Hello community, here is the log from the commit of package librepo for openSUSE:Factory checked in at 2020-08-28 23:44:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/librepo (Old) and /work/SRC/openSUSE:Factory/.librepo.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "librepo" Fri Aug 28 23:44:56 2020 rev:13 rq:828723 version:1.12.1 Changes: --------
--- /work/SRC/openSUSE:Factory/librepo/librepo.changes 2020-07-15 11:23:54.245530307 +0200
+++ /work/SRC/openSUSE:Factory/.librepo.new.3399/librepo.changes 2020-08-28 23:45:02.579499299 +0200
@@ -1,0 +2,6 @@
+Sat Aug 22 20:18:17 UTC 2020 - Neal Gompa <[email protected]>
+
+- Upgrade to 1.12.1
+ + Validate path read from repomd.xml (rh#1868639, CVE-2020-14352)
+
+-------------------------------------------------------------------
Old: ---- librepo-1.12.0.tar.gz New: ---- librepo-1.12.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ librepo.spec ++++++
--- /var/tmp/diff_new_pack.qW38h0/_old 2020-08-28 23:45:03.451498740 +0200
+++ /var/tmp/diff_new_pack.qW38h0/_new 2020-08-28 23:45:03.455498738 +0200
@@ -37,7 +37,7 @@
 %define devname %{name}-devel
 Name: librepo
-Version: 1.12.0
+Version: 1.12.1
 Release: 0
 Summary: Repodata downloading library
 License: LGPL-2.0-or-later
++++++ librepo-1.12.0.tar.gz -> librepo-1.12.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librepo-1.12.0/.git-commit-template new/librepo-1.12.1/.git-commit-template
--- old/librepo-1.12.0/.git-commit-template 1970-01-01 01:00:00.000000000 +0100
+++ new/librepo-1.12.1/.git-commit-template 2020-08-22 22:15:59.000000000 +0200
@@ -0,0 +1,16 @@
+
+
+# In addition to regular commit message, you can uncomment and fill in the
+# following to include this change in the released RPM package changelog:
+
+# = changelog =
+# msg:
+# type:
+# resolves:
+# related:
+
+# msg = message to be included in the changelog
+# type = one of: bugfix/enhancement/security
+# resolves = URLs to bugs or issues resolved by this commit
+# related = URLs to any related bugs or issues
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librepo-1.12.0/README.md new/librepo-1.12.1/README.md
--- old/librepo-1.12.0/README.md 2020-05-15 09:43:49.000000000 +0200
+++ new/librepo-1.12.1/README.md 2020-08-22 22:15:59.000000000 +0200
@@ -114,6 +114,36 @@ PYTHONPATH=`readlink -f ./build/librepo/python/python3/` nosetests-3.3 -s -v tests/python/tests/ +## Contribution + +Here's the most direct way to get your work merged into the project. + +1. Fork the project +1. Clone down your fork +1. Implement your feature or bug fix and commit changes +1. If the change fixes a bug at [Red Hat bugzilla](https://bugzilla.redhat.com/), or if it is important to the end user, add the following block to the commit message: + + = changelog = + msg: message to be included in the changelog + type: one of: bugfix/enhancement/security (this field is required when message is present) + resolves: URLs to bugs or issues resolved by this commit (can be specified multiple times) + related: URLs to any related bugs or issues (can be specified multiple times) + + * For example:: + + = changelog = + msg: Decode package URL when using for local filename + type: bugfix + resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1817130 + + * For your convenience, you can also use git commit template by running the following command in the top-level directory of this project: + + git config commit.template ./.git-commit-template + +1. In a separate commit, add your name into the [authors file](https://github.com/rpm-software-management/librepo/blob/master/AUTHORS) as a reward for your generosity +1. Push the branch to your fork +1. Send a pull request for your branch + ## Links * [Red Hat Bugzilla](https://bugzilla.redhat.com/buglist.cgi?query_format=advanced&bug_status=NEW&bug_status=ASSIGNED&bug_status=MODIFIED&bug_status=VERIFIED&component=librepo) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librepo-1.12.0/VERSION.cmake new/librepo-1.12.1/VERSION.cmake --- old/librepo-1.12.0/VERSION.cmake 2020-05-15 09:43:49.000000000 +0200 +++ new/librepo-1.12.1/VERSION.cmake 2020-08-22 22:15:59.000000000 +0200 
@@ -1,3 +1,3 @@
 SET(LIBREPO_MAJOR "1")
 SET(LIBREPO_MINOR "12")
-SET(LIBREPO_PATCH "0")
+SET(LIBREPO_PATCH "1")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librepo-1.12.0/librepo/yum.c new/librepo-1.12.1/librepo/yum.c
--- old/librepo-1.12.0/librepo/yum.c 2020-05-15 09:43:49.000000000 +0200
+++ new/librepo-1.12.1/librepo/yum.c 2020-08-22 22:15:59.000000000 +0200
@@ -23,6 +23,7 @@
 #define BITS_IN_BYTE 8
 #include <stdio.h>
+#include <libgen.h>
 #include <assert.h>
 #include <stdlib.h>
 #include <errno.h>
@@ -770,6 +771,22 @@
 continue;
 char *location_href = record->location_href;
+
+ char *dest_dir = realpath(handle->destdir, NULL);
+ path = lr_pathconcat(handle->destdir, record->location_href, NULL);
+ char *requested_dir = realpath(dirname(path), NULL);
+ lr_free(path);
+ if (!g_str_has_prefix(requested_dir, dest_dir)) {
+ g_debug("%s: Invalid path: %s", __func__, location_href);
+ g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href);
+ g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free);
+ free(requested_dir);
+ free(dest_dir);
+ return FALSE;
+ }
+ free(requested_dir);
+ free(dest_dir);
+
 gboolean is_zchunk = FALSE;
 #ifdef WITH_ZCHUNK
 if (handle->cachedir && record->header_checksum)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/librepo-1.12.0/librepo.spec new/librepo-1.12.1/librepo.spec
--- old/librepo-1.12.0/librepo.spec 2020-05-15 09:43:49.000000000 +0200
+++ new/librepo-1.12.1/librepo.spec 2020-08-22 22:15:59.000000000 +0200
@@ -1,5 +1,7 @@
 %global libcurl_version 7.28.0
+%define __cmake_in_source_build 1
+
 %if 0%{?rhel} && 0%{?rhel} <= 7
 # Do not build bindings for python3 for RHEL <= 7
 %bcond_with python3
@@ -26,7 +28,7 @@
 %global dnf_conflict 2.8.8
 Name: librepo
-Version: 1.12.0
+Version: 1.12.1
 Release: 1%{?dist}
 Summary: Repodata downloading library
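Review bot: In the yum.c hunk at `@@ -770,6 +771,22 @@` both `realpath()` results are used without a NULL check — `realpath(handle->destdir, NULL)` and `realpath(dirname(path), NULL)` return NULL when the directory does not exist or on ENOMEM, and `g_str_has_prefix(requested_dir, dest_dir)` is then only rescued by GLib's precondition guard (a g_critical plus FALSE), which is compiled out under G_DISABLE_CHECKS. The containment test is also a plain string prefix, so a resolved directory whose name merely starts with dest_dir (constructed example: dest_dir `/srv/repo` against `/srv/repo2`) is accepted as if it were inside destdir; the comparison should additionally require the character after the prefix to be `/` or the end of the string. The rewrite below makes both conditions explicit rejections; it assumes `<string.h>` is already included by yum.c, which the hunk does not show. The `path` variable is assigned here but declared outside the hunk, and on the rejection path `*targets` is freed without being reset to NULL — worth checking against the other error returns of the enclosing function, which starts and ends outside the hunk.
```c
        char *dest_dir = realpath(handle->destdir, NULL);
        path = lr_pathconcat(handle->destdir, record->location_href, NULL);
        char *requested_dir = realpath(dirname(path), NULL);
        lr_free(path);
        /* Reject when either path failed to resolve, or when requested_dir is
         * neither dest_dir itself nor a path component below it; a bare prefix
         * match would also accept a sibling directory whose name starts with
         * dest_dir. The last alternative covers a destdir of "/" itself. */
        size_t dest_len = dest_dir ? strlen(dest_dir) : 0;
        gboolean inside = dest_dir && requested_dir
                          && g_str_has_prefix(requested_dir, dest_dir)
                          && (requested_dir[dest_len] == '\0'
                              || requested_dir[dest_len] == '/'
                              || dest_dir[dest_len - 1] == '/');
        if (!inside) {
            g_debug("%s: Invalid path: %s", __func__, location_href);
            g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href);
            /* … unchanged: g_slist_free_full, free(requested_dir), free(dest_dir), return FALSE … */
        }
        free(requested_dir);
        free(dest_dir);
```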
