Merge pull request 'Update to 1.52.2:' (#3) from mcepl/CVE-2025-22868-update-golang-oauth2 into factory

2025-03-12 04:05:04 +01:00 · 2025-03-12 04:05:04 +01:00 · 4ff3339215
commit 4ff3339215
parent 94c7ed343a 9164cf55ac
6 changed files with 61 additions and 6 deletions
--- a/fake-gcs-server-1.52.1.tar.gz
+++ b/fake-gcs-server-1.52.1.tar.gz
--- a/fake-gcs-server-1.52.2.tar.gz
+++ b/fake-gcs-server-1.52.2.tar.gz
--- a/fake-gcs-server.changes
+++ b/fake-gcs-server.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Mar 11 08:23:03 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
+
+- Update to 1.52.2:
+  - fix: typos
+  - Use default temporary directory in tests
+  - Go 1.24 is out, drop Go 1.22
+- bsc#1239200 (CVE-2025-22868): revendor
+  to use golang.org/x/oauth2 v0.28.0
+  (https://pkg.go.dev/vuln/GO-2025-3488).
+
 -------------------------------------------------------------------
 Tue Jan 28 22:48:18 UTC 2025 - Matej Cepl <mcepl@cepl.eu>

--- a/fake-gcs-server.spec
+++ b/fake-gcs-server.spec
@ -21,13 +21,16 @@
 %global provider_prefix github.com/fsouza/fake-gcs-server/fakestorage
 %global import_path     %{provider_prefix}
 Name:           fake-gcs-server
-Version:        1.52.1
+Version:        1.52.2
 Release:        0
 Summary:        Google Cloud Storage emulator & testing library
 License:        BSD-2-Clause
 URL:            https://github.com/fsouza/fake-gcs-server
 Source0:        https://github.com/fsouza/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        vendor.tar.xz
+# PATCH-FIX-UPSTREAM update-golang-oauth2.patch bsc#[0-9]+ mcepl@suse.com
+# update vendored golang-oauth2 (CVE-2025-22868, GO-2025-3488)
+Patch0:         update-golang-oauth2.patch
 BuildRequires:  fdupes
 BuildRequires:  go >= 1.23.0
 BuildRequires:  golang-packaging
--- a/update-golang-oauth2.patch
+++ b/update-golang-oauth2.patch
@ -0,0 +1,41 @@
+---
+ go.mod |    6 ++++--
+ go.sum |    4 ++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+Index: fake-gcs-server-1.52.2/go.mod
+===================================================================
+--- fake-gcs-server-1.52.2.orig/go.mod	2025-02-16 04:33:40.000000000 +0100
+++ fake-gcs-server-1.52.2/go.mod	2025-03-11 10:36:31.416633475 +0100
+@@ -10,7 +10,7 @@
+ 	github.com/minio/minio-go/v7 v7.0.86
+ 	github.com/pkg/xattr v0.4.10
+ 	github.com/stretchr/testify v1.10.0
+-	golang.org/x/oauth2 v0.26.0
+	golang.org/x/oauth2 v0.28.0
+ 	google.golang.org/api v0.215.0
+ )
+ 
+@@ -77,4 +77,6 @@
+ 	gopkg.in/yaml.v3 v3.0.1 // indirect
+ )
+ 
+-go 1.23
+go 1.23.0
+
+toolchain go1.24.1
+Index: fake-gcs-server-1.52.2/go.sum
+===================================================================
+--- fake-gcs-server-1.52.2.orig/go.sum	2025-02-16 04:33:40.000000000 +0100
+++ fake-gcs-server-1.52.2/go.sum	2025-03-11 10:36:39.413614515 +0100
+@@ -187,8 +187,8 @@
+ golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+ golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
+ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+-golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
+-golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
+golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
--- a/vendor.tar.xz
+++ b/vendor.tar.xz