Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libzypp for openSUSE:Factory checked 
in at 2026-05-31 18:28:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libzypp (Old)
 and      /work/SRC/openSUSE:Factory/.libzypp.new.1937 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libzypp"

Sun May 31 18:28:24 2026 rev:533 rq:1355935 version:17.38.11

Changes:
--------
--- /work/SRC/openSUSE:Factory/libzypp/libzypp.changes  2026-05-29 
18:05:33.450512533 +0200
+++ /work/SRC/openSUSE:Factory/.libzypp.new.1937/libzypp.changes        
2026-05-31 18:28:35.284842711 +0200
@@ -1,0 +2,7 @@
+Fri May 29 18:07:39 CEST 2026 - [email protected]
+
+- Fix potential crash on malformed or malicious repository
+  metadata (fixes #740)
+- version 17.38.11 (35)
+
+-------------------------------------------------------------------

Old:
----
  libzypp-17.38.10.tar.bz2

New:
----
  libzypp-17.38.11.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libzypp.spec ++++++
--- /var/tmp/diff_new_pack.bVwSvR/_old  2026-05-31 18:28:37.448931408 +0200
+++ /var/tmp/diff_new_pack.bVwSvR/_new  2026-05-31 18:28:37.448931408 +0200
@@ -98,7 +98,7 @@
 %endif
 
 Name:           libzypp
-Version:        17.38.10
+Version:        17.38.11
 Release:        0
 License:        GPL-2.0-or-later
 URL:            https://github.com/openSUSE/libzypp

++++++ libzypp-17.38.10.tar.bz2 -> libzypp-17.38.11.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libzypp-17.38.10/po/da.po 
new/libzypp-17.38.11/po/da.po
--- old/libzypp-17.38.10/po/da.po       2026-05-12 16:28:08.000000000 +0200
+++ new/libzypp-17.38.11/po/da.po       2026-05-28 19:20:09.000000000 +0200
@@ -7,16 +7,16 @@
 "Project-Id-Version: libzypp\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-05-12 15:45+0200\n"
-"PO-Revision-Date: 2026-04-08 13:04+0000\n"
+"PO-Revision-Date: 2026-05-28 17:12+0000\n"
 "Last-Translator: Peter Andreasen <[email protected]>\n"
-"Language-Team: Danish <https://l10n.opensuse.org/projects/libzypp/master/da/";
-">\n"
+"Language-Team: Danish <https://l10n.opensuse.org/projects/libzypp/master/da/>"
+"\n"
 "Language: da\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.16.2\n"
+"X-Generator: Weblate 2026.5\n"
 
 #. translators: an annotation to a gpg keys expiry date
 #: zypp-logic/zypp-common/PublicKey.cc:65
@@ -4241,7 +4241,7 @@
 #. translator: Shown as result tag in a progress bar: .......[attention]
 #: zypp/zypp-tui/output/Out.cc:143
 msgid "attention"
-msgstr ""
+msgstr "se her"
 
 #. translator: Shown as result tag in a progress bar: ...........[error]
 #. Translator: download progress bar result: "............[error]"
@@ -4378,6 +4378,7 @@
 "The package was discontinued and has been superseded by a new package with a "
 "different name."
 msgstr ""
+"Pakken er udgået og er blevet erstattet med en ny pakke med et andet navn."
 
 #: zypp/zypp/VendorSupportOptions.cc:60
 msgid "Unknown support option. Description not available"
@@ -4402,12 +4403,12 @@
 #. just report (NO_ERROR); no interactive request to the user
 #: zypp/zypp/media/MediaCurl.cc:822
 msgid "Will try again..."
-msgstr ""
+msgstr "Prøver igen..."
 
 #: zypp/zypp/media/MediaCurl.cc:825
 #, boost-format
 msgid "Giving up after %1% attempts."
-msgstr ""
+msgstr "Giver op efter %1% forsøg."
 
 #: zypp/zypp/media/MediaHandler.cc:339
 msgid ""
@@ -4432,6 +4433,8 @@
 "Downloading signature key via mirrors, consider explicitly setting gpgKeyUrl "
 "via the repository configuration instead."
 msgstr ""
+"Henter signatur-fil via spejle, overvej specifikt at sætte gpgKeyUrl via "
+"repo-konfigurationen i stedet."
 
 #. TranslatorExplanation '%s' is an URL
 #: zypp/zypp/ng/repo/workflows/repomanagerwf.cc:96
@@ -4449,11 +4452,11 @@
 
 #: zypp/zypp/ng/repo/workflows/repomanagerwf.cc:452
 msgid "Failed to retrieve new repository metadata."
-msgstr ""
+msgstr "Kunne ikke hente nye repo-metadata."
 
 #: zypp/zypp/ng/repo/workflows/repomanagerwf.cc:546
 msgid "Failed to cache repo ( unable to start repo2solv )."
-msgstr ""
+msgstr "Kunne ikke mellemlagre repo ( kan ikke starte repo2solv )."
 
 #: zypp/zypp/ng/repo/workflows/repomanagerwf.cc:563
 #: zypp/zypp/ng/repo/workflows/repomanagerwf.cc:602
@@ -4474,7 +4477,7 @@
 #: zypp/zypp/ng/repo/workflows/repomanagerwf.cc:775
 #, boost-format
 msgid "Failed to cache repo %1%"
-msgstr ""
+msgstr "Kunne ikke mellemlagre repo %1%"
 
 #: zypp/zypp/ng/repo/workflows/repomanagerwf.cc:792
 msgid "Unhandled repository type"
@@ -4526,28 +4529,28 @@
 
 #: zypp/zypp/ng/repomanager.cc:381
 msgid "Cleaning metadata"
-msgstr ""
+msgstr "Renser metadata"
 
 #: zypp/zypp/ng/repomanager.cc:399
 msgid "Cleaning packages"
-msgstr ""
+msgstr "Renser pakker"
 
 #: zypp/zypp/ng/repomanager.cc:451
 msgid "Cleaning up cache dirs"
-msgstr ""
+msgstr "Renser mapper med mellemlager"
 
 #: zypp/zypp/ng/repomanager.cc:471
 #, boost-format
 msgid "Cleaning up directory: %1%"
-msgstr ""
+msgstr "Renser mappen: %1%"
 
 #: zypp/zypp/ng/repomanager.cc:501
 msgid "Cleaning cache"
-msgstr ""
+msgstr "Renser mellemlager"
 
 #: zypp/zypp/ng/repomanager.cc:522
 msgid "Loading from cache"
-msgstr ""
+msgstr "Henter fra mellemlager"
 
 #: zypp/zypp/ng/repomanager.cc:613
 #, c-format, boost-format
@@ -4566,11 +4569,11 @@
 
 #: zypp/zypp/ng/repomanager.cc:703
 msgid "Modifying repository"
-msgstr ""
+msgstr "Ændrer repo"
 
 #: zypp/zypp/ng/repomanager.cc:896
 msgid "Refreshing Repository: "
-msgstr ""
+msgstr "Genopfrisker Repo: "
 
 #: zypp/zypp/ng/repomanager.cc:1081 zypp/zypp/ng/repomanager.cc:1153
 msgid "Can't figure out where the service is stored."
@@ -4596,38 +4599,39 @@
 #: zypp/zypp/ng/reporthelper.cc:26
 #, c-format, boost-format
 msgid "No digest for file %s."
-msgstr ""
+msgstr "Ingen sammendrag for filen %s."
 
 #: zypp/zypp/ng/reporthelper.cc:38
 #, c-format, boost-format
 msgid "Unknown digest %s for file %s."
-msgstr ""
+msgstr "Ukendt sammendrag %s for filen %s."
 
 #: zypp/zypp/ng/reporthelper.cc:51
 #, c-format, boost-format
 msgid "Digest verification failed for file '%s'"
-msgstr ""
+msgstr "Sammendrag kunne ikke verificeres for filen '%s'"
 
 #. TranslatorExplanation: speaking of a file
 #: zypp/zypp/ng/reporthelper.cc:68
 #, c-format, boost-format
 msgid "File '%s' is unsigned, continue?"
-msgstr ""
+msgstr "Filen '%s' er ikke signeret, fortsæt?"
 
 #. TranslatorExplanation: speaking of a file
 #: zypp/zypp/ng/reporthelper.cc:72
 #, c-format, boost-format
 msgid "File '%s' from repository '%s' is unsigned, continue?"
-msgstr ""
+msgstr "Filen '%s' fra repo '%s' er ikke signeret, fortsæt?"
 
 #: zypp/zypp/ng/reporthelper.cc:89
 msgid "Do you want to reject the key, trust temporarily, or trust always?"
 msgstr ""
+"Vil du afvise nøglen, acceptere den midlertidigt, eller altid stole på den?"
 
 #: zypp/zypp/ng/reporthelper.cc:115
 #, boost-format
 msgid "Key Name: %1%"
-msgstr ""
+msgstr "Nøgle-navn: %1%"
 
 #: zypp/zypp/ng/reporthelper.cc:127
 #, boost-format
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libzypp-17.38.10/zypp/VERSION.cmake 
new/libzypp-17.38.11/zypp/VERSION.cmake
--- old/libzypp-17.38.10/zypp/VERSION.cmake     2026-05-27 17:50:40.000000000 
+0200
+++ new/libzypp-17.38.11/zypp/VERSION.cmake     2026-05-29 18:08:11.000000000 
+0200
@@ -61,8 +61,8 @@
 SET(LIBZYPP_MAJOR "17")
 SET(LIBZYPP_COMPATMINOR "35")
 SET(LIBZYPP_MINOR "38")
-SET(LIBZYPP_PATCH "10")
+SET(LIBZYPP_PATCH "11")
 #
-# LAST RELEASED: 17.38.10 (35)
+# LAST RELEASED: 17.38.11 (35)
 # (The number in parenthesis is LIBZYPP_COMPATMINOR)
 #=======
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libzypp-17.38.10/zypp/package/libzypp.changes 
new/libzypp-17.38.11/zypp/package/libzypp.changes
--- old/libzypp-17.38.10/zypp/package/libzypp.changes   2026-05-27 
17:50:41.000000000 +0200
+++ new/libzypp-17.38.11/zypp/package/libzypp.changes   2026-05-29 
18:08:11.000000000 +0200
@@ -1,4 +1,11 @@
 -------------------------------------------------------------------
+Fri May 29 18:07:39 CEST 2026 - [email protected]
+
+- Fix potential crash on malformed or malicious repository
+  metadata (fixes #740)
+- version 17.38.11 (35)
+
+-------------------------------------------------------------------
 Wed May 27 17:09:30 CEST 2026 - [email protected]
 
 - Repo metadata: discard entries referring to a location outside
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/libzypp-17.38.10/zypp/zypp/parser/susetags/ContentFileReader.cc 
new/libzypp-17.38.11/zypp/zypp/parser/susetags/ContentFileReader.cc
--- old/libzypp-17.38.10/zypp/zypp/parser/susetags/ContentFileReader.cc 
2026-05-27 17:50:41.000000000 +0200
+++ new/libzypp-17.38.11/zypp/zypp/parser/susetags/ContentFileReader.cc 
2026-05-29 18:08:11.000000000 +0200
@@ -52,8 +52,6 @@
 
         std::string sanitizeEntry( Pathname path_r )
         {
-          if ( path_r.empty() )
-            return {};
           // HASH SHA1 d423ad41e93a51195a6264961e4a074c6d89359d  
boot/../x86_64/bind    => x86_64/bind
           // HASH SHA1 d423ad41e93a51195a6264961e4a074c6d89359d  
boot/../../x86_64/bind => ../* discarded
           // Turning it into a Pathname normalizes the representation.
@@ -63,7 +61,15 @@
             pWAR( "Hostile location:", path_r, "=>", "discard data entry" );
             return {};
           }
-          return path_r.asString().substr( path_r.absolute() ? 1 : 2 ); // 
skip leading "/" or  "./"
+          // Skip leading "/" or  "./" trying to retain the original string 
format
+          std::string ret = path_r.asString();
+          if ( ret.size() <= 1 )
+            return ret;                   // is "", "." or "/"
+          if ( ret[0] == '/' )
+            ret = ret.substr( 1 );        // skip leading "/"
+          else
+            ret = ret.substr( 2 );        // skip leading "./"
+          return ret;
         }
       }
 
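Review bot: The new early return `if ( ret.size() <= 1 ) return ret;` hands "." or "/" back to the caller as an entry location, whereas the hostile-location branch just above discards the entry with `return {};` and the removed `substr` line turned "/" into an empty string. Because this value comes from repository metadata, a path that normalizes to the root or the current directory is better discarded the same way, e.g. `if ( ret.size() <= 1 ) { pWAR( "Degenerate location:", path_r, "=>", "discard data entry" ); return {}; }`, unless the callers (not visible here) are known to reject such names. The `else` branch still assumes every non-absolute string begins with "./"; writing it as `else if ( ret.compare( 0, 2, "./" ) == 0 )` would keep a change in Pathname's representation from silently dropping two real characters. The start of sanitizeEntry sits in the previous hunk, and the condition guarding the hostile branch lies between the two hunks, so it is not visible.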
