Hello community, here is the log from the commit of package zim for openSUSE:Factory checked in at 2020-04-16 23:06:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/zim (Old) and /work/SRC/openSUSE:Factory/.zim.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zim" Thu Apr 16 23:06:54 2020 rev:5 rq:794605 version:0.72.1 Changes: --------
--- /work/SRC/openSUSE:Factory/zim/zim.changes 2019-09-21 17:29:54.284736283 +0200
+++ /work/SRC/openSUSE:Factory/.zim.new.2738/zim.changes 2020-04-16 23:06:57.803872952 +0200
@@ -1,0 +2,8 @@
+Tue Mar 24 13:44:28 UTC 2020 - Wolfgang Frisch <[email protected]>
+
+- Update to version 0.72.1:
+ + Update translations & documentation
+- CVE-2020-10870: Fixed a denial-of-service via predictable temporary directories (bsc#1167519).
+ zim-CVE-2020-10870-tempdir.patch
+
+-------------------------------------------------------------------
Old: ---- zim-0.72.0.tar.gz New: ---- zim-0.72.1.tar.gz zim-CVE-2020-10870-tempdir.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ zim.spec ++++++
--- /var/tmp/diff_new_pack.owCfuZ/_old 2020-04-16 23:06:58.539873607 +0200
+++ /var/tmp/diff_new_pack.owCfuZ/_new 2020-04-16 23:06:58.543873611 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package zim
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 # Copyright (c) 2012 Matthias Propst.
 #
 # All modifications and additions to the file contributed by third parties
@@ -20,13 +20,14 @@
 %define skip_python2 1
 Name: zim
-Version: 0.72.0
+Version: 0.72.1
 Release: 0
 Summary: A Desktop Wiki
 License: GPL-2.0-or-later
 Group: Productivity/Office/Organizers
-Url: http://zim-wiki.org
-Source: http://zim-wiki.org/downloads/%{name}-%{version}.tar.gz
+URL: https://zim-wiki.org
+Source: https://zim-wiki.org/downloads/%{name}-%{version}.tar.gz
+Patch0: zim-CVE-2020-10870-tempdir.patch
 BuildRequires: fdupes
 # For directory ownership
 BuildRequires: %{python_module gobject >= 3.2}
@@ -62,6 +63,7 @@
 %lang_package
 %prep
 %setup -q
+%patch00000 -p1
 %build
 python3 setup.py build
++++++ zim-0.72.0.tar.gz -> zim-0.72.1.tar.gz ++++++
++++ 3445 lines of diff (skipped)
++++++ zim-CVE-2020-10870-tempdir.patch ++++++
>From 745bb80f081ee99569df57be30ed17e666510040 Mon Sep 17 00:00:00 2001
From: Mike Salvatore <[email protected]>
Date: Fri, 6 Mar 2020 16:52:59 -0500
Subject: [PATCH] Create temporary directory with tempfile.mkdtemp()
Fixes #1028
---
 zim/fs.py | 23 +++++------------------
 1 file changed, 5 insertions(+), 18 deletions(-)
diff --git a/zim/fs.py b/zim/fs.py
index 84f00944..8f591bb2 100644
--- a/zim/fs.py
+++ b/zim/fs.py
@@ -18,6 +18,7 @@
 import re
 import sys
 import shutil
+import tempfile
 import errno
 import logging
@@ -120,26 +121,12 @@ def get_tmpdir():
 Used as base folder by L{TmpFile}.
 @returns: a L{Dir} object for the zim specific tmp folder
 '''
- # We encode the user name using urlencoding to remove any non-ascii
- # characters. This is because sockets are not always unicode safe.
- import tempfile
- root = tempfile.gettempdir()
- user = url_encode(os.environ['USER'], URL_ENCODE_READABLE)
- dir = Dir((root, 'zim-%s' % user))
+ if get_tmpdir.dir is None:
+ get_tmpdir.dir = Dir(tempfile.mkdtemp(prefix='zim-'))
- try:
- dir.touch(mode=0o700) # Limit to single user
- os.chmod(dir.path, 0o700) # Limit to single user when dir already existed
- # Raises OSError if not allowed to chmod
- os.listdir(dir.path)
- # Raises OSError if we do not have access anymore
- except OSError:
- raise AssertionError('Either you are not the owner of "%s" or the permissions are un-safe.\n'
- 'If you can not resolve this, try setting $TMP to a different location.' % dir.path)
- else:
- # All OK, so we must be owner of a safe folder now ...
- return dir
+ return get_tmpdir.dir
+get_tmpdir.dir = None
 def normalize_file_uris(path):
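Review bot: The directory that `tempfile.mkdtemp(prefix='zim-')` creates in get_tmpdir() is never removed, so each run leaves another `zim-*` folder, along with whatever TmpFile data was written under it, in the system temp location, whereas the removed code reused one per-user folder. Registering cleanup right after the assignment would cover that, for example `atexit.register(shutil.rmtree, get_tmpdir.dir.path, ignore_errors=True)`, with `import atexit` added next to the new `import tempfile`. The removed comment about sockets suggests that some caller builds a socket path under this folder; since the name is now random per process, a second zim process could no longer derive that path, so callers outside this patch are worth checking. The docstring, whose opening lines and the `def` line sit outside the hunk, still describes a single zim specific folder and should say that the folder is created on first call, is private to the running process, and is cached on `get_tmpdir.dir`.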
