Hello community, here is the log from the commit of package crawl for openSUSE:Leap:15.2 checked in at 2020-04-17 13:38:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/crawl (Old) and /work/SRC/openSUSE:Leap:15.2/.crawl.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "crawl" Fri Apr 17 13:38:45 2020 rev:10 rq:794776 version:0.24.0 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/crawl/crawl.changes 2020-01-15 14:51:03.165438473 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.crawl.new.2738/crawl.changes 2020-04-17 13:39:09.748292962 +0200 
@@ -1,0 +2,48 @@
+Tue Apr 14 11:22:21 UTC 2020 - Ferdinand Thiessen <[email protected]>
+
+- Added CVE-2020-11722.patch to fix CVE-2020-11722, boo#1169381
+ * Fixes a remote code evaluation issue with lua loadstring
+
+-------------------------------------------------------------------
+Wed Mar 18 12:54:41 UTC 2020 - Jon Brightwell <[email protected]>
+
+- Update to version 0.24.0
+ * Vampire species simplified
+ * Thrown weapons streamlined
+ * Fedhas reimagined
+ * Sif Muna reworked
+- removed crawl-0.17.1-datetime.patch as fixed upstream
+
+-------------------------------------------------------------------
+Sun Jul 21 16:44:16 UTC 2019 - Simon Puchert <[email protected]>
+
+- Update to version 0.23.2
+ * Trap system overhaul
+ * New Gauntlet portal to replace Labyrinths
+ * Nemelex Xobeh rework
+ * Nine unrandarts reworked and the new "Rift" unrandart added
+ * Support for seeded dungeon play
+ * build requires python and python-pyYAML
+
+-------------------------------------------------------------------
+Sat Aug 25 17:45:20 UTC 2018 - [email protected]
+
+- Spec cleanup
+ * Dropped defattr as more recent rpms add a default %defattr line
+ if none is present in the rpm %files section
+- Fixed source (used corret one from upstream)
+
+-------------------------------------------------------------------
+Fri Aug 10 15:14:29 UTC 2018 - [email protected]
+
+- Update to 0.22.0
+ * Player ghosts now only appear in sealed ghost vaults
+ * New spell library interface
+ * User interface revamp for Tiles and WebTiles
+
+-------------------------------------------------------------------
+Sat Jul 14 16:05:43 UTC 2018 - [email protected]
+
+- Update to 0.21.1
+
+-------------------------------------------------------------------
Old: ---- crawl-0.17.1-datetime.patch stone_soup-0.20.1-nodeps.tar.xz New: ---- CVE-2020-11722.patch stone_soup-0.24.0-nodeps.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ 
++++++ crawl.spec ++++++ --- /var/tmp/diff_new_pack.OmEpcI/_old 2020-04-17 13:39:11.184294042 +0200 +++ /var/tmp/diff_new_pack.OmEpcI/_new 2020-04-17 13:39:11.188294045 +0200 @@ -1,7 +1,7 @@ # # spec file for package crawl # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # Copyright (c) 2011 Sascha Peilicke <[email protected]> # # All modifications and additions to the file contributed by third parties @@ -13,24 +13,28 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # -%define major_ver 0.20 + +%define major_ver 0.24 +%define about Crawl is a fun game in the grand tradition of games like Rogue, Hack, and Moria.\ +Your objective is to travel deep into a subterranean cave complex and retrieve the Orb of Zot, \ +which is guarded by many horrible and hideous creatures. Name: crawl -Version: %{major_ver}.1 +Version: %{major_ver}.0 Release: 0 Summary: Roguelike dungeon exploration game -License: GPL-2.0+ +License: GPL-2.0-or-later Group: Amusements/Games/RPG -Url: http://crawl.develz.org/ -Source: http://crawl.develz.org/release/%{major_ver}/stone_soup-%{version}-nodeps.tar.xz -# PATCH-FIX-OPENSUSE for reproducible builds -Patch0: %{name}-0.17.1-datetime.patch +URL: https://crawl.develz.org/ +Source: https://crawl.develz.org/release/%{major_ver}/stone_soup-%{version}-nodeps.tar.xz # PATCH-FIX-UPSTREAM https://github.com/crawl/crawl/pull/464 -Patch1: desktop.patch -Patch2: icon.patch -Patch3: appdata.patch +Patch0: desktop.patch +Patch1: icon.patch +Patch2: appdata.patch +# PATCH-FIX-UPSTREAM CVE-2020-11722, boo#1169381, disable LUA loadstring +Patch3: CVE-2020-11722.patch BuildRequires: dejavu-fonts BuildRequires: desktop-file-utils BuildRequires: fdupes 
@@ -39,29 +43,26 @@ BuildRequires: libpng-devel BuildRequires: lua51-devel BuildRequires: ncurses-devel -BuildRequires: pkg-config +BuildRequires: pkgconfig BuildRequires: pngcrush +BuildRequires: python +BuildRequires: python-PyYAML BuildRequires: update-desktop-files BuildRequires: pkgconfig(SDL2_image) BuildRequires: pkgconfig(freetype2) BuildRequires: pkgconfig(glu) BuildRequires: pkgconfig(sdl2) BuildRequires: pkgconfig(sqlite3) -BuildRoot: %{_tmppath}/%{name}-%{version}-build +Requires: %{name}-data = %{version} %if 0%{?suse_version} >= 1330 Requires: group(games) Requires: user(games) %else Requires(pre): pwdutils %endif -Requires: %{name}-data = %{version} - -%define about Crawl is a fun game in the grand tradition of games like Rogue, Hack, and Moria.\ -Your objective is to travel deep into a subterranean cave complex and retrieve the Orb of Zot, \ -which is guarded by many horrible and hideous creatures. %description -%about +%{about} This is the Stone Soup version of Dungeon Crawl. @@ -73,7 +74,7 @@ Requires: %{name} = %{version} %description sdl -%about +%{about} This is the (SDL-based) tiled Stone Soup version of Dungeon Crawl. @@ -82,20 +83,20 @@ %package data Summary: Roguelike dungeon exploration game (Data files) Group: Amusements/Games/RPG -BuildArch: noarch Requires: %{name} = %{version} +BuildArch: noarch %description data -%about +%{about} These are the data files for Dungeon Crawl Stone Soup. %prep %setup -q -n stone_soup-%{version} -%patch0 -p1 +%patch0 -p2 %patch1 -p2 %patch2 -p2 -%patch3 -p2 +%patch3 -p1 %build cd source 
@@ -106,11 +107,11 @@ # note that --disable-altivec not supported by gcc 4.8 tmpflags="$tmpflags -U__ALTIVEC__" %endif -make clean -make %{?_smp_flags} prefix=%{_prefix} bin_prefix=bin DATADIR="%{_datadir}/%{name}/" BINDIR=%{_bindir} EXTRA_FLAGS="${tmpflags}" +%make_build clean +%make_build prefix=%{_prefix} bin_prefix=bin DATADIR="%{_datadir}/%{name}/" BINDIR=%{_bindir} EXTRA_FLAGS="${tmpflags}" mv crawl crawl.tty # avoid name clashes temporarily -make clean -make %{?_smp_flags} prefix=%{_prefix} bin_prefix=bin DATADIR="%{_datadir}/%{name}/" BINDIR=%{_bindir} EXTRA_FLAGS="${tmpflags}" TILES="1" +%make_build clean +%make_build prefix=%{_prefix} bin_prefix=bin DATADIR="%{_datadir}/%{name}/" BINDIR=%{_bindir} EXTRA_FLAGS="${tmpflags}" TILES="1" mv crawl crawl-sdl mv crawl.tty crawl @@ -118,14 +119,14 @@ %if 0%{?suse_version} < 1330 # Anything after Leap 42.x / SLE12 base uses user/group package dependencies getent group games >/dev/null || groupadd -r games -getent passwd games >/dev/null || useradd -r -g games -d /var/games -s /sbin/nologin +getent passwd games >/dev/null || useradd -r -g games -d %{_localstatedir}/games -s /sbin/nologin %endif # move old saves -if [ -d /var/games/crawl ]; then +if [ -d %{_localstatedir}/games/crawl ]; then if [ -d /root/.crawl ]; then mv /root/.crawl /root/.crawl_old fi - mv /var/games/crawl /root/.crawl + mv %{_localstatedir}/games/crawl /root/.crawl fi %install @@ -144,7 +145,6 @@ %icon_theme_cache_postun %files sdl -%defattr (-,root,root) %attr(0755,root,root) %{_bindir}/%{name}-sdl %{_datadir}/applications/%{name}.desktop %{_datadir}/icons/hicolor/scalable/apps/%{name}.svg 
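Review bot: In the `@@ -118,14 +119,14 @@` hunk, the `useradd` line inside `%if 0%{?suse_version} < 1330` still has no login name after `-s /sbin/nologin`, so on those older targets the command would stop with a usage error and the `games` account would not be created. The line should end with the account name: `getent passwd games >/dev/null || useradd -r -g games -d %{_localstatedir}/games -s /sbin/nologin games`. Separately, the "move old saves" block runs as root and moves `%{_localstatedir}/games/crawl` into `/root/.crawl`; if that directory is writable by the games group (not visible here), its contents land in root's home unchecked, so it is worth confirming the migration is still needed. The scriptlet header is outside the hunk.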
@@ -152,12 +152,10 @@ %{_datadir}/appdata/%{name}.appdata.xml %files data -%defattr (-,root,root) -%doc CREDITS.txt licence.txt %{_datadir}/%{name} %files -%defattr(-,root,root) +%license LICENSE %attr(0755,root,root) %{_bindir}/%{name} %{_mandir}/man6/* ++++++ CVE-2020-11722.patch ++++++ Fix CVE CVE-2020-11722 before version 0.25 Contains upstream commits 768f60da87a3fa0b5561da5ade9309577c176d04 and fc522ff6eb1bbb85e3de60c60a45762571e48c28 diff -Nur stone_soup-0.24.0/source/clua.cc new/source/clua.cc --- stone_soup-0.24.0/source/clua.cc 2019-04-21 07:54:24.000000000 +0200 +++ new/source/clua.cc 2020-04-14 13:38:19.579713046 +0200 @@ -315,6 +315,9 @@ while (!f.eof()) script += f.get_line() + "\n"; + if (script[0] == 0x1b) + abort(); + // prefixing with @ stops lua from adding [string "%s"] return luaL_loadbuffer(ls, &script[0], script.length(), ("@" + file).c_str()); @@ -729,6 +732,20 @@ return !err; } +static int lua_loadstring(lua_State *ls) +{ + const auto lua = luaL_checkstring(ls, 1); + if (lua[0] == 0x1b) + abort(); + lua_settop(ls, 0); + if (luaL_loadstring(ls, lua)) + { + lua_pushnil(ls); + lua_insert(ls, 1); + } + return lua_gettop(ls); +} + void CLua::init_lua() { if (_state) @@ -751,6 +768,11 @@ lua_stack_cleaner clean(_state); + lua_pushcfunction(_state, lua_loadstring); + lua_setglobal(_state, "loadstring"); + lua_pushnil(_state); + lua_setglobal(_state, "load"); + lua_atpanic(_state, _clua_panic); #ifdef CLUA_UNRESTRICTED_LIBS ++++++ stone_soup-0.20.1-nodeps.tar.xz -> stone_soup-0.24.0-nodeps.tar.xz ++++++ /work/SRC/openSUSE:Leap:15.2/crawl/stone_soup-0.20.1-nodeps.tar.xz /work/SRC/openSUSE:Leap:15.2/.crawl.new.2738/stone_soup-0.24.0-nodeps.tar.xz differ: char 26, line 1
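Review bot: The added `if (script[0] == 0x1b) abort();` before `luaL_loadbuffer` (clua.cc hunk `@@ -315,6 +315,9 @@`) carries no comment saying what the magic byte is or why the process is killed. I would add `// 0x1b (ESC) is the first byte of a precompiled Lua chunk; only Lua source text may be loaded here`, and the same comment on the identical check in `lua_loadstring` in the next hunk. `abort()` also ends the game without writing a diagnostic, so a log line naming the rejected file before aborting would help whoever has to triage the crash. The enclosing function starts outside the hunk.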
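Review bot: In the new `lua_loadstring` (hunk `@@ -729,6 +732,20 @@`), `lua_settop(ls, 0)` removes the argument from the stack before `luaL_loadstring(ls, lua)` reads it, and the Lua C API only guarantees the pointer returned by `luaL_checkstring` while the value remains on the stack. If nothing else references the string (a concatenation result passed straight in, for instance), a collection step during loading could free the buffer while it is being parsed. Keeping the string anchored until the load finishes avoids this: use `lua_settop(ls, 1);` before the load, `lua_insert(ls, 2);` in the failure branch, and `lua_remove(ls, 1);` just before `return lua_gettop(ls);`, which leaves the same results (the function, or nil plus the message) on the stack.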
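Review bot: In hunk `@@ -751,6 +768,11 @@`, the `loadstring` override and the removal of `load` are installed before the library setup that begins at `#ifdef CLUA_UNRESTRICTED_LIBS`, whose body is outside the hunk. If that code opens the Lua base library afterwards, the stock `load` and `loadstring` would be registered again and this hardening would be silently undone. Please confirm the order against the full `init_lua`, or move the four added lines to after library loading. A comment such as `// replace loadstring with a source-only wrapper and drop load, so scripts cannot load precompiled bytecode` would record why these globals are changed.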
