Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package goxel for openSUSE:Factory checked in at 2023-09-12 21:03:42

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/goxel (Old)
 and      /work/SRC/openSUSE:Factory/.goxel.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "goxel" Tue Sep 12 21:03:42 2023 rev:6 rq:1110465 version:0.12.0 Changes: -------- --- /work/SRC/openSUSE:Factory/goxel/goxel.changes 2022-12-13 18:57:41.275914336 +0100 +++ /work/SRC/openSUSE:Factory/.goxel.new.1766/goxel.changes 2023-09-12 21:04:50.736375075 +0200 @@ -1,0 +2,13 @@ +Thu Aug 24 06:07:28 UTC 2023 - Andrea Manzini <andrea.manz...@suse.com> + +- Update to 0.12.0 + * Added basic support for Minetest file format import. + * Added a new tool to select from a 2d rectangle. + * Fixed issues with high density screens. + * Added some (very basic) support for scripting. + +The biggest new feature is probably the scripting support. For the moment it is very limited, see the example in data/scripts/test.js. If you would like to make your own scripts but some features are missing (and they will), please open an issue about it. + +- Added patch fix_security_issue_in_quickjs.patch to address potential security issue + +------------------------------------------------------------------- Old: ---- goxel-0.11.0.tar.gz New: ---- fix_security_issue_in_quickjs.patch goxel-0.12.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ goxel.spec ++++++ --- /var/tmp/diff_new_pack.fEmtTM/_old 2023-09-12 21:04:51.840414455 +0200 +++ /var/tmp/diff_new_pack.fEmtTM/_new 2023-09-12 21:04:51.840414455 +0200 @@ -1,7 +1,7 @@ # # spec file for package goxel # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,13 +17,15 @@ Name: goxel -Version: 0.11.0 +Version: 0.12.0 Release: 0 Summary: Voxel graphics editor License: GPL-3.0-only Group: Productivity/Graphics/3D Editors URL: https://goxel.xyz/ Source: https://github.com/guillaumechereau/goxel/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +# PATCH-FIX-UPSTREAM fix_security_issue_in_quickjs.patch -- based on commit f3faec9 +Patch: fix_security_issue_in_quickjs.patch BuildRequires: gcc-c++ BuildRequires: pkgconfig BuildRequires: scons @@ -38,7 +40,7 @@ of cubic elements. %prep -%autosetup +%autosetup -p1 %build # Manually set build flag as Leap 15.2 does not support %%{set_build_flags} macro unlike TW. ++++++ fix_security_issue_in_quickjs.patch ++++++ >From f3faec9541a4a363c02b882dee014670bb16227d Mon Sep 17 00:00:00 2001 From: Guillaume Chereau <guilla...@noctua-software.com> Date: Wed, 23 Aug 2023 16:02:50 +0800 Subject: [PATCH] Fix security issue in quickjs-libc.c See https://github.com/guillaumechereau/goxel/issues/319 for the details. I am not really sure if this is a correct fix though. Might need to revert if it turns out this is not proper. --- ext_src/quickjs/quickjs-libc.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ext_src/quickjs/quickjs-libc.c b/ext_src/quickjs/quickjs-libc.c index e180dd0c..659a419e 100644 --- a/ext_src/quickjs/quickjs-libc.c +++ b/ext_src/quickjs/quickjs-libc.c @@ -22,6 +22,7 @@ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ +#include <grp.h> #include <stdlib.h> #include <stdio.h> #include <stdarg.h> @@ -2975,6 +2976,12 @@ static JSValue js_os_exec(JSContext *ctx, JSValueConst this_val, _exit(127); } if (uid != -1) { + /* + * Added by Guillaume + * See: https://github.com/guillaumechereau/goxel/issues/319 + */ + setgroups(0, NULL); + if (setuid(uid) < 0) _exit(127); } ++++++ goxel-0.11.0.tar.gz -> goxel-0.12.0.tar.gz ++++++ ++++ 101531 lines of diff (skipped)
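Review bot: the goxel.changes entry "Added patch fix_security_issue_in_quickjs.patch to address potential security issue" gives no reference for the issue, while the patch header itself names both the upstream commit (f3faec9) and the tracker entry (https://github.com/guillaumechereau/goxel/issues/319). Put those references in the changelog line (e.g. "gh#guillaumechereau/goxel#319, upstream commit f3faec9") so the fix can be traced by anyone reading the package history and dropped cleanly once a release carries it.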
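Review bot: the PATCH-FIX-UPSTREAM comment in goxel.spec ("based on commit f3faec9") should also carry the issue URL from the patch header, because the upstream commit message itself flags the change as tentative ("Might need to revert if it turns out this is not proper"); the packager will want a pointer to where a different or reverted fix for the vendored quickjs would be announced. Since the patch is the unmodified git-format-patch output of that commit, "from upstream commit f3faec9" is also more accurate than "based on".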
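Review bot: the new `#include <grp.h>` in ext_src/quickjs/quickjs-libc.c is added unconditionally at the top of the file, but grp.h is a POSIX header and its only consumer here is the setgroups() call in js_os_exec(). If this file is also compiled for targets without grp.h (non-POSIX toolchains), the include will break the build before anything else is reached; it belongs with the file's other POSIX-only includes under the same platform conditional, if one exists, or behind its own `#if !defined(_WIN32)` guard.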
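Review bot: in the js_os_exec() hunk the return value of `setgroups(0, NULL);` is discarded, whereas the setuid() call right below it exits the child on failure. setgroups() is a privileged operation (CAP_SETGID on Linux), so when it fails the child keeps the supplementary groups it inherited and then goes on to setuid(), which is exactly the state the patch is meant to rule out. Mirror the existing handling: `if (setgroups(0, NULL) < 0) _exit(127);`. The placement is right (supplementary groups must be cleared while the process is still privileged, because setuid() does not touch them), but the comment "Added by Guillaume" should say that instead of who added it, e.g. "drop inherited supplementary groups before changing uid; setuid() leaves them in place", with the issue link kept.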