Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-python-rpm-spec for
openSUSE:Factory checked in at 2023-09-14 16:26:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-python-rpm-spec (Old)
and /work/SRC/openSUSE:Factory/.python-python-rpm-spec.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-python-rpm-spec"
Thu Sep 14 16:26:00 2023 rev:6 rq:1111023 version:0.14.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-python-rpm-spec/python-python-rpm-spec.changes 2020-11-23 10:46:03.822336801 +0100
+++ /work/SRC/openSUSE:Factory/.python-python-rpm-spec.new.1766/python-python-rpm-spec.changes 2023-09-14 16:28:56.129590776 +0200
@@ -1,0 +2,44 @@
+Wed Sep 13 15:17:43 UTC 2023 - Martin Schreiner <[email protected]>
+
+- Replace the contents of avoid-DoS-on-carefully-crafted-spec-files.patch
+ with a backwards-compatible patch, written by David Anes.
+
+-------------------------------------------------------------------
+Wed Sep 13 06:08:44 UTC 2023 - Martin Schreiner <[email protected]>
+
+- Add avoid-DoS-on-carefully-crafted-spec-files.patch.
+- Update to v0.14.1:
+ - Changes from v0.14.1:
+ - Fix replace_macro's behavior with user-defined conditional
+ macros.
+ - The parsing of package names was wrong when tab characters where
+ used in %package.
+ - Implement parsing of spec files where sub-packages (%package)
+ have their own sources and patches defined. Previously, the
+ parser would just fail with an error message like
+ AttributeError: 'Package' object has no attribute
+ 'sources'. This is now fixed.
+ - Use SemVer for versioning. git tags are now prefixed with v,
+ e.g. v0.15.0 instead of 0.15.0.
+ - Changes from v0.14:
+ - Teach replace_macro how to deal with macros that are not wrapped
+ in curly braces.
+ - Add type annotations for tools like mypy, your IDE, and your
+ brain.
+ - Changes from v0.13:
+ - Fix parsing of BuildRequires:, Requires:, Conflicts:,
+ Obsoletes:, Provides: with comments at end of line..
+ - Add CI for Python 3.11.
+ - Changes from v0.12:
+ - Fix %description and %changelog with multi-line strings.
+ - Changes from v0.11:
+ - Add type annotations for tools like mypy, your IDE, and your
+ brain.
+ - replace_macros() function now always expects a Spec instance as
+ second argument. Does not make much sense without.
+ - Add support for parsing %description and %changelog.
+ - Add support for ExcludeArch and ExclusiveArch.
+ - Add warnings_enabled knob to issue warnings of type UserWarning
+ during spec file parsing.
+
+-------------------------------------------------------------------
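Review bot: neither the Sep 13 15:17 entry nor the "Add avoid-DoS-on-carefully-crafted-spec-files.patch." entry cites bsc#1215274, although the Patch0 comment in the spec does; openSUSE changelog convention is to put the bug reference in the .changes entry so the security fix stays traceable from the package changelog, e.g. "- Add avoid-DoS-on-carefully-crafted-spec-files.patch (bsc#1215274)." Minor: "tab characters where used" in the v0.14.1 notes should read "were used".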
Old:
----
python-rpm-spec-0.10.tar.gz
New:
----
avoid-DoS-on-carefully-crafted-spec-files.patch
python-rpm-spec-0.14.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-python-rpm-spec.spec ++++++
--- /var/tmp/diff_new_pack.hxEb5D/_old 2023-09-14 16:28:57.337633932 +0200
+++ /var/tmp/diff_new_pack.hxEb5D/_new 2023-09-14 16:28:57.341634075 +0200
@@ -1,7 +1,7 @@
#
# spec file for package python-python-rpm-spec
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,15 +17,21 @@
%define skip_python2 1
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-python-rpm-spec
-Version: 0.10
+Version: 0.14.1
Release: 0
Summary: Python module for parsing RPM spec files
License: MIT
Group: Development/Libraries/Python
URL: https://github.com/bkircher/python-rpm-spec
Source0:
https://files.pythonhosted.org/packages/source/p/python-rpm-spec/python-rpm-spec-%{version}.tar.gz
+# PATCH-FIX-OPENSUSE avoid-DoS-on-carefully-crafted-spec-files.patch
bsc#1215274
+# this patch fixes an endless loop that could be triggered by carefully
crafting
+# a malicious RPM spec file that uses macro expansions, causing a
denial-of-service
+# PR to upstream code here: https://github.com/bkircher/python-rpm-spec/pull/62
+Patch0: avoid-DoS-on-carefully-crafted-spec-files.patch
+BuildRequires: %{python_module flit}
+BuildRequires: %{python_module pip}
BuildRequires: %{python_module pytest}
BuildRequires: %{python_module setuptools}
BuildRequires: fdupes
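Review bot: with the build switched to %pyproject_wheel and flit/pip added as BuildRequires, the remaining "BuildRequires: %{python_module setuptools}" looks like a leftover from the %python_build era; if the upstream pyproject.toml declares flit as its build backend, drop it. The Patch0 comment block is good (bug reference, one-line description, upstream PR link); once pull/62 is merged upstream the marker should be changed from PATCH-FIX-OPENSUSE to PATCH-FIX-UPSTREAM.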
@@ -42,12 +48,13 @@
%prep
%setup -q -n python-rpm-spec-%{version}
+%patch0 -p1
%build
-%python_build
+%pyproject_wheel
%install
-%python_install
+%pyproject_install
%python_expand %fdupes %{buildroot}%{$python_sitelib}
%check
@@ -56,5 +63,6 @@
%files %{python_files}
%doc CHANGELOG* README*
%license LICENSE*
-%{python_sitelib}/*
+%{python_sitelib}/python_rpm_spec-%{version}*-info
+%{python_sitelib}/pyrpm
++++++ avoid-DoS-on-carefully-crafted-spec-files.patch ++++++
diff --git a/pyrpm/spec.py b/pyrpm/spec.py
index 42515bf..1a290ba 100644
--- a/pyrpm/spec.py
+++ b/pyrpm/spec.py
@@ -490,7 +490,7 @@ def from_string(cls, string: str) -> "Spec":
return spec
-def replace_macros(string: str, spec: Spec) -> str:
+def replace_macros(string: str, spec: Spec, max_attempts: int = 1000) -> str:
"""Replace all macros in given string with corresponding values.
For example, a string '%{name}-%{version}.tar.gz' will be transformed to
'foo-2.0.tar.gz'.
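Review bot: the new max_attempts parameter is not documented; the visible docstring still only describes the expansion example. Add a short entry such as "max_attempts: upper bound on expansion passes; expansion stops after this many iterations so that self-referential or mutually recursive macro definitions cannot loop forever", and state what the caller gets back when the bound is hit.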
@@ -555,9 +555,13 @@ def get_replacement_string(match: re.Match) -> str:
# Recursively expand macros
# Note: If macros are not defined in the spec file, this won't try to
# expand them.
- while True:
+ attempt = 0
+ ret = ""
+ while attempt < max_attempts:
+ attempt += 1
ret = re.sub(_macro_pattern, get_replacement_string, string)
if ret != string:
string = ret
continue
- return ret
+ break
+ return ret
\ No newline at end of file
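Review bot: when the loop exits because attempt reached max_attempts while ret was still changing, the function returns a partially expanded string and the caller cannot distinguish it from a fully expanded one; consider raising (e.g. a ValueError) or at least emitting a UserWarning, which the package's existing warnings_enabled knob already supports, so a spec that hits the bound is surfaced rather than silently truncated. Also, initializing `ret = ""` means a call with max_attempts <= 0 returns the empty string instead of the unexpanded input; use `ret = string` instead, since the assignment inside the loop overwrites it on the first pass anyway.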
++++++ python-rpm-spec-0.10.tar.gz -> python-rpm-spec-0.14.1.tar.gz ++++++
++++ 8033 lines of diff (skipped)