Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package binwalk for openSUSE:Factory checked in at 2023-01-30 17:11:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/binwalk (Old) and /work/SRC/openSUSE:Factory/.binwalk.new.32243 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "binwalk" Mon Jan 30 17:11:18 2023 rev:10 rq:1062014 version:2.3.3 Changes: --------
--- /work/SRC/openSUSE:Factory/binwalk/binwalk.changes 2021-09-11 22:24:59.711414092 +0200
+++ /work/SRC/openSUSE:Factory/.binwalk.new.32243/binwalk.changes 2023-01-30 17:19:55.131429023 +0100
@@ -1,0 +2,5 @@
+Mon Jan 30 09:18:51 UTC 2023 - Boris Manojlovic <bo...@steki.net>
+
+- add CVE-2022-4510 patch file: CVE-2022-4510.patch
+
+-------------------------------------------------------------------
New: ---- CVE-2022-4510.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ binwalk.spec ++++++
--- /var/tmp/diff_new_pack.6E7elW/_old 2023-01-30 17:19:56.183434693 +0100
+++ /var/tmp/diff_new_pack.6E7elW/_new 2023-01-30 17:19:56.191434736 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package binwalk
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,6 +23,8 @@
 License: MIT
 URL: https://github.com/devttys0/binwalk
 Source: https://github.com/devttys0/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM CVE-2022-4510.patch CVE-2022-4510 fix from upstream
+Patch0: CVE-2022-4510.patch
 BuildRequires: fdupes
 BuildRequires: help2man
 BuildRequires: python-rpm-macros
@@ -73,6 +75,7 @@
 %prep
 %setup -q
+%patch0
 %build
 %python3_build
++++++ CVE-2022-4510.patch ++++++
Index: src/binwalk/plugins/unpfs.py
===================================================================
--- src/binwalk/plugins/unpfs.py.orig 2021-09-10 19:46:40.000000000 +0200
+++ src/binwalk/plugins/unpfs.py 2023-01-30 10:17:15.441077931 +0100
@@ -104,7 +104,7 @@ class PFSExtractor(binwalk.core.plugin.P
 data = binwalk.core.common.BlockFile(fname, 'rb')
 data.seek(fs.get_end_of_meta_data())
 for entry in fs.entries():
- outfile_path = os.path.join(out_dir, entry.fname)
+ outfile_path = os.path.abspath(os.path.join(out_dir, entry.fname))
 if not outfile_path.startswith(out_dir):
 binwalk.core.common.warning("Unpfs extractor detected directory traversal attempt for file: '%s'. Refusing to extract." % outfile_path)
 else:
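Review bot: The containment test `outfile_path.startswith(out_dir)` on the line after the change is a plain string-prefix comparison, so a normalised path in a sibling directory whose name merely begins with the same characters as `out_dir` still passes it. Comparing path components closes that gap: `if os.path.commonpath([out_dir, outfile_path]) != out_dir:`, with `out_dir` itself passed through `os.path.abspath` once before the loop; where `out_dir` is assigned is outside this hunk, so whether it is already absolute cannot be confirmed here. `os.path.abspath` also does not resolve symbolic links, so if the extraction directory can contain links created earlier, `os.path.realpath` on both sides is the stricter choice. The enclosing method starts and ends outside the hunk.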