From 270e449fecb04ac1711a28f3787cc0ef92f5a0146d43295b53197293dfacfa13 Mon Sep 17 00:00:00 2001
From: Richard Rahl
Date: Fri, 28 Nov 2025 12:29:28 +0000
Subject: [PATCH] - Do not make config file group-readable. * remove-config-file-group-readwrite-permission-856.patch
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/gitea-tea?expand=0&rev=31
---
 .gitattributes | 23 +++
 .gitignore | 1 +
 _service | 18 ++
 fix-CVE-2025-47911.patch | 64 ++++++
 fix-CVE-2025-58190.patch | 99 ++++++++++
 gitea-tea-0.11.0.tar.gz | 3 +
 gitea-tea-0.11.1.tar.gz | 3 +
 gitea-tea.changes | 182 ++++++++++++++++++
 gitea-tea.spec | 105 ++++++++++
 ...-file-group-readwrite-permission-856.patch | 28 +++
 vendor.tar.gz | 3 +
 11 files changed, 529 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 _service
 create mode 100644 fix-CVE-2025-47911.patch
 create mode 100644 fix-CVE-2025-58190.patch
 create mode 100644 gitea-tea-0.11.0.tar.gz
 create mode 100644 gitea-tea-0.11.1.tar.gz
 create mode 100644 gitea-tea.changes
 create mode 100644 gitea-tea.spec
 create mode 100644 remove-config-file-group-readwrite-permission-856.patch
 create mode 100644 vendor.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..895c03c
--- /dev/null
+++ b/_service
@@ -0,0 +1,18 @@
+
+
+
+ https://gitea.com/gitea/tea.git
+ git
+ 61d4e571a7e086f53f5f8a7713151839e1a32151
+ gitea-tea
+ @PARENT_TAG@+@TAG_OFFSET@
+ v(.*)\+0
+ \1
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/fix-CVE-2025-47911.patch b/fix-CVE-2025-47911.patch
new file mode 100644
index 0000000..3619d31
--- /dev/null
+++ b/fix-CVE-2025-47911.patch
@@ -0,0 +1,64 @@
+diff -rubN vendor/golang.org/x/net/html/escape.go vendor-patched/golang.org/x/net/html/escape.go
+--- a/vendor/golang.org/x/net/html/escape.go 2025-06-06 12:16:37.000000000 +0200
++++ b/vendor-patched/golang.org/x/net/html/escape.go 2025-10-09 10:38:44.325052734 +0200
+@@ -299,7 +299,7 @@
+ case '\r':
+ esc = " "
+ default:
+- panic("unrecognized escape character")
++ panic("html: unrecognized escape character")
+ }
+ s = s[i+1:]
+ if _, err := w.WriteString(esc); err != nil {
+diff -rubN vendor/golang.org/x/net/html/parse.go vendor-patched/golang.org/x/net/html/parse.go
+--- a/vendor/golang.org/x/net/html/parse.go 2025-10-09 10:39:56.705570069 +0200
++++ b/vendor-patched/golang.org/x/net/html/parse.go 2025-10-09 10:38:59.062361676 +0200
+@@ -231,7 +231,14 @@
+ }
+
+ if n.Type == ElementNode {
++ p.insertOpenElement(n)
++ }
++}
++
++func (p *parser) insertOpenElement(n *Node) {
+ p.oe = append(p.oe, n)
++ if len(p.oe) > 512 {
++ panic("html: open stack of elements exceeds 512 nodes")
+ }
+ }
+
+@@ -810,7 +817,7 @@
+ p.im = inFramesetIM
+ return true
+ case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
+- p.oe = append(p.oe, p.head)
++ p.insertOpenElement(p.head)
+ defer p.oe.remove(p.head)
+ return inHeadIM(p)
+ case a.Head:
+@@ -2324,9 +2331,13 @@
+ }
+ }
+
+-func (p *parser) parse() error {
++func (p *parser) parse() (err error) {
++ defer func() {
++ if panicErr := recover(); panicErr != nil {
++ err = fmt.Errorf("%s", panicErr)
++ }
++ }()
+ // Iterate until EOF. Any other error will cause an early return.
+- var err error
+ for err != io.EOF {
+ // CDATA sections are allowed only in foreign content.
+ n := p.oe.top()
+@@ -2355,6 +2366,8 @@
+ // s. Conversely, explicit s in r's data can be silently dropped,
+ // with no corresponding node in the resulting tree.
+ //
++// Parse will reject HTML that is nested deeper than 512 elements.
++//
+ // The input is assumed to be UTF-8 encoded.
+ func Parse(r io.Reader) (*Node, error) {
+ return ParseWithOptions(r)
diff --git a/fix-CVE-2025-58190.patch b/fix-CVE-2025-58190.patch
new file mode 100644
index 0000000..15067b6
--- /dev/null
+++ b/fix-CVE-2025-58190.patch
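Review bot: The nested headers in fix-CVE-2025-47911.patch name different trees on the two sides, `--- a/vendor/golang.org/x/net/html/escape.go` against `+++ b/vendor-patched/golang.org/x/net/html/escape.go` (and the same for parse.go); GNU patch under `%autosetup -p1` gets away with it by falling back to the name that exists, but other patch tooling may take the `+++` name literally and fail, so the b/ side should read `vendor/...` too. fix-CVE-2025-58190.patch carries the same mismatch. The new `recover()` in `parse()` also turns every panic raised while parsing, including the internal-error panics that fix-CVE-2025-58190.patch adds to indexOfElementInScope and clearStackToContext, into a returned error, which deserves a comment such as `// Any panic during parsing (depth limit or internal error) is reported to the caller as an error rather than crashing the process.` so callers know a parse error may now reflect a parser bug rather than bad input. The body of parse() continues outside the nested hunk.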
@@ -0,0 +1,99 @@
+diff -rubN vendor/golang.org/x/net/html/parse.go vendor-patched/golang.org/x/net/html/parse.go
+--- a/vendor/golang.org/x/net/html/parse.go 2025-06-06 12:16:37.000000000 +0200
++++ b/vendor-patched/golang.org/x/net/html/parse.go 2025-10-09 10:12:41.984298856 +0200
+@@ -136,7 +136,7 @@
+ return -1
+ }
+ default:
+- panic("unreachable")
++ panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s))
+ }
+ }
+ switch s {
+@@ -179,7 +179,7 @@
+ return
+ }
+ default:
+- panic("unreachable")
++ panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s))
+ }
+ }
+ }
+@@ -1678,7 +1678,7 @@
+ return inTableIM(p)
+ }
+
+-// Section 12.2.6.4.14.
++// Section 13.2.6.4.14.
+ func inRowIM(p *parser) bool {
+ switch p.tok.Type {
+ case StartTagToken:
+@@ -1690,7 +1690,9 @@
+ p.im = inCellIM
+ return true
+ case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr:
+- if p.popUntil(tableScope, a.Tr) {
++ if p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
+ p.im = inTableBodyIM
+ return false
+ }
+@@ -1700,22 +1702,28 @@
+ case EndTagToken:
+ switch p.tok.DataAtom {
+ case a.Tr:
+- if p.popUntil(tableScope, a.Tr) {
++ if p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
+ p.im = inTableBodyIM
+ return true
+ }
+ // Ignore the token.
+ return true
+ case a.Table:
+- if p.popUntil(tableScope, a.Tr) {
++ if p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
+ p.im = inTableBodyIM
+ return false
+ }
+ // Ignore the token.
+ return true
+ case a.Tbody, a.Tfoot, a.Thead:
+- if p.elementInScope(tableScope, p.tok.DataAtom) {
+- p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String())
++ if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) {
++ p.clearStackToContext(tableRowScope)
++ p.oe.pop()
++ p.im = inTableBodyIM
+ return false
+ }
+ // Ignore the token.
+@@ -2222,16 +2230,20 @@
+ p.acknowledgeSelfClosingTag()
+ }
+ case EndTagToken:
+- for i := len(p.oe) - 1; i >= 0; i-- {
+- if p.oe[i].Namespace == "" {
+- return p.im(p)
++ if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) {
++ p.oe = p.oe[:len(p.oe)-1]
++ return true
+ }
++ for i := len(p.oe) - 1; i >= 0; i-- {
+ if strings.EqualFold(p.oe[i].Data, p.tok.Data) {
+ p.oe = p.oe[:i]
++ return true
++ }
++ if i > 0 && p.oe[i-1].Namespace == "" {
+ break
+ }
+ }
+- return true
++ return p.im(p)
+ default:
+ // Ignore the token.
+ }
diff --git a/gitea-tea-0.11.0.tar.gz b/gitea-tea-0.11.0.tar.gz
new file mode 100644
index 0000000..95b3f5a
--- /dev/null
+++ b/gitea-tea-0.11.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:88e87cf49a78c355b34aa205ecf9d2488418687ad5391c517a22a39353a3bebb
+size 745942
diff --git a/gitea-tea-0.11.1.tar.gz b/gitea-tea-0.11.1.tar.gz
new file mode 100644
index 0000000..8bc8f42
--- /dev/null
+++ b/gitea-tea-0.11.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cb173e6ad5d06372196c90cc08f7039f5925ea6a0854a19d40e77b4d3977f107
+size 745960
diff --git a/gitea-tea.changes b/gitea-tea.changes
new file mode 100644
index 0000000..24dd79b
--- /dev/null
+++ b/gitea-tea.changes
@@ -0,0 +1,182 @@
+-------------------------------------------------------------------
+Fri Nov 28 09:35:29 UTC 2025 - Michal Suchanek
+
+- Do not make config file group-readable.
+ * remove-config-file-group-readwrite-permission-856.patch
+
+-------------------------------------------------------------------
+Sat Nov 8 12:34:56 UTC 2025 - olaf@aepfle.de
+
+- CLI.md is supposed to be a text file
+- Use fixed git revision to refer to version 0.11.1
+- Remove bogus part from package description
+
+-------------------------------------------------------------------
+Sat Oct 18 06:04:09 UTC 2025 - Johannes Kastl
+
+- update to 0.11.1:
+ * 61d4e57 Fix Pr Create crash (#823)
+ * 4f33146 add test for matching logins (#820)
+ * 08b8398 Update README.md (#819)
+
+-------------------------------------------------------------------
+Thu Oct 9 10:16:45 UTC 2025 - Richard Rahl
+
+- add fix-CVE-2025-58190.patch, fixing bsc#1251663
+- add fix-CVE-2025-47911.patch, fixing bsc#1251471
+
+-------------------------------------------------------------------
+Fri Sep 19 20:33:30 UTC 2025 - Richard Rahl
+
+- fix version to something simpler
+
+-------------------------------------------------------------------
+Fri Sep 19 12:41:16 UTC 2025 - Johannes Kastl
+
+- update to 0.11.0:
+ * Fix yaml output single quote (#814)
+ * generate man page (#811)
+ * feat: add validation for object-format flag in repo create
+ command (#741)
+ * Fix release version (#815)
+ * update gitea sdk to v0.22 (#813)
+ * don't fallback login directly (#806)
+ * Check duplicated login name in interact mode when creating new
+ login (#803)
+ * Fix bug when output json with special chars (#801)
+ * add debug mode and update readme (#805)
+ * update go.mod to retract the wrong tag v1.3.3 (#802)
+ * revert completion scripts removal (#808)
+ * Remove pagination from context (#807)
+ * Continue auth when failed to open browser (#794)
+ * Fix bug (#793)
+ * Fix tea login add with ssh public key bug (#789)
+ * Add
temporary authentication via environment variables (#639)
+ * Fix attachment size (#787)
+ * deploy image when tagging (#792)
+ * Add Zip URL for release list (#788)
+ * Use bubbletea instead of survey for interacting with TUI (#786)
+ * capitalize a few items
+ * rm out of date comparison file
+ * README: Document logging in to gitea (#790)
+ * remove autocomplete command (#782)
+ * chore(deps): update ghcr.io/devcontainers/features/git-lfs
+ docker tag to v1.2.5 (#773)
+ * replace arch package url (#783)
+ * fix: Reenable -p and --limit switches (#778)
+
+-------------------------------------------------------------------
+Mon Sep 15 16:22:12 UTC 2025 - Michal Suchanek
+
+- Install up-to-date autocompletion files.
+
+-------------------------------------------------------------------
+Fri Sep 12 20:27:00 UTC 2025 - Matej Cepl
+
+- Update to 0.10.1+git.1757695903.cc20b52:
+ - feat: add validation for object-format flag in repo create
+ command (see gh#openSUSE/openSUSE-git#60)
+ - Fix release version
+ - update gitea sdk to v0.22
+ - don't fallback login directly
+ - Check duplicated login name in interact mode when creating
+ new login
+ - Fix bug when output json with special chars
+ - add debug mode and update readme
+ - update go.mod to retract the wrong tag v1.3.3
+ - revert completion scripts removal
+ - Remove pagination from context
+ - Continue auth when failed to open browser
+ - Fix bug
+ - Fix tea login add with ssh public key bug
+ - Add temporary authentication via environment variables
+ - Fix attachment size
+ - deploy image when tagging
+ - Add Zip URL for release list
+ - Use bubbletea instead of survey for interacting with TUI
+ - capitalize a few items
+ - rm out of date comparison file
+ - README: Document logging in to gitea
+ - remove autocomplete command
+ - chore(deps): update ghcr.io/devcontainers/features/git-lfs
+ docker tag to v1.2.5
+ - replace arch package url
+ - fix: Reenable `-p` and `--limit` switches
+- Remove upstreamed patch:
+ - fix-Reenable-p-and-limit-switches-778.patch
+
+-------------------------------------------------------------------
+Wed Jul 23 17:44:40 UTC 2025 - Michal Suchanek
+
+- Fix argument parsing fix-Reenable-p-and-limit-switches-778.patch
+
+-------------------------------------------------------------------
+Tue Jun 17 10:50:31 UTC 2025 - Johannes Kastl
+
+- update to 0.10.1:
+ * 8212d5f Update release ci (#768)
+ * d536242 chore(deps): update crazy-max/ghaction-import-gpg action
+ to v6 (#736)
+ * ffff540 fix(deps): update module github.com/urfave/cli/v3 to
+ v3.3.8 (#766)
+
+-------------------------------------------------------------------
+Tue Jun 10 18:06:49 UTC 2025 - Richard Rahl
+
+- update to 0.10.0:
+ * fix: support SSH remotes with non-standard ports
+ * minor helper fixes
+ * Bump Table Dep
+ * Login via oauth2 flow
+ * Feat: interactive issue edit command
+ * Use flakes vs devbox
+ * Fix helper panic
+ * Add --note-file flag to read release notes from a file
+ * Fix/Login Edit Use Editor Env
+ * Gitea Actions support
+ * Expose --labels option
+ * Add git helper
+ * Support auto detecting branch for PRs
+ * context: move human readable note to stderr
+ * Add repos rm/delete command
+ * Release Asset Management
+ * tea branches list/protect/unprotect
+ * Add OTP and scopes to login
+ * Initial CLI docs
+ * Fix for go tools called from make
+ * fix interactive login add
+ * issues list can show filtered by owner/org instead of repo too
+ * fix: non-standard ssh port URL's repo can't be recognized
+ * updated dependencies
+- remove newer-dependencies.patch, as upstream updated them
+
+-------------------------------------------------------------------
+Thu Apr 24 16:47:19 UTC 2025 - Richard Rahl
+
+- update newer-dependencies.patch, fixing bsc#1241819
+
+-------------------------------------------------------------------
+Wed Mar 12 13:03:30 UTC 2025 - Richard Rahl
+
+- update newer-dependencies.patch, fixes bsc#1235367 bsc#1239493 bsc#1234598
+
+-------------------------------------------------------------------
+Tue Feb 25 13:51:13 UTC 2025 - Richard Rahl
+
+- adding newer-dependencies.patch, for updating dependencies,
+ fixing bsc#1234598
+
+-------------------------------------------------------------------
+Thu Aug 22 22:33:56 UTC 2024 - Richard Rahl
+
+- fix build for non x86_64 and aarch64 (CGO_ENABLED=0 was set as default)
+
+-------------------------------------------------------------------
+Thu Mar 7 03:51:49 UTC 2024 - Richard Rahl
+
+- rename binary to tea (actual name) and conflict tea text edidor
+
+-------------------------------------------------------------------
+Sat Jul 8 22:31:24 UTC 2023 - Luciano Santos
+
+- Upstream version 0.9.2: Initial openSUSE package.
diff --git a/gitea-tea.spec b/gitea-tea.spec
new file mode 100644
index 0000000..a64804a
--- /dev/null
+++ b/gitea-tea.spec
@@ -0,0 +1,105 @@
+#
+# spec file for package gitea-tea
+#
+# Copyright (c) 2025 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: gitea-tea
+Version: 0.11.1
+Release: 0
+Summary: A command line tool to interact with Gitea servers
+License: MIT
+URL: https://gitea.com/gitea/tea
+Source0: %{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Patch0: fix-CVE-2025-58190.patch
+Patch1: fix-CVE-2025-47911.patch
+Patch3: remove-config-file-group-readwrite-permission-856.patch
+BuildRequires: golang(API) >= 1.24
+Conflicts: tea
+
+%description
+Tea can be used to manage most entities on one or multiple Gitea
+instances and provides local helpers like 'tea pr checkout'.
+
+It tries to make use of context provided by the repository in $PWD
+if available. And works best in a upstream/fork workflow, when the
+local main branch tracks the upstream repo. It also assumes that
+local git state is published on the remote before doing operations.
+Configuration lives in $XDG_CONFIG_HOME/tea.
+
+%package bash-completion
+Summary: Bash Completion for Gitea's tea CLI
+BuildRequires: bash-completion
+Requires: %{name} = %{version}
+Requires: bash-completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description bash-completion
+Bash command line completion support for Gitea's tea CLI.
+
+%package zsh-completion
+Summary: Zsh Completion for Gitea's tea CLI
+BuildRequires: zsh
+Requires: %{name} = %{version}
+Requires: zsh
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description zsh-completion
+Zsh command line completion support for Gitea's tea CLI.
+
+%prep
+%autosetup -a1 -p1
+
+%build
+go build \
+ -o tea \
+ -mod=vendor \
+ -buildmode=pie \
+ -ldflags "-X main.Version=%{version}"
+
+# building docs
+go run \
+ docs/docs.go \
+ -o docs/CLI.md \
+ -mod=vendor \
+ -buildmode=pie \
+ -ldflags "-X main.Version=%{version}"
+
+%install
+install -v -m 0755 -D -t %{buildroot}%{_bindir} tea
+
+./tea completion bash > contrib/autocomplete.sh
+install -v -m 0644 -D contrib/autocomplete.sh \
+ %{buildroot}%{_datadir}/bash-completion/completions/tea
+
+./tea completion zsh > contrib/autocomplete.zsh
+install -v -m 0644 -D contrib/autocomplete.zsh \
+ %{buildroot}%{_datadir}/zsh/site-functions/_tea
+
+%files
+%license LICENSE
+%doc CHANGELOG.md docs/CLI.md CONTRIBUTING.md README.md
+%{_bindir}/tea
+
+%files bash-completion
+%{_datadir}/bash-completion/completions/tea
+
+%files zsh-completion
+%{_datadir}/zsh/site-functions/_tea
+
+%changelog
diff --git a/remove-config-file-group-readwrite-permission-856.patch b/remove-config-file-group-readwrite-permission-856.patch
new file mode 100644
index 0000000..afe0c00
--- /dev/null
+++ b/remove-config-file-group-readwrite-permission-856.patch
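Review bot: In the %build section the docs invocation puts `-mod=vendor`, `-buildmode=pie` and `-ldflags "-X main.Version=%{version}"` after `docs/docs.go`, and `go run` hands everything after the package argument to the program rather than treating it as build flags, so those options probably only take effect by accident (the vendor directory may be picked up automatically, but the generator receives the flags as its own arguments); moving them in front, as `go run -mod=vendor -buildmode=pie -ldflags "-X main.Version=%{version}" docs/docs.go -o docs/CLI.md`, makes the intent real. Patch0 and Patch1 both modify vendor/golang.org/x/net/html/parse.go, and the a/ timestamp in fix-CVE-2025-47911.patch postdates the one in fix-CVE-2025-58190.patch, which suggests it was generated on top of it; a comment such as `# Patch0 must apply before Patch1: both touch vendor/golang.org/x/net/html/parse.go` would keep a later reorder from breaking %autosetup. The jump from Patch1 to Patch3 also reads as a leftover from a removed patch and could be renumbered.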
@@ -0,0 +1,28 @@
+From f6d4b5fa4fdf4ebb777cc465f9c3ec30c8024548 Mon Sep 17 00:00:00 2001
+From: TheFox0x7
+Date: Thu, 27 Nov 2025 22:45:25 +0000
+Subject: [PATCH] remove group readwrite permission (#856)
+
+closes: https://gitea.com/gitea/tea/issues/855
+Reviewed-on: https://gitea.com/gitea/tea/pulls/856
+Reviewed-by: Lunny Xiao
+Co-authored-by: TheFox0x7
+Co-committed-by: TheFox0x7
+---
+ modules/config/config.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/config/config.go b/modules/config/config.go
+index 70443ca..30b59f3 100644
+--- a/modules/config/config.go
++++ b/modules/config/config.go
+@@ -104,5 +104,5 @@ func saveConfig() error {
+ if err != nil {
+ return err
+ }
+- return os.WriteFile(ymlPath, bs, 0o660)
++ return os.WriteFile(ymlPath, bs, 0o600)
+ }
+--
+2.51.0
+
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..2aa80f4
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:479325be2a78e9e1064f73f5db26482a0d5e6e1bb9c399008e37f604bad11fa9
+size 6061961
--
2.51.1
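Review bot: Lowering the mode in `return os.WriteFile(ymlPath, bs, 0o600)` only helps when the config file does not exist yet; os.WriteFile truncates an existing file without changing its permissions, so installations whose config was created by an earlier tea with 0o660 keep their group-readable mode after this update, and the changes entry "Do not make config file group-readable" promises more than the patch delivers for them. Tightening the existing file before the write closes that gap: `if err := os.Chmod(ymlPath, 0o600); err != nil && !os.IsNotExist(err) {` / `return err` / `}` ahead of the WriteFile call, or at minimum a comment such as `// 0o600 is applied only when the file is created; pre-existing files keep their old mode` so the limitation is visible to the next reader. The start of saveConfig lies outside the nested hunk, so whether an earlier line already handles this cannot be seen here.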