,"'"), ": is already set to", str::sconcat("'",exists,"'") ); + } + } + } // legacy: if ( getenv( "ZYPP_TESTSUITE_FAKE_ARCH" ) ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.38.9/zypp/zypp/parser/susetags/ContentFileReader.cc new/libzypp-17.38.10/zypp/zypp/parser/susetags/ContentFileReader.cc --- old/libzypp-17.38.9/zypp/zypp/parser/susetags/ContentFileReader.cc 2026-04-09 15:30:10.000000000 +0200 +++ new/libzypp-17.38.10/zypp/zypp/parser/susetags/ContentFileReader.cc 2026-05-27 17:50:41.000000000 +0200 @@ -12,6 +12,7 @@ #include <iostream> #include <sstream> +#include <zypp/ZYppCallbacks.h> #include <zypp-core/base/LogTools.h> #include <zypp-core/base/String.h> #include <zypp-core/base/IOStream.h> 
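Review bot: The `pMIL`/`pWAR` calls in the apply loop write every configured value verbatim into the log (`str::sconcat("'",entry,"=",value,"'")`), so an [env] entry carrying a proxy URL with embedded credentials or an access token ends up in the zypp log file; logging only the key, e.g. `pMIL( "zypp.conf [env]: set", entry );` on the success path and likewise for the skip and failure paths, avoids that, or zypp.conf(5) should state that values are logged. Since `::setenv( ..., 0 )` already refuses to overwrite, the preceding `::getenv` only serves the "is already set" message, which is fine but worth a one-line comment so nobody "simplifies" it into an overwrite. The enclosing function continues past the hunk.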
@@ -35,6 +36,37 @@ namespace susetags { ///////////////////////////////////////////////////////////////// + namespace { + // Take care the parsed pathnames do not + // refer to locations outside the repo! + Pathname sanitize( Pathname path_r ) + { + Pathname ret = path_r.absolutename(); // strips leading ../s. + if ( path_r.relativeDotDot() ) { + // Don't accept downloadable data outside repo root + JobReport::warning( str::sconcat( "Content file: hostile location ",path_r," => ", ret ) ); + pWAR( "Hostile location:", path_r, "=>", ret ); + } + return ret; + } + + std::string sanitizeEntry( Pathname path_r ) + { + if ( path_r.empty() ) + return {}; + // HASH SHA1 d423ad41e93a51195a6264961e4a074c6d89359d boot/../x86_64/bind => x86_64/bind + // HASH SHA1 d423ad41e93a51195a6264961e4a074c6d89359d boot/../../x86_64/bind => ../* discarded + // Turning it into a Pathname normalizes the representation. + if ( path_r.relativeDotDot() ) { + // Don't accept downloadable data outside repo root + JobReport::warning( str::sconcat( "Content file: hostile location ",path_r," => discard data entry" ) ); + pWAR( "Hostile location:", path_r, "=>", "discard data entry" ); + return {}; + } + return path_r.asString().substr( path_r.absolute() ? 1 : 2 ); // skip leading "/" or "./" + } + } + /////////////////////////////////////////////////////////////////// // // CLASS NAME : ContentFileReader::Impl @@ -71,7 +103,9 @@ std::vector<std::string> words; if ( str::split( value, std::back_inserter( words ) ) == 3 ) { - map_r[words[2]] = CheckSum( words[0], words[1] ); + std::string pathstr = sanitizeEntry( words[2] ); + if ( not pathstr.empty() ) + map_r[std::move(pathstr)] = CheckSum( words[0], words[1] ); } else { 
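Review bot: `sanitizeEntry` ends with `path_r.asString().substr( path_r.absolute() ? 1 : 2 )`, which assumes the normalized representation is always at least two characters long; if a bare `.` entry normalizes to a one-character string (the comment on that line implies relative paths are stored as `./...`), `substr(2)` throws `std::out_of_range` from inside the parser while reading untrusted repository content. A guard such as `if ( path_r.asString().size() < 2 ) return {};` before the substr, or stripping the known prefix instead of a fixed offset, keeps a malformed entry on the discard path rather than the exception path. Also, `sanitize` keeps a hostile DESCRDIR/DATADIR in its normalized absolute form while `sanitizeEntry` discards the entry; a short comment on `sanitize` explaining why a remapped directory is acceptable there would spare the next reader the question. Both helpers are complete within the hunk; `ContentFileReader::Impl` is cut off at the hunk end.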
@@ -216,11 +250,11 @@ // else if ( key == "DESCRDIR" ) { - _pimpl->repoindex().descrdir = value; + _pimpl->repoindex().descrdir = sanitize( value ); } else if ( key == "DATADIR" ) { - _pimpl->repoindex().datadir = value; + _pimpl->repoindex().datadir = sanitize( value ); } else if ( key == "KEY" ) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.38.9/zypp/zypp/parser/yum/RepomdFileReader.cc new/libzypp-17.38.10/zypp/zypp/parser/yum/RepomdFileReader.cc --- old/libzypp-17.38.9/zypp/zypp/parser/yum/RepomdFileReader.cc 2026-04-09 15:30:10.000000000 +0200 +++ new/libzypp-17.38.10/zypp/zypp/parser/yum/RepomdFileReader.cc 2026-05-27 17:50:41.000000000 +0200 @@ -12,8 +12,9 @@ #include <iostream> #include <utility> +#include <zypp/ZYppCallbacks.h> #include <zypp-core/base/String.h> -#include <zypp-core/base/Logger.h> +#include <zypp-core/base/LogTools.h> #include <zypp-core/base/Regex.h> #include <zypp-core/Pathname.h> @@ -48,6 +49,7 @@ /** Ctro taking a ProcessResource callback */ Impl(const Pathname &repomd_file, ProcessResource &&callback ) : _callback( std::move(callback) ) + , _repomdFile( repomd_file ) { Reader reader( repomd_file ); MIL << "Reading " << repomd_file << endl; @@ -85,6 +87,9 @@ OnMediaLocation _location; std::set<std::string> _keywords; ///< repo keywords parsed on the fly + + Pathname _repomdFile; ///< remember parsed filename + bool _discardDataEntry = false; ///< to ignore the current data entry }; /////////////////////////////////////////////////////////////////////// @@ -101,7 +106,7 @@ bool RepomdFileReader::Impl::consumeNode( Reader & reader_r ) { - if ( reader_r->nodeType() == XML_READER_TYPE_ELEMENT ) + if ( reader_r->nodeType() == XML_READER_TYPE_ELEMENT && not _discardDataEntry ) { // xpath: /repomd if ( reader_r->name() == "repomd" ) 
@@ -119,7 +124,16 @@ // xpath: /repomd/location if ( reader_r->name() == "location" ) { - _location.setLocation( reader_r->getAttribute("href").asString(), 1 ); + Pathname location { reader_r->getAttribute("href").asString() }; + if ( location.relativeDotDot() ) { + // Don't accept downloadable data outside repo root + JobReport::warning( str::sconcat( _repomdFile,": data type ",_typeStr,": hostile location ",location," => discard data entry" ) ); + pWAR( "Hostile location:", _typeStr, location, "=>", "discard data entry" ); + _discardDataEntry = true; + return true; + } + _location.setLocation( std::move(location), 1 ); + // ignoring attribute xml:base return true; } @@ -174,8 +188,10 @@ // xpath: /repomd/data if ( reader_r->name() == "data" ) { - if (_callback) { - _callback( std::move(_location), _typeStr ); + if ( _callback ) { + if ( not _discardDataEntry ) + _callback( std::move(_location), _typeStr ); + _discardDataEntry = false; _location = OnMediaLocation(); _typeStr.clear(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libzypp-17.38.9/zypp-logic/zypp-common/KeyManager.cc new/libzypp-17.38.10/zypp-logic/zypp-common/KeyManager.cc --- old/libzypp-17.38.9/zypp-logic/zypp-common/KeyManager.cc 2026-04-09 15:30:09.000000000 +0200 +++ new/libzypp-17.38.10/zypp-logic/zypp-common/KeyManager.cc 2026-05-20 11:40:09.000000000 +0200 
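Review bot: In the `/repomd/data` end-element branch, `_discardDataEntry = false;` sits inside `if ( _callback )`, so with no callback installed a hostile `<location>` leaves the flag set and the gate added to `consumeNode` (`&& not _discardDataEntry`) then skips every element node for the rest of the file, including later `<data>` entries and the on-the-fly keyword parsing. Resetting the per-entry state unconditionally avoids that: `if ( _callback && not _discardDataEntry ) _callback( std::move(_location), _typeStr );` followed by the three resets (`_discardDataEntry = false; _location = OnMediaLocation(); _typeStr.clear();`) outside the if. Whether an Impl without a callback is reachable is not visible in this hunk; if it is not, a comment saying so is enough. `consumeNode` starts outside the hunk.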
@@ -290,18 +290,22 @@ // our workflow when verifying files that have multiple signatures, including some that are // not in the trusted keyring. We should not fail if we have unknown or expired keys and at least a good one. // We will however keep the behaviour of failing if we find a bad signatures even if others are good. - if ( status != GPG_ERR_KEY_EXPIRED && status != GPG_ERR_NO_PUBKEY ) - { - WAR << "Failed signature check: " << file_r << " " << GpgmeErr(sig->status) << endl; - if ( !foundBadSignature ) - foundBadSignature = true; - } - else - { - WAR << "Legacy: Ignore expired or unknown key: " << file_r << " " << GpgmeErr(sig->status) << endl; - // for now treat expired keys as good signature - if ( status == GPG_ERR_KEY_EXPIRED ) + switch ( status ) { + case GPG_ERR_KEY_EXPIRED: + // for now treat expired keys as good signature foundGoodSignature = true; + WAR << "Accept good signature from expired key: " << file_r << " " << GpgmeErr(sig->status) << endl; + break; + + case GPG_ERR_NO_PUBKEY: + WAR << "Legacy: Ignore unknown key: " << file_r << " " << GpgmeErr(sig->status) << endl; + break; + + default: + WAR << "Failed signature check: " << file_r << " " << GpgmeErr(sig->status) << endl; + if ( !foundBadSignature ) + foundBadSignature = true; + break; } } else { foundGoodSignature = true;
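Review bot: In the `default:` branch, `if ( !foundBadSignature ) foundBadSignature = true;` is just `foundBadSignature = true;` with an extra read; the guard was carried over from the removed code and can go. The `GPG_ERR_KEY_EXPIRED` case deliberately counts a signature from an expired key as good, which is the security-relevant decision in this switch, so the `// for now treat expired keys as good signature` comment would be more useful if it named the reason for the policy and the condition under which it is to be revisited. The enclosing loop and function start and end outside the hunk.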
