pyenv/pyenv-CVE-2022-35861.patch

From 22fa683571d98b59ea16e5fe48ac411c67939653 Mon Sep 17 00:00:00 2001
From: James Stronz <j.a.stronz@gmail.com>
Date: Sat, 16 Jul 2022 15:01:04 -0700
Subject: [PATCH] CVE-2022-35861: Fixed relative path traversal due to using
 version string in path (#2412)

---
 libexec/pyenv-version-file-read | 13 ++++++++++---
 test/version-file-read.bats     | 12 ++++++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/libexec/pyenv-version-file-read b/libexec/pyenv-version-file-read
index 5dcc40fc..faaf1596 100755
--- a/libexec/pyenv-version-file-read
+++ b/libexec/pyenv-version-file-read
@@ -11,9 +11,16 @@ if [ -s "$VERSION_FILE" ]; then
   IFS="${IFS}"$'\r'
   sep=
   while read -n 1024 -r version _ || [[ $version ]]; do
-      [[ -z $version || $version == \#* ]] && continue
-      printf "%s%s" "$sep" "$version"
-      sep=:
+    if [[ -z $version || $version == \#* ]]; then
+      # Skip empty lines and comments
+      continue
+    elif [ "$version" = ".." ] || [[ $version == */* ]]; then
+      # The version string is used to construct a path and we skip dubious values.
+      # This prevents issues such as path traversal (CVE-2022-35861).
+      continue
+    fi
+    printf "%s%s" "$sep" "$version"
+    sep=:
   done <"$VERSION_FILE"
   [[ $sep ]] && { echo; exit; }
 fi
diff --git a/test/version-file-read.bats b/test/version-file-read.bats
index a7b184de..18cfe131 100644
--- a/test/version-file-read.bats
+++ b/test/version-file-read.bats
@@ -82,3 +82,15 @@ IN
   run pyenv-version-file-read my-version
   assert_success "3.9.3:3.8.9:2.7.16"
 }
+
+@test "skips relative path traversal" {
+  cat > my-version <<IN
+3.9.3
+3.8.9
+  ..
+./*
+2.7.16
+IN
+  run pyenv-version-file-read my-version
+  assert_success "3.9.3:3.8.9:2.7.16"
+}
-- 
2.35.3
Accepting request 989841 from home:thomas-schraitle:branches:devel:languages:python - Update to 2.3.2 - Add CPython 3.11.0b2 by @saaketp in #2380 - Honor CFLAGS_EXTRA for MicroPython #2006 by @yggdr in #2007 - Add post-install checks for curses, ctypes, lzma, and tkinter by @aphedges in #2353 - Add CPython 3.11.0b3 by @edgarrmondragon in #2382 - Add flags for Homebrew into python-config --ldflags by @native-api in #2384 - Add CPython 3.10.5 by @illia-v in #2386 - Add Anaconda 2019.10, 2021.04, 2022.05; support Anaconda in add_miniconda.py by @native-api in #2385 - Add Pyston-2.3.4 by @dand-oss in #2390 - Update Anaconda3-2022.05 MacOSX arm64 md5 by @bkbncn in #2391 - Fix bsc#1201582 to fix CVE-2022-35861 (from commit 22fa683, file pyenv-CVE-2022-35861.patch) OBS-URL: https://build.opensuse.org/request/show/989841 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/pyenv?expand=0&rev=33 2022-07-18 13:37:49 +02:00			`From 22fa683571d98b59ea16e5fe48ac411c67939653 Mon Sep 17 00:00:00 2001`
			`From: James Stronz <j.a.stronz@gmail.com>`
			`Date: Sat, 16 Jul 2022 15:01:04 -0700`
			`Subject: [PATCH] CVE-2022-35861: Fixed relative path traversal due to using`
			`version string in path (#2412)`

			`---`
			`libexec/pyenv-version-file-read \| 13 ++++++++++---`
			`test/version-file-read.bats \| 12 ++++++++++++`
			`2 files changed, 22 insertions(+), 3 deletions(-)`

			`diff --git a/libexec/pyenv-version-file-read b/libexec/pyenv-version-file-read`
			`index 5dcc40fc..faaf1596 100755`
			`--- a/libexec/pyenv-version-file-read`
			`+++ b/libexec/pyenv-version-file-read`
			`@@ -11,9 +11,16 @@ if [ -s "$VERSION_FILE" ]; then`
			`IFS="${IFS}"$'\r'`
			`sep=`
			`while read -n 1024 -r version _ \|\| [[ $version ]]; do`
			`- [[ -z $version \|\| $version == \#* ]] && continue`
			`- printf "%s%s" "$sep" "$version"`
			`- sep=:`
			`+ if [[ -z $version \|\| $version == \#* ]]; then`
			`+ # Skip empty lines and comments`
			`+ continue`
			`+ elif [ "$version" = ".." ] \|\| [[ $version == / ]]; then`
			`+ # The version string is used to construct a path and we skip dubious values.`
			`+ # This prevents issues such as path traversal (CVE-2022-35861).`
			`+ continue`
			`+ fi`
			`+ printf "%s%s" "$sep" "$version"`
			`+ sep=:`
			`done <"$VERSION_FILE"`
			`[[ $sep ]] && { echo; exit; }`
			`fi`
			`diff --git a/test/version-file-read.bats b/test/version-file-read.bats`
			`index a7b184de..18cfe131 100644`
			`--- a/test/version-file-read.bats`
			`+++ b/test/version-file-read.bats`
			`@@ -82,3 +82,15 @@ IN`
			`run pyenv-version-file-read my-version`
			`assert_success "3.9.3:3.8.9:2.7.16"`
			`}`
			`+`
			`+@test "skips relative path traversal" {`
			`+ cat > my-version <<IN`
			`+3.9.3`
			`+3.8.9`
			`+ ..`
			`+./*`
			`+2.7.16`
			`+IN`
			`+ run pyenv-version-file-read my-version`
			`+ assert_success "3.9.3:3.8.9:2.7.16"`
			`+}`
			`--`
			`2.35.3`