pool/python-jaraco.context
SHA256
19
0
Fork 2
Code Issues Pull Requests Activity

Compare commits

base: pool:slfo-1.2
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main
..
compare: pool:factory
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main

6 Commits
slfo-1.2 ... factory

Author SHA256 Message Date
Ana Guerrero
259e97e60c Accepting request 1328242 from devel:languages:python 
OBS-URL: https://build.opensuse.org/request/show/1328242
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-jaraco.context?expand=0&rev=11
 2026-01-21 13:12:02 +00:00
Markéta Machová
475f78069c - Update to 6.1.0 (fixes CVE-2026-23949, bsc#1256954) 
* In tarfile.context, ensure that the default filter honors the data filter
    to avoid path traversal vulnerabilities.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-jaraco.context?expand=0&rev=24
 2026-01-20 10:33:12 +00:00
Ana Guerrero
cba260527d Accepting request 1307772 from devel:languages:python 
- update to 6.0.1:
  * Removed type declarations as suggested by Gemini.

OBS-URL: https://build.opensuse.org/request/show/1307772
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-jaraco.context?expand=0&rev=10
 2025-09-30 15:35:01 +00:00
Dirk Mueller
156589f4d8 - update to 6.0.1: 
* Removed type declarations as suggested by Gemini.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-jaraco.context?expand=0&rev=22
 2025-09-29 11:52:04 +00:00
Ana Guerrero
b3cf3815b0 Accepting request 1295102 from devel:languages:python 
OBS-URL: https://build.opensuse.org/request/show/1295102
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-jaraco.context?expand=0&rev=9
 2025-07-23 14:32:57 +00:00
Dirk Mueller
9ccf7c7525 - update to 6.0.1 
* Removed type declarations as suggested by Gemini. (#13)
- update to 6.0.0
  * Fixed bug in repo_context where standard output from git would not be
    hidden (because git emits standard output on the stderr stream).
  * Removed deprecated 'tarball_context', 'infer_compression', and 'null' 
    contexts.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-jaraco.context?expand=0&rev=20
 2025-07-22 13:07:33 +00:00
5 changed files with 36 additions and 138 deletions
Expand all files Collapse all files

122
CVE-2026-23949.patch
View File

@@ -1,122 +0,0 @@
From f567f1be4c2cbcb43d54d9417d85c303abac28ca Mon Sep 17 00:00:00 2001
From: "Jason R. Coombs" <jaraco@jaraco.com>
Date: Mon, 12 Jan 2026 20:09:03 -0500
Subject: [PATCH 1/9] Add repro as provided by tsigouris007
---
tests/test_safety.py | 146 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 146 insertions(+)
create mode 100644 tests/test_safety.py
Index: jaraco.context-5.3.0/tests/test_safety.py
===================================================================
--- /dev/null
+++ jaraco.context-5.3.0/tests/test_safety.py
@@ -0,0 +1,72 @@
+import io
+import sys
+import types
+from contextlib import nullcontext as does_not_raise
+
+import pytest
+
+import jaraco.context
+from jaraco.context import tarfile
+
+
+def make_tarball_with(member):
+ tar_data = io.BytesIO()
+ with tarfile.open(fileobj=tar_data, mode='w') as tar:
+ tarinfo = tarfile.TarInfo(name=member.path)
+ content = f'content for {member.path}'
+ bin_content = content.encode('ascii')
+ tarinfo.size = len(bin_content)
+ tar.addfile(tarinfo, io.BytesIO(bin_content))
+
+ tar_data.seek(0)
+ return tar_data
+
+
+cases = [
+ types.SimpleNamespace(
+ path='dummy_dir/legitimate_file.txt',
+ expect=does_not_raise(),
+ ),
+ pytest.param(
+ types.SimpleNamespace(
+ path='dummy_dir/subdir/../legitimate_file.txt',
+ expect=does_not_raise(),
+ ),
+ marks=pytest.mark.skipif(
+ (3, 11) < sys.version_info < (3, 13),
+ reason='Fails with FileExistsError on Python 3.12',
+ ),
+ ),
+ types.SimpleNamespace(
+ path='dummy_dir/../../tmp/pwned_by_zipslip.txt',
+ expect=pytest.raises(tarfile.OutsideDestinationError),
+ ),
+ types.SimpleNamespace(
+ path='dummy_dir/../../../../home/pwned_home.txt',
+ expect=pytest.raises(tarfile.OutsideDestinationError),
+ ),
+ types.SimpleNamespace(
+ path='dummy_dir/../escaped.txt',
+ expect=pytest.raises(tarfile.OutsideDestinationError),
+ ),
+]
+
+
+@pytest.fixture(params=cases)
+def tarfile_case(request):
+ with tarfile.open(fileobj=make_tarball_with(request.param), mode='r') as tf:
+ yield types.SimpleNamespace(
+ tarfile=tf,
+ expect=request.param.expect,
+ )
+
+
+def test_zipslip_exploit(tmp_path, tarfile_case):
+ """
+ Ensure that protections from the default tarfile filter are applied.
+ """
+ (member,) = tarfile_case.tarfile
+ with tarfile_case.expect:
+ tarfile_case.tarfile.extract(
+ member, path=tmp_path, filter=jaraco.context._default_filter
+ )
Index: jaraco.context-5.3.0/jaraco/context.py
===================================================================
--- jaraco.context-5.3.0.orig/jaraco/context.py
+++ jaraco.context-5.3.0/jaraco/context.py
@@ -62,12 +62,19 @@ def tarball(
try:
req = urllib.request.urlopen(url)
with tarfile.open(fileobj=req, mode='r|*') as tf:
- tf.extractall(path=target_dir, filter=strip_first_component)
+ tf.extractall(path=target_dir, filter=_default_filter)
yield target_dir
finally:
shutil.rmtree(target_dir)
+def _compose_tarfile_filters(*filters):
+ def compose_two(f1, f2):
+ return lambda member, path: f1(f2(member, path), path)
+
+ return functools.reduce(compose_two, filters, lambda member, path: member)
+
+
def strip_first_component(
member: tarfile.TarInfo,
path,
@@ -76,6 +83,9 @@ def strip_first_component(
return member
+_default_filter = _compose_tarfile_filters(tarfile.data_filter, strip_first_component)
+
+
def _compose(*cmgrs):
"""
Compose any number of dependent context managers into a single one.

BIN
jaraco.context-5.3.0.tar.gz LFS
View File

Binary file not shown.

3
jaraco_context-6.1.0.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:129a341b0a85a7db7879e22acd66902fda67882db771754574338898b2d5d86f
size 15850

24
python-jaraco.context.changes
View File

@@ -1,7 +1,27 @@
-------------------------------------------------------------------
Tue Jan 20 11:23:53 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
Tue Jan 20 09:52:54 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
- Add CVE-2026-23949.patch to fix CVE-2026-23949 (bsc#1256954)
- Update to 6.1.0 (fixes CVE-2026-23949, bsc#1256954)
* In tarfile.context, ensure that the default filter honors the data filter
to avoid path traversal vulnerabilities.
-------------------------------------------------------------------
Mon Sep 29 11:52:00 UTC 2025 - Dirk Müller <dmueller@suse.com>
- update to 6.0.1:
* Removed type declarations as suggested by Gemini.
-------------------------------------------------------------------
Fri Jul 18 13:57:07 UTC 2025 - Felix Stegmeier <felix.stegmeier@suse.com>
- update to 6.0.1
* Removed type declarations as suggested by Gemini. (#13)
- update to 6.0.0
* Fixed bug in repo_context where standard output from git would not be
hidden (because git emits standard output on the stderr stream).
* Removed deprecated 'tarball_context', 'infer_compression', and 'null'
contexts.
-------------------------------------------------------------------
Tue Apr 1 15:34:31 UTC 2025 - Markéta Machová <mmachova@suse.com>

22
python-jaraco.context.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package python-jaraco.context
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,19 +18,18 @@
%{?sle15_python_module_pythons}
Name: python-jaraco.context
Version: 5.3.0
Version: 6.1.0
Release: 0
Summary: Tools to work with functools
License: MIT
URL: https://github.com/jaraco/jaraco.context
Source0: https://files.pythonhosted.org/packages/source/j/jaraco.context/jaraco.context-%{version}.tar.gz
# PATCH-FIX-UPSTREAM CVE-2026-23949.patch bsc#1256954 gh#jaraco/jaraco.context#7b26a42
Patch0: CVE-2026-23949.patch
Source0: https://files.pythonhosted.org/packages/source/j/jaraco.context/jaraco_context-%{version}.tar.gz
BuildRequires: %{python_module backports.tarfile}
BuildRequires: %{python_module pip}
BuildRequires: %{python_module portend}
BuildRequires: %{python_module pytest}
BuildRequires: %{python_module pytest >= 6}
BuildRequires: %{python_module setuptools_scm}
BuildRequires: %{python_module setuptools}
BuildRequires: %{python_module toml}
BuildRequires: %{python_module wheel}
BuildRequires: fdupes
@@ -44,7 +43,7 @@ jaraco.functools Tools for working with functools.
Additional functools in the spirit of stdlibs functools.
%prep
%autosetup -p1 -n jaraco.context-%{version}
%autosetup -p1 -n jaraco_context-%{version}
%build
%pyproject_wheel
@@ -54,15 +53,16 @@ Additional functools in the spirit of stdlibs functools.
%python_expand %fdupes %{buildroot}%{$python_sitelib}
%check
%pytest
%pytest -k "not repo_context"
%files %{python_files}
%license LICENSE
%doc docs/*.rst README.rst NEWS.rst
%{python_sitelib}/jaraco[_.]context-%{version}.dist-info
%dir %{python_sitelib}/jaraco
%{python_sitelib}/jaraco/context.py*
%dir %{python_sitelib}/jaraco/__pycache__
%pycache_only %{python_sitelib}/jaraco/__pycache__/context*.py*
%dir %{python_sitelib}/jaraco/context
%{python_sitelib}/jaraco/context/*
%dir %{python_sitelib}/jaraco/context/__pycache__
%pycache_only %{python_sitelib}/jaraco/context/__pycache__/*
%changelog