Accepting request 989861 from devel:languages:python
OBS-URL: https://build.opensuse.org/request/show/989861
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pyenv?expand=0&rev=13
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:57a0676ddbd32f5d99265d5bf297912652af5a484afba55b977c85450545f47b
|
|
||||||
size 708346
|
|
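--- a/pyenv-2.3.2.tar.gz
+++ b/pyenv-2.3.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:150ac8f7161c00e8e613bf5e273306f674b60037e3dace9c6bb7611dceb17144
+size 713692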
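--- a/pyenv-CVE-2022-35861.patch
+++ b/pyenv-CVE-2022-35861.patch
@@ -0,0 +1,58 @@
+From 22fa683571d98b59ea16e5fe48ac411c67939653 Mon Sep 17 00:00:00 2001
+From: James Stronz <j.a.stronz@gmail.com>
+Date: Sat, 16 Jul 2022 15:01:04 -0700
+Subject: [PATCH] CVE-2022-35861: Fixed relative path traversal due to using
+version string in path (#2412)
+
+---
+libexec/pyenv-version-file-read | 13 ++++++++++---
+test/version-file-read.bats | 12 ++++++++++++
+2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/libexec/pyenv-version-file-read b/libexec/pyenv-version-file-read
+index 5dcc40fc..faaf1596 100755
+--- a/libexec/pyenv-version-file-read
++++ b/libexec/pyenv-version-file-read
+@@ -11,9 +11,16 @@ if [ -s "$VERSION_FILE" ]; then
+IFS="${IFS}"$'\r'
+sep=
+while read -n 1024 -r version _ || [[ $version ]]; do
+- [[ -z $version || $version == \#* ]] && continue
+- printf "%s%s" "$sep" "$version"
+- sep=:
++ if [[ -z $version || $version == \#* ]]; then
++ # Skip empty lines and comments
++ continue
++ elif [ "$version" = ".." ] || [[ $version == */* ]]; then
++ # The version string is used to construct a path and we skip dubious values.
++ # This prevents issues such as path traversal (CVE-2022-35861).
++ continue
++ fi
++ printf "%s%s" "$sep" "$version"
++ sep=:
+done <"$VERSION_FILE"
+[[ $sep ]] && { echo; exit; }
+fi
+diff --git a/test/version-file-read.bats b/test/version-file-read.bats
+index a7b184de..18cfe131 100644
+--- a/test/version-file-read.bats
++++ b/test/version-file-read.bats
+@@ -82,3 +82,15 @@ IN
+run pyenv-version-file-read my-version
+assert_success "3.9.3:3.8.9:2.7.16"
+}
++
++@test "skips relative path traversal" {
++ cat > my-version <<IN
++3.9.3
++3.8.9
++ ..
++./*
++2.7.16
++IN
++ run pyenv-version-file-read my-version
++ assert_success "3.9.3:3.8.9:2.7.16"
++}
+--
+2.35.3
+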
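Review bot: A rejected entry (`..` or anything containing `/`) is dropped by the bare `continue` in the new `elif` branch of `pyenv-version-file-read` with no diagnostic, so a tampered or mistyped version-file entry fails silently and the next entry in the file is used instead. A one-line `echo "pyenv: ignoring suspicious entry in ${VERSION_FILE}" >&2` before that `continue` would make the rejection visible in logs; note that bats' `run` merges stderr into `$output`, so the new `skips relative path traversal` test would then need its expected output adjusted. As a point of style, the guard mixes POSIX `[ "$version" = ".." ]` with `[[ $version == */* ]]` in one condition while the branch just above already uses `[[ … ]]`; `elif [[ $version == .. || $version == */* ]]; then` is equivalent and consistent. The enclosing `if [ -s "$VERSION_FILE" ]` opens before this hunk (only its `fi` is visible), and the leading indentation of the context lines has been lost in the rendering, so check the patch applies cleanly with `%prep` before relying on it.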
@ -1,3 +1,22 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jul 18 09:35:05 UTC 2022 - Thomas Schraitle <thomas.schraitle@suse.com> - 2.3.2
|
||||||
|
|
||||||
|
- Update to 2.3.2
|
||||||
|
- Add CPython 3.11.0b2 by @saaketp in #2380
|
||||||
|
- Honor CFLAGS_EXTRA for MicroPython #2006 by @yggdr in #2007
|
||||||
|
- Add post-install checks for curses, ctypes, lzma, and tkinter
|
||||||
|
by @aphedges in #2353
|
||||||
|
- Add CPython 3.11.0b3 by @edgarrmondragon in #2382
|
||||||
|
- Add flags for Homebrew into python-config --ldflags by @native-api
|
||||||
|
in #2384
|
||||||
|
- Add CPython 3.10.5 by @illia-v in #2386
|
||||||
|
- Add Anaconda 2019.10, 2021.04, 2022.05; support Anaconda in
|
||||||
|
add_miniconda.py by @native-api in #2385
|
||||||
|
- Add Pyston-2.3.4 by @dand-oss in #2390
|
||||||
|
- Update Anaconda3-2022.05 MacOSX arm64 md5 by @bkbncn in #2391
|
||||||
|
- Fix bsc#1201582 to fix CVE-2022-35861 (from commit 22fa683, file
|
||||||
|
pyenv-CVE-2022-35861.patch)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed May 4 15:43:51 UTC 2022 - Thomas Schraitle <thomas.schraitle@suse.com> - 2.3.0
|
Wed May 4 15:43:51 UTC 2022 - Thomas Schraitle <thomas.schraitle@suse.com> - 2.3.0
|
||||||
|
|
||||||
|
@ -19,13 +19,17 @@
|
|||||||
%define pyenv_dir %{_libexecdir}/pyenv
|
%define pyenv_dir %{_libexecdir}/pyenv
|
||||||
#
|
#
|
||||||
Name: pyenv
|
Name: pyenv
|
||||||
Version: 2.3.0
|
Version: 2.3.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Python Version Management
|
Summary: Python Version Management
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: Development/Languages/Python
|
Group: Development/Languages/Python
|
||||||
URL: https://github.com/pyenv/pyenv
|
URL: https://github.com/pyenv/pyenv
|
||||||
Source: https://github.com/pyenv/pyenv/archive/refs/tags/v%{version}.tar.gz#/pyenv-%{version}.tar.gz
|
Source: https://github.com/pyenv/pyenv/archive/refs/tags/v%{version}.tar.gz#/pyenv-%{version}.tar.gz
|
||||||
|
#
|
||||||
|
# PATCH-FIX-OPENSUSE
|
||||||
|
# https://github.com/pyenv/pyenv/commit/22fa6835.patch
|
||||||
|
Patch0: %{name}-CVE-2022-35861.patch
|
||||||
BuildRequires: bash-completion
|
BuildRequires: bash-completion
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: fish
|
BuildRequires: fish
|
||||||
|
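Review bot: The `# PATCH-FIX-OPENSUSE` tag above `Patch0:` does not match the patch's origin: the comment directly below it points at an upstream commit (`https://github.com/pyenv/pyenv/commit/22fa6835.patch`) and the patch file itself carries upstream's `From 22fa6835…` header, so by the openSUSE patch-tagging convention this should read `# PATCH-FIX-UPSTREAM pyenv-CVE-2022-35861.patch bsc#1201582 CVE-2022-35861 -- skip path-like entries in pyenv-version-file-read`. The `%prep` section is outside this hunk, so it cannot be seen here whether `Patch0` is actually applied (`%autosetup -p1` or an explicit `%patch0 -p1`); a declared-but-unapplied patch would leave the CVE open while the changelog states it is fixed, which is worth confirming before accepting. The file header for this section is not shown on the page; the content (`Name: pyenv`, `Version: 2.3.2`) is presumably the package spec.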