Hello community,

here is the log from the commit of package libzypp for openSUSE:Factory checked 
in at 2026-06-09 14:17:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libzypp (Old)
 and      /work/SRC/openSUSE:Factory/.libzypp.new.2375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libzypp"

Tue Jun  9 14:17:32 2026 rev:534 rq:1357995 version:17.38.13

Changes:
--------
--- /work/SRC/openSUSE:Factory/libzypp/libzypp.changes  2026-05-31 
18:28:35.284842711 +0200
+++ /work/SRC/openSUSE:Factory/.libzypp.new.2375/libzypp.changes        
2026-06-09 14:21:33.767713096 +0200
@@ -1,0 +2,17 @@
+Mon Jun  8 14:54:34 CEST 2026 - [email protected]
+
+- A .repo files "path=" entry must not refer to a location
+  outside the repo (bsc#1267874, CVE-2026-44942)
+  A "path=" entry may solely denote a sub-directory of the baseurl
+  where the metadata are located. A relative path trying to access
+  data outside the baseurl is reported and sanitized.
+- version 17.38.13 (35)
+
+-------------------------------------------------------------------
+Fri Jun  5 14:13:21 CEST 2026 - [email protected]
+
+- Repo "keyhint" must denote a filename, no path (bsc#1267426,
+  CVE-2026-44941)
+- version 17.38.12 (35)
+
+-------------------------------------------------------------------

Old:
----
  libzypp-17.38.11.tar.bz2

New:
----
  libzypp-17.38.13.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libzypp.spec ++++++
--- /var/tmp/diff_new_pack.7dWl9N/_old  2026-06-09 14:21:37.751876882 +0200
+++ /var/tmp/diff_new_pack.7dWl9N/_new  2026-06-09 14:21:37.767877540 +0200
@@ -98,7 +98,7 @@
 %endif
 
 Name:           libzypp
-Version:        17.38.11
+Version:        17.38.13
 Release:        0
 License:        GPL-2.0-or-later
 URL:            https://github.com/openSUSE/libzypp

++++++ libzypp-17.38.11.tar.bz2 -> libzypp-17.38.13.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libzypp-17.38.11/po/uk.po 
new/libzypp-17.38.13/po/uk.po
--- old/libzypp-17.38.11/po/uk.po       2026-05-12 16:28:08.000000000 +0200
+++ new/libzypp-17.38.13/po/uk.po       2026-06-08 08:00:14.000000000 +0200
@@ -14,8 +14,8 @@
 "Project-Id-Version: zypp.uk\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2026-05-12 15:45+0200\n"
-"PO-Revision-Date: 2025-07-22 15:02+0000\n"
-"Last-Translator: Julia Faltenbacher <[email protected]>\n"
+"PO-Revision-Date: 2026-06-07 17:12+0000\n"
+"Last-Translator: Eugene Krater <[email protected]>\n"
 "Language-Team: Ukrainian <https://l10n.opensuse.org/projects/libzypp/master/";
 "uk/>\n"
 "Language: uk\n"
@@ -24,7 +24,7 @@
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
 "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
-"X-Generator: Weblate 5.12.2\n"
+"X-Generator: Weblate 2026.6.1\n"
 
 #. translators: an annotation to a gpg keys expiry date
 #: zypp-logic/zypp-common/PublicKey.cc:65
@@ -145,11 +145,11 @@
 #: zypp-logic/zypp-core/ng/io/forkspawnengine.cc:243
 #: zypp-logic/zypp-core/ng/io/forkspawnengine.cc:487
 msgid "Invalid spawn arguments given."
-msgstr ""
+msgstr "Вказано неправильні аргументи запуску."
 
 #: zypp-logic/zypp-core/ng/io/forkspawnengine.cc:299
 msgid "Unable to create control pipe."
-msgstr ""
+msgstr "Неможливо створити канал контролю."
 
 #: zypp-logic/zypp-core/ng/io/forkspawnengine.cc:366
 #, c-format, boost-format
@@ -181,22 +181,22 @@
 #: zypp-logic/zypp-core/ng/io/forkspawnengine.cc:432
 #, c-format, boost-format
 msgid "Can't exec '%s', chdir failed (%s)."
-msgstr ""
+msgstr "Неможливо виконати “%s”, помилка під час зміни каталогу (%s)."
 
 #: zypp-logic/zypp-core/ng/io/forkspawnengine.cc:435
 #, c-format, boost-format
 msgid "Can't exec '%s', chroot failed (%s)."
-msgstr ""
+msgstr "Не вдається виконати “%s”, помилка chroot (%s)."
 
 #: zypp-logic/zypp-core/ng/io/forkspawnengine.cc:438
 #, c-format, boost-format
 msgid "Can't exec '%s', exec failed (%s)."
-msgstr ""
+msgstr "Не вдається виконати “%s”, помилка exec (%s)."
 
 #: zypp-logic/zypp-core/ng/io/forkspawnengine.cc:442
 #, c-format, boost-format
 msgid "Can't exec '%s', unexpected error."
-msgstr ""
+msgstr "Не вдається виконати “%s”, сталася несподівана помилка."
 
 #: zypp-logic/zypp-core/url/UrlBase.cc:221
 #, c-format, boost-format
@@ -342,15 +342,15 @@
 
 #: zypp-logic/zypp-curl/ng/network/networkrequesterror.cc:254
 msgid "No error"
-msgstr ""
+msgstr "Помилок немає"
 
 #: zypp-logic/zypp-curl/ng/network/networkrequesterror.cc:256
 msgid "Internal Error"
-msgstr ""
+msgstr "Внутрішня помилка"
 
 #: zypp-logic/zypp-curl/ng/network/networkrequesterror.cc:258
 msgid "The request was cancelled"
-msgstr ""
+msgstr "Запит було скасовано"
 
 #: zypp-logic/zypp-curl/ng/network/networkrequesterror.cc:260
 msgid "The request exceeded the maximum download size"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libzypp-17.38.11/zypp/VERSION.cmake 
new/libzypp-17.38.13/zypp/VERSION.cmake
--- old/libzypp-17.38.11/zypp/VERSION.cmake     2026-05-29 18:08:11.000000000 
+0200
+++ new/libzypp-17.38.13/zypp/VERSION.cmake     2026-06-08 14:57:13.000000000 
+0200
@@ -61,8 +61,8 @@
 SET(LIBZYPP_MAJOR "17")
 SET(LIBZYPP_COMPATMINOR "35")
 SET(LIBZYPP_MINOR "38")
-SET(LIBZYPP_PATCH "11")
+SET(LIBZYPP_PATCH "13")
 #
-# LAST RELEASED: 17.38.11 (35)
+# LAST RELEASED: 17.38.13 (35)
 # (The number in parenthesis is LIBZYPP_COMPATMINOR)
 #=======
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libzypp-17.38.11/zypp/package/libzypp.changes 
new/libzypp-17.38.13/zypp/package/libzypp.changes
--- old/libzypp-17.38.11/zypp/package/libzypp.changes   2026-05-29 
18:08:11.000000000 +0200
+++ new/libzypp-17.38.13/zypp/package/libzypp.changes   2026-06-08 
14:57:13.000000000 +0200
@@ -1,4 +1,21 @@
 -------------------------------------------------------------------
+Mon Jun  8 14:54:34 CEST 2026 - [email protected]
+
+- A .repo files "path=" entry must not refer to a location
+  outside the repo (bsc#1267874, CVE-2026-44942)
+  A "path=" entry may solely denote a sub-directory of the baseurl
+  where the metadata are located. A relative path trying to access
+  data outside the baseurl is reported and sanitized.
+- version 17.38.13 (35)
+
+-------------------------------------------------------------------
+Fri Jun  5 14:13:21 CEST 2026 - [email protected]
+
+- Repo "keyhint" must denote a filename, no path (bsc#1267426,
+  CVE-2026-44941)
+- version 17.38.12 (35)
+
+-------------------------------------------------------------------
 Fri May 29 18:07:39 CEST 2026 - [email protected]
 
 - Fix potential crash on malformed or malicious repository
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libzypp-17.38.11/zypp/zypp/RepoInfo.cc 
new/libzypp-17.38.13/zypp/zypp/RepoInfo.cc
--- old/libzypp-17.38.11/zypp/zypp/RepoInfo.cc  2026-05-12 15:30:09.000000000 
+0200
+++ new/libzypp-17.38.13/zypp/zypp/RepoInfo.cc  2026-06-08 14:57:13.000000000 
+0200
@@ -135,7 +135,7 @@
     repo::RepoType type() const
     {
       if ( _type == repo::RepoType::NONE && not metadataPath().empty() )
-        setProbedType( probeCache( metadataPath() / path ) );
+        setProbedType( probeCache( metadataPath() / _path ) );
       return _type;
     }
 
@@ -156,9 +156,9 @@
         filesystem::Glob g;
         // TODO: REPOMD: this assumes we know the name of the tarball. In fact
         // we'd need to get the file from repomd.xml (<data 
type="license[-name_r]">)
-        g.add( metadataPath() / path / ("repodata/*"+licenseStem+".tar.gz") );
+        g.add( metadataPath() / _path / ("repodata/*"+licenseStem+".tar.gz") );
         if ( g.empty() )
-          g.add( metadataPath() / path / (licenseStem+".tar.gz") );
+          g.add( metadataPath() / _path / (licenseStem+".tar.gz") );
 
         if ( !g.empty() )
           ret = *g.begin();
@@ -216,8 +216,8 @@
            && repo::RepoMirrorList::urlSupportsMirrorLink( 
*_baseUrls.transformedBegin() ) ) {
 
         mlurl = *_baseUrls.transformedBegin ();
-        if ( !path.emptyOrRoot () )
-          mlurl.setPathName(path);
+        if ( !_path.emptyOrRoot () )
+          mlurl.setPathName(_path);
         mlurl.pathNameSetTrailingSlash();
         mlurl.setQueryParam("mirrorlist", std::string() );
 
@@ -466,7 +466,7 @@
 
   public:
     TriBool keeppackages;
-    Pathname path;
+    Pathname _path;
     std::string service;
     std::string targetDistro;
 
@@ -798,7 +798,7 @@
   }
 
   void RepoInfo::setPath( const Pathname &path )
-  { _pimpl->path = path; }
+  { _pimpl->_path = path.absolutename(); /* must not refer to ../ */ }
 
   void RepoInfo::setType( const repo::RepoType &t )
   { _pimpl->setType( t ); }
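Review bot: The comment `/* must not refer to ../ */` in setPath states the intent but not the mechanism, and the mechanism is not visible in the hunk: the sanitizing relies on Pathname::absolutename() prepending '/' and (presumably) collapsing any leading `..` components, so a reader cannot tell from this line that a hostile value is actually neutralized rather than just made absolute. Suggest replacing it with `// bsc#1267874: path is stored absolute; absolutename() collapses leading '..' so the value can never climb out of the metadata/base directory it is joined onto`. Note also that this normalization is silent for every caller of setPath(), while only the RepoFileReader.cc hunk reports the original value; if other setters feed a path here, the log will not show what was rewritten. Since _path is now always absolute, the joins `metadataPath() / _path` in type() and in the license lookup hunks above depend on Pathname's operator/ treating an absolute right-hand side as an append rather than a replacement — worth confirming against Pathname::cat and pinning with a test.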
@@ -877,7 +877,7 @@
   { return _pimpl->baseUrls().raw(); }
 
   Pathname RepoInfo::path() const
-  { return _pimpl->path; }
+  { return _pimpl->_path; }
 
   std::string RepoInfo::service() const
   { return _pimpl->service; }
@@ -1120,7 +1120,7 @@
       }
     }
 
-    if ( ! _pimpl->path.empty() )
+    if ( ! path().empty() )
       str << "path="<< path() << endl;
 
     if ( ! _pimpl->cfgMirrorlistUrl().raw().asString().empty() )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libzypp-17.38.11/zypp/zypp/parser/RepoFileReader.cc 
new/libzypp-17.38.13/zypp/zypp/parser/RepoFileReader.cc
--- old/libzypp-17.38.11/zypp/zypp/parser/RepoFileReader.cc     2026-05-12 
15:30:09.000000000 +0200
+++ new/libzypp-17.38.13/zypp/zypp/parser/RepoFileReader.cc     2026-06-08 
15:13:20.000000000 +0200
@@ -10,6 +10,7 @@
  *
 */
 #include <iostream>
+#include <zypp/ZYppCallbacks.h>
 #include <zypp-core/base/LogTools.h>
 #include <zypp-core/base/String.h>
 #include <zypp-core/base/StringV.h>
@@ -157,8 +158,16 @@
             info.setEnabled( str::strToTrue( it->second ) );
           else if ( it->first == "priority" )
             info.setPriority( str::strtonum<unsigned>( it->second ) );
-          else if ( it->first == "path" )
-            info.setPath( Pathname(it->second) );
+          else if ( it->first == "path" ) {
+            Pathname location { it->second };
+            if ( location.relativeDotDot() ) {
+              // Don't accept downloadable data outside repo root
+              JobReport::warning( str::sconcat( *its,": hostile 
path=",location," => ", location.absolutename() ) );
+              pWAR( "Hostile path=", location, "=>", location.absolutename() );
+              location = location.absolutename();
+            }
+            info.setPath( location );
+          }
           else if ( it->first == "type" )
             ; // bsc#1177427 et.al.: type in a .repo file is legacy - ignore 
it and let RepoManager probe
           else if ( it->first == "autorefresh" )
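Review bot: The guard `if ( location.relativeDotDot() )` only recognises a path whose first component is `..` after Pathname construction; whether a value such as `foo/../../x` is collapsed to `../x` by the Pathname constructor before this check runs is not visible here, so the branch should either say so or the check should be made independent of that normalization. Because the RepoInfo.cc hunk makes setPath() normalize via absolutename() anyway, this block's actual job is reporting, and the comment should reflect that so a future cleanup does not drop it as redundant: `// Don't accept downloadable data outside repo root. setPath() normalizes as well; this branch exists to report the hostile value to the user and the log before it is rewritten.` The enclosing parse loop starts and ends outside the hunk.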
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/libzypp-17.38.11/zypp/zypp/parser/yum/RepomdFileReader.cc 
new/libzypp-17.38.13/zypp/zypp/parser/yum/RepomdFileReader.cc
--- old/libzypp-17.38.11/zypp/zypp/parser/yum/RepomdFileReader.cc       
2026-05-27 17:50:41.000000000 +0200
+++ new/libzypp-17.38.13/zypp/zypp/parser/yum/RepomdFileReader.cc       
2026-06-05 14:14:03.000000000 +0200
@@ -233,7 +233,8 @@
       if ( tag.compare( 0,10,"gpg-pubkey" ) != 0 )
         continue;
 
-      static const str::regex rx( 
"^(gpg-pubkey([^?]*))(\\?fpr=([[:xdigit:]]{8,}))?$" );
+      // bsc#1267426: Do not accept a '/' in keyfile. It must not be a path.
+      static const str::regex rx( 
"^(gpg-pubkey([^/?]*))(\\?fpr=([[:xdigit:]]{8,}))?$" );
       str::smatch what;
       if ( str::regex_match( tag.c_str(), what, rx ) ) {
         std::string keyfile { what[1] };
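Review bot: The tightened regex rejects a literal '/' in the keyfile, but an entry that fails to match falls out of the visible `if ( str::regex_match(...) )` without any log line, so a repomd.xml that triggers the bsc#1267426 case is silently skipped rather than made visible to the operator. Suggest adding the rejection to the log, e.g. `else WAR << "Ignoring malformed gpg-pubkey entry: " << tag << endl;` (the else branch lies outside the hunk, so its current shape is inferred). The comment should also carry the CVE id from the changelog alongside the bug number, since that is what an auditor will search for: `// bsc#1267426, CVE-2026-44941: Do not accept a '/' in keyfile. It must not be a path.` If `tag` is ever percent-decoded before the keyfile is joined onto a URL or path, an encoded separator would pass this character-class check; worth confirming at the point of use, or validating the decoded name there as well. The enclosing loop and function begin and end outside the hunk.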
