Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package testng for openSUSE:Factory checked in at 2022-11-22 16:11:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/testng (Old) and /work/SRC/openSUSE:Factory/.testng.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "testng" Tue Nov 22 16:11:00 2022 rev:4 rq:1037286 version:7.4.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/testng/testng.changes 2022-05-25 20:35:42.408323474 +0200
+++ /work/SRC/openSUSE:Factory/.testng.new.1597/testng.changes 2022-11-22 16:11:03.634297150 +0100
@@ -1,0 +2,9 @@
+Tue Nov 22 12:13:04 UTC 2022 - Fridrich Strba <fst...@suse.com>
+
+- Added patch:
+ * testng-CVE-2022-4065.patch
+ + Issues in sanitization of zip files could lead to path
+ traversal and potentially code execution (bsc#1205628,
+ CVE-2022-4065)
+
+-------------------------------------------------------------------
New:
----
testng-CVE-2022-4065.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ testng.spec ++++++
--- /var/tmp/diff_new_pack.XaB8V3/_old 2022-11-22 16:11:04.362300844 +0100
+++ /var/tmp/diff_new_pack.XaB8V3/_new 2022-11-22 16:11:04.366300864 +0100
@@ -28,6 +28,7 @@
 Source2: %{name}-build.xml
 Patch0: 0001-Avoid-accidental-javascript-in-javadoc.patch
 Patch1: 0002-Replace-bundled-jquery-with-CDN-link.patch
+Patch2: testng-CVE-2022-4065.patch
 BuildRequires: ant
 BuildRequires: beust-jcommander
 BuildRequires: bsh2
@@ -59,6 +60,7 @@
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 sed 's/@VERSION@/%{version}/' %{SOURCE1} > pom.xml
 cp %{SOURCE2} build.xml
++++++ testng-CVE-2022-4065.patch ++++++
diff --git a/src/main/java/org/testng/JarFileUtils.java b/src/main/java/org/testng/JarFileUtils.java
index 683a8b5..2f2ed8f 100644
--- a/src/main/java/org/testng/JarFileUtils.java
+++ b/src/main/java/org/testng/JarFileUtils.java
@@ -77,6 +77,9 @@ class JarFileUtils {
 if (Parser.canParse(jeName.toLowerCase())) {
 InputStream inputStream = jf.getInputStream(je);
 File copyFile = new File(file, jeName);
+ if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 Files.copyFile(inputStream, copyFile);
 if (matchesXmlPathInJar(je)) {
 suitePath = copyFile.toString();
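Review bot: The containment check sits after `InputStream inputStream = jf.getInputStream(je);`, so when the new `IOException` is thrown the entry stream has already been opened and is released only if the caller closes `jf`, which is not visible in this hunk. Building `copyFile` and running the guard before opening the stream avoids that, i.e. move `File copyFile = new File(file, jeName);` and the `if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize()))` block above the `getInputStream` call. The message would be more useful for triage if it named the rejected entry, `throw new IOException("Bad zip entry: " + jeName);`. `normalize()` is purely lexical and does not resolve symbolic links, so the guard presumes the extraction directory `file` contains none; a one-line comment stating that assumption would help the next reader. The enclosing method starts and ends outside the hunk.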