Hello community,

here is the log from the commit of package yast2-ruby-bindings for openSUSE:Factory checked in at 2018-12-31 09:44:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/yast2-ruby-bindings (Old)
 and      /work/SRC/openSUSE:Factory/.yast2-ruby-bindings.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "yast2-ruby-bindings"

Mon Dec 31 09:44:42 2018 rev:91 rq:659955 version:4.1.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/yast2-ruby-bindings/yast2-ruby-bindings.changes  2018-11-01 19:03:39.734011296 +0100
+++ /work/SRC/openSUSE:Factory/.yast2-ruby-bindings.new.28833/yast2-ruby-bindings.changes       2018-12-31 09:44:43.834298112 +0100
@@ -1,0 +2,7 @@
+Tue Dec 18 15:30:14 UTC 2018 - jlo...@suse.com
+
+- Configure $PATH environment variable to execute external commands
+  only from safe paths (part of bsc#1118291).
+- 4.1.1
+
+-------------------------------------------------------------------
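Review bot: the entry says "only from safe paths" without naming them; since y2start now hard-sets $PATH to `/sbin:/usr/sbin:/usr/bin:/bin`, any command an administrator installed under /usr/local/bin, /usr/local/sbin or a custom $PATH entry will no longer be found by YaST-spawned processes. The changelog should state the fixed list so packagers and admins can spot that behavioural change when triaging bsc#1118291 fallout.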

Old:
----
  yast2-ruby-bindings-4.1.0.tar.bz2

New:
----
  yast2-ruby-bindings-4.1.1.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ yast2-ruby-bindings.spec ++++++
--- /var/tmp/diff_new_pack.Mvkw0g/_old  2018-12-31 09:44:44.170297837 +0100
+++ /var/tmp/diff_new_pack.Mvkw0g/_new  2018-12-31 09:44:44.170297837 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-ruby-bindings
-Version:        4.1.0
+Version:        4.1.1
 Release:        0
 Url:            https://github.com/yast/yast-ruby-bindings
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

++++++ yast2-ruby-bindings-4.1.0.tar.bz2 -> yast2-ruby-bindings-4.1.1.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-ruby-bindings-4.1.0/package/yast2-ruby-bindings.changes new/yast2-ruby-bindings-4.1.1/package/yast2-ruby-bindings.changes
--- old/yast2-ruby-bindings-4.1.0/package/yast2-ruby-bindings.changes   2018-10-23 16:03:14.000000000 +0200
+++ new/yast2-ruby-bindings-4.1.1/package/yast2-ruby-bindings.changes   2018-12-19 09:24:47.000000000 +0100
@@ -1,4 +1,11 @@
 -------------------------------------------------------------------
+Tue Dec 18 15:30:14 UTC 2018 - jlo...@suse.com
+
+- Configure $PATH environment variable to execute external commands
+  only from safe paths (part of bsc#1118291).
+- 4.1.1
+
+-------------------------------------------------------------------
 Tue Oct 23 09:52:53 UTC 2018 - jreidin...@suse.com
 
 - Fix encoding-related problems by assuming that file contents is
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-ruby-bindings-4.1.0/package/yast2-ruby-bindings.spec new/yast2-ruby-bindings-4.1.1/package/yast2-ruby-bindings.spec
--- old/yast2-ruby-bindings-4.1.0/package/yast2-ruby-bindings.spec      2018-10-23 16:03:14.000000000 +0200
+++ new/yast2-ruby-bindings-4.1.1/package/yast2-ruby-bindings.spec      2018-12-19 09:24:47.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           yast2-ruby-bindings
-Version:        4.1.0
+Version:        4.1.1
 Url:            https://github.com/yast/yast-ruby-bindings
 Release:        0
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-ruby-bindings-4.1.0/src/ruby/yast/y2start_helpers.rb new/yast2-ruby-bindings-4.1.1/src/ruby/yast/y2start_helpers.rb
--- old/yast2-ruby-bindings-4.1.0/src/ruby/yast/y2start_helpers.rb      2018-10-23 16:03:14.000000000 +0200
+++ new/yast2-ruby-bindings-4.1.1/src/ruby/yast/y2start_helpers.rb      2018-12-19 09:24:47.000000000 +0100
@@ -1,5 +1,17 @@
 module Yast
   module Y2StartHelpers
+    # Configure global environment for YaST
+    #
+    # Currently it only sets values for $PATH.
+    #
+    # By configuring $PATH, it ensures that correct external programs are 
executed when
+    # relative paths are given, so possible CVEs are avoided when running YaST.
+    #
+    # Note that forked processes will inherit the environment configuration, 
for example
+    # when executing commands via SCR or Cheetah.
+    def self.config_env
+      ENV["PATH"] = "/sbin:/usr/sbin:/usr/bin:/bin"
+    end
 
     # Parses ARGV of y2start. it returns map with keys:
     #
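Review bot: the docstring of `config_env` is inaccurate where it says "when relative paths are given": $PATH lookup only applies to a bare command name without a slash (`ip`, `rpm`), whereas an explicit relative path such as `./ip` is resolved against the current directory regardless of $PATH, so reword it to "when commands are given by bare name". "so possible CVEs are avoided" is also too vague for a security-motivated change; say what is prevented, namely a caller's $PATH placing a writable or attacker-controlled directory ahead of the system directories. Since the comment already states that only $PATH is set, add that other inherited variables which influence a forked process (LD_PRELOAD, LD_LIBRARY_PATH, RUBYLIB, RUBYOPT) are deliberately left untouched, or reset them here as well, and mention that the hard-coded `"/sbin:/usr/sbin:/usr/bin:/bin"` drops /usr/local/sbin and /usr/local/bin, which is a visible behavioural change for systems that rely on them.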
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-ruby-bindings-4.1.0/src/y2start/y2start new/yast2-ruby-bindings-4.1.1/src/y2start/y2start
--- old/yast2-ruby-bindings-4.1.0/src/y2start/y2start   2018-10-23 16:03:14.000000000 +0200
+++ new/yast2-ruby-bindings-4.1.1/src/y2start/y2start   2018-12-19 09:24:47.000000000 +0100
@@ -13,6 +13,10 @@
 
 Yast::Y2StartHelpers.setup_signals
 
+# Configure global YaST environment. For example, it sets $PATH to ensure that
+# external commands are only executed from safe paths.
+Yast::Y2StartHelpers.config_env
+
 File.umask(0o022)
 
 Yast.y2milestone("y2base called with #{ARGV.inspect}")
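Review bot: `Yast::Y2StartHelpers.config_env` is called only after `setup_signals` and the dozen-odd lines that precede the hunk (it lands at line 16 of y2start), so every `require` needed to load the bindings and anything else executed before this point still runs with the caller's unmodified $PATH. Move the call to the first statement of the script, before the requires, so no Ruby code runs with the inherited value; if it has to stay after `setup_signals` for a reason, state that reason in the comment above the call.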

