Hello community, here is the log from the commit of package cobbler for openSUSE:Factory checked in at 2017-10-06 11:05:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cobbler (Old) and /work/SRC/openSUSE:Factory/.cobbler.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cobbler" Fri Oct 6 11:05:01 2017 rev:39 rq:531790 version:2.6.6 Changes: --------
--- /work/SRC/openSUSE:Factory/cobbler/cobbler.changes 2017-08-10 14:12:48.146545999 +0200
+++ /work/SRC/openSUSE:Factory/.cobbler.new/cobbler.changes 2017-10-06 11:05:06.174347953 +0200
@@ -1,0 +2,14 @@
+Thu Oct 5 15:10:39 UTC 2017 - [email protected]
+
+- fix script endpoint security bug CVE-2016-9605 (bsc#1030582)
+ Add:
+ * fix-script-endpoint-security-bug-1030582.patch
+
+-------------------------------------------------------------------
+Wed Oct 4 13:53:18 UTC 2017 - [email protected]
+
+- fix setup.py to identify SUSE OS correctly bsc#1046679
+ Added:
+ * fix-os-release.patch
+
+-------------------------------------------------------------------
New: ---- fix-os-release.patch fix-script-endpoint-security-bug-1030582.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cobbler.spec ++++++
--- /var/tmp/diff_new_pack.kbtPiF/_old 2017-10-06 11:05:09.237884603 +0200
+++ /var/tmp/diff_new_pack.kbtPiF/_new 2017-10-06 11:05:09.273879159 +0200
@@ -17,7 +17,9 @@
 %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
+%if 0%{?fedora} >= 11 || 0%{?rhel} >= 6
 %{!?pyver: %define pyver %(%{__python} -c "import sys ; print sys.version[:3]" || echo 0)}
+%endif
 %if 0%{?suse_version}
 %define www_path /srv/
@@ -65,6 +67,10 @@
 Patch21: update-outdated-apache-config-bsc956264.patch
 # PATCH-FIX-OPENSUSE fix-cobbler-loaders-server-bsc980577.patch bsc#980577 [email protected]
 Patch22: fix-cobbler-loaders-server-bsc980577.patch
+# PATCH-FIX-UPSTREAM https://github.com/cobbler/cobbler/pull/1840 (not merged yet)
+Patch23: fix-os-release.patch
+# PATCH-FIX-UPSTREAM https://github.com/cobbler/cobbler/pull/1811 (not merged yet)
+Patch24: fix-script-endpoint-security-bug-1030582.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildArch: noarch
@@ -178,6 +184,8 @@
 %patch20 -p1
 %patch21 -p0
 %patch22 -p0
+%patch23 -p1
+%patch24 -p1
 mv vendor-files/cobbler.1.gz docs
++++++ fix-os-release.patch ++++++
Index: cobbler-2.6.6/setup.py
===================================================================
--- cobbler-2.6.6.orig/setup.py
+++ cobbler-2.6.6/setup.py
@@ -508,6 +508,18 @@ class savestate(statebase):
 self._copy(os.path.join(etcpath, 'rsync.template'), self.statepath)
+def parse_os_release():
+ out = {}
+ osreleasepath = "/etc/os-release"
+ if os.path.exists(osreleasepath):
+ with open(osreleasepath, 'rb') as os_release:
+ out.update(
+ map(
+ lambda line: [it.strip('"\n') for it in line.split('=', 1)],
+ [line for line in os_release.xreadlines() if not line.startswith('#')]
+ )
+ )
+ return out
@@ -526,7 +538,13 @@ if __name__ == "__main__":
 logpath = "/var/log/"
 statepath = "/tmp/cobbler_settings/devinstall"
- if os.path.exists("/etc/SuSE-release"):
+ os_release = parse_os_release()
+ suse_release = (
+ os.path.exists("/etc/SuSE-release") or
+ os_release.get('ID_LIKE', '').lower() == 'suse'
+ )
+
+ if suse_release:
 webconfig = "/etc/apache2/conf.d"
 webroot = "/srv/www/"
 http_user = "wwwrun"
++++++ fix-script-endpoint-security-bug-1030582.patch ++++++
Index: cobbler-2.6.6/cobbler/pxegen.py
===================================================================
--- cobbler-2.6.6.orig/cobbler/pxegen.py
+++ cobbler-2.6.6/cobbler/pxegen.py
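Review bot: In setup.py, `parse_os_release()` raises `ValueError` from `out.update(...)` as soon as `/etc/os-release` contains a blank line or any other line without `=`, because `line.split('=', 1)` then yields a one-element list and only `#` comments are filtered out. Filtering on the separator as well keeps setup.py from aborting on such a file: `[line for line in os_release.xreadlines() if '=' in line and not line.startswith('#')]`. The `strip('"\n')` call also leaves single-quoted values quoted, which the os-release format permits, so a short comment stating that only double-quoted values are unquoted would help the next reader.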
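Review bot: In setup.py, the `ID_LIKE` test inside the `suse_release` expression uses exact equality, but `ID_LIKE` is a space-separated list of identifiers, so a value with more than one entry (for example `opensuse suse`) would not match and the installer would fall through to the non-SUSE paths. Splitting the value is enough: `'suse' in os_release.get('ID_LIKE', '').lower().split()`. The enclosing `if __name__ == "__main__":` block starts and ends outside this hunk.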
@@ -1256,9 +1256,16 @@ class PXEGen:
 else:
 blended['img_path'] = os.path.join("/images",distro.name)
- template = os.path.normpath(os.path.join("/var/lib/cobbler/scripts",script_name))
- if not os.path.exists(template):
- return "# script template %s not found" % script_name
+ scripts_path = "/var/lib/cobbler/scripts"
+ template = os.path.normpath(os.path.join(scripts_path,script_name))
+
+ available_scripts = []
+ for root, folders, files in os.walk(scripts_path):
+ for file in files:
+ available_scripts.append(os.path.join(root, file))
+
+ if not template in available_scripts:
+ return "# script %s not found" % script_name
 template_fh = open(template)
 template_data = template_fh.read()
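Review bot: The containment check compares path strings from `os.walk` without resolving symlinks, so a symlinked file inside `/var/lib/cobbler/scripts` still passes and is then opened by `open(template)`; it also re-walks the whole directory tree on every request. Resolving both paths and testing the prefix gives the same confinement with one stat: `base = os.path.realpath(scripts_path)`, `template = os.path.realpath(os.path.join(base, script_name))`, `if not template.startswith(base + os.sep) or not os.path.isfile(template):`. If the walk is kept, `template not in available_scripts` reads better than `not template in ...`, and the loop variable `file` shadows the Python 2 builtin. The enclosing method starts and ends outside this hunk, so how `script_name` is validated before this point is not visible here.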
