diff --git a/bash-git-prompt.changes b/bash-git-prompt.changes
index 38dfc81..ea7e165 100644
--- a/bash-git-prompt.changes
+++ b/bash-git-prompt.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Sep 22 13:59:46 UTC 2025 - Matthias Gerstner
+
+- add use-safe-tempfile.diff: this fixes bsc#1247489 CVE-2025-61659, an
+ insecure predictable /tmp file usage in bash-git-prompt.
+
 -------------------------------------------------------------------
 Sun May 10 08:51:18 UTC 2020 - Michal Suchanek
 
diff --git a/bash-git-prompt.spec b/bash-git-prompt.spec
index 5d78966..7634838 100644
--- a/bash-git-prompt.spec
+++ b/bash-git-prompt.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package bash-git-prompt
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,6 +28,7 @@ License: BSD-2-Clause
 Group: Development/Tools/Version Control
 URL: https://github.com/magicmonty/bash-git-prompt
 Source0: https://github.com/magicmonty/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+Patch0: use-safe-tempfile.diff
 Requires: git-core
 Requires(post): %fillup_prereq
 BuildArch: noarch
@@ -40,6 +41,7 @@ install. It will disable the prompt accordingly after uninstall.
 
 %prep
 %setup -q
+%autopatch -p1
 
 %build
 sed -i -e 's,#!/usr/bin/env bash,#!/bin/bash,' $(find . -name \*.sh)
diff --git a/use-safe-tempfile.diff b/use-safe-tempfile.diff
new file mode 100644
index 0000000..ed7e38c
--- /dev/null
+++ b/use-safe-tempfile.diff
@@ -0,0 +1,27 @@
+Index: bash-git-prompt-2.7.1/gitprompt.sh
+===================================================================
+--- bash-git-prompt-2.7.1.orig/gitprompt.sh
++++ bash-git-prompt-2.7.1/gitprompt.sh
+@@ -466,8 +466,11 @@ function createPrivateIndex {
+ else
+ __GIT_INDEX_FILE="$GIT_INDEX_FILE"
+ fi
+- __GIT_INDEX_PRIVATE="/tmp/git-index-private$$"
++ __GIT_INDEX_PRIVATE=`mktemp "/tmp/git-index-private-$$.XXXX"`
+ command cp "$__GIT_INDEX_FILE" "$__GIT_INDEX_PRIVATE" 2>/dev/null
++ if [ $? -ne 0 ]; then
++ return
++ fi
+ echo "$__GIT_INDEX_PRIVATE"
+ }
+
+@@ -500,6 +503,9 @@ function updatePrompt() {
+ local GIT_INDEX_PRIVATE="$(createPrivateIndex)"
+ #important to define GIT_INDEX_FILE as local: This way it only affects this function (and below) - even with the export afterwards
+ local GIT_INDEX_FILE
++ if [ -z "$GIT_INDEX_PRIVATE" ]; then
++ return
++ fi
+ export GIT_INDEX_FILE="$GIT_INDEX_PRIVATE"
+
+ local -a git_status_fields
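Review bot: In createPrivateIndex, the new `return` after a failed `cp` leaves behind the file that `mktemp` has just created, so a repository whose index cannot be copied would accumulate one empty `/tmp/git-index-private-*` file per prompt; the new early `return` in updatePrompt then presumably skips whatever cleanup follows later in that function, which lies outside the hunk. Removing the file on that path closes the leak: `rm -f -- "$__GIT_INDEX_PRIVATE"; return 1`. A failed `mktemp` is caught only indirectly, through `cp` failing on an empty destination; `__GIT_INDEX_PRIVATE=$(mktemp "/tmp/git-index-private-$$.XXXXXX") || return 1` makes that check explicit, replaces the backticks and lengthens the random suffix. Both functions begin outside the visible hunks, so the cleanup behaviour should be confirmed against the full gitprompt.sh.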