Compare commits
5 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| 8f30b68ab8 | |||
| 8182cc565d | |||
| 32df8c936e | |||
| ec924cc997 | |||
| 96cd42eeb4 |
@@ -1,122 +0,0 @@
|
||||
From f567f1be4c2cbcb43d54d9417d85c303abac28ca Mon Sep 17 00:00:00 2001
|
||||
From: "Jason R. Coombs" <jaraco@jaraco.com>
|
||||
Date: Mon, 12 Jan 2026 20:09:03 -0500
|
||||
Subject: [PATCH 1/9] Add repro as provided by tsigouris007
|
||||
|
||||
---
|
||||
tests/test_safety.py | 146 +++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 146 insertions(+)
|
||||
create mode 100644 tests/test_safety.py
|
||||
|
||||
Index: jaraco.context-5.3.0/tests/test_safety.py
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ jaraco.context-5.3.0/tests/test_safety.py
|
||||
@@ -0,0 +1,72 @@
|
||||
+import io
|
||||
+import sys
|
||||
+import types
|
||||
+from contextlib import nullcontext as does_not_raise
|
||||
+
|
||||
+import pytest
|
||||
+
|
||||
+import jaraco.context
|
||||
+from jaraco.context import tarfile
|
||||
+
|
||||
+
|
||||
+def make_tarball_with(member):
|
||||
+ tar_data = io.BytesIO()
|
||||
+ with tarfile.open(fileobj=tar_data, mode='w') as tar:
|
||||
+ tarinfo = tarfile.TarInfo(name=member.path)
|
||||
+ content = f'content for {member.path}'
|
||||
+ bin_content = content.encode('ascii')
|
||||
+ tarinfo.size = len(bin_content)
|
||||
+ tar.addfile(tarinfo, io.BytesIO(bin_content))
|
||||
+
|
||||
+ tar_data.seek(0)
|
||||
+ return tar_data
|
||||
+
|
||||
+
|
||||
+cases = [
|
||||
+ types.SimpleNamespace(
|
||||
+ path='dummy_dir/legitimate_file.txt',
|
||||
+ expect=does_not_raise(),
|
||||
+ ),
|
||||
+ pytest.param(
|
||||
+ types.SimpleNamespace(
|
||||
+ path='dummy_dir/subdir/../legitimate_file.txt',
|
||||
+ expect=does_not_raise(),
|
||||
+ ),
|
||||
+ marks=pytest.mark.skipif(
|
||||
+ (3, 11) < sys.version_info < (3, 13),
|
||||
+ reason='Fails with FileExistsError on Python 3.12',
|
||||
+ ),
|
||||
+ ),
|
||||
+ types.SimpleNamespace(
|
||||
+ path='dummy_dir/../../tmp/pwned_by_zipslip.txt',
|
||||
+ expect=pytest.raises(tarfile.OutsideDestinationError),
|
||||
+ ),
|
||||
+ types.SimpleNamespace(
|
||||
+ path='dummy_dir/../../../../home/pwned_home.txt',
|
||||
+ expect=pytest.raises(tarfile.OutsideDestinationError),
|
||||
+ ),
|
||||
+ types.SimpleNamespace(
|
||||
+ path='dummy_dir/../escaped.txt',
|
||||
+ expect=pytest.raises(tarfile.OutsideDestinationError),
|
||||
+ ),
|
||||
+]
|
||||
+
|
||||
+
|
||||
+@pytest.fixture(params=cases)
|
||||
+def tarfile_case(request):
|
||||
+ with tarfile.open(fileobj=make_tarball_with(request.param), mode='r') as tf:
|
||||
+ yield types.SimpleNamespace(
|
||||
+ tarfile=tf,
|
||||
+ expect=request.param.expect,
|
||||
+ )
|
||||
+
|
||||
+
|
||||
+def test_zipslip_exploit(tmp_path, tarfile_case):
|
||||
+ """
|
||||
+ Ensure that protections from the default tarfile filter are applied.
|
||||
+ """
|
||||
+ (member,) = tarfile_case.tarfile
|
||||
+ with tarfile_case.expect:
|
||||
+ tarfile_case.tarfile.extract(
|
||||
+ member, path=tmp_path, filter=jaraco.context._default_filter
|
||||
+ )
|
||||
Index: jaraco.context-5.3.0/jaraco/context.py
|
||||
===================================================================
|
||||
--- jaraco.context-5.3.0.orig/jaraco/context.py
|
||||
+++ jaraco.context-5.3.0/jaraco/context.py
|
||||
@@ -62,12 +62,19 @@ def tarball(
|
||||
try:
|
||||
req = urllib.request.urlopen(url)
|
||||
with tarfile.open(fileobj=req, mode='r|*') as tf:
|
||||
- tf.extractall(path=target_dir, filter=strip_first_component)
|
||||
+ tf.extractall(path=target_dir, filter=_default_filter)
|
||||
yield target_dir
|
||||
finally:
|
||||
shutil.rmtree(target_dir)
|
||||
|
||||
|
||||
+def _compose_tarfile_filters(*filters):
|
||||
+ def compose_two(f1, f2):
|
||||
+ return lambda member, path: f1(f2(member, path), path)
|
||||
+
|
||||
+ return functools.reduce(compose_two, filters, lambda member, path: member)
|
||||
+
|
||||
+
|
||||
def strip_first_component(
|
||||
member: tarfile.TarInfo,
|
||||
path,
|
||||
@@ -76,6 +83,9 @@ def strip_first_component(
|
||||
return member
|
||||
|
||||
|
||||
+_default_filter = _compose_tarfile_filters(tarfile.data_filter, strip_first_component)
|
||||
+
|
||||
+
|
||||
def _compose(*cmgrs):
|
||||
"""
|
||||
Compose any number of dependent context managers into a single one.
|
||||
BIN
jaraco.context-5.3.0.tar.gz
LFS
BIN
jaraco.context-5.3.0.tar.gz
LFS
Binary file not shown.
3
jaraco_context-6.0.0.tar.gz
Normal file
3
jaraco_context-6.0.0.tar.gz
Normal file
@@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1a344d9c6b07027883b600aa70c9fd53bff0423ce65a5454dda819e36a133867
|
||||
size 14118
|
||||
@@ -1,7 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 20 11:23:53 UTC 2026 - Nico Krapp <nico.krapp@suse.com>
|
||||
Fri Jul 18 13:57:07 UTC 2025 - Felix Stegmeier <felix.stegmeier@suse.com>
|
||||
|
||||
- Add CVE-2026-23949.patch to fix CVE-2026-23949 (bsc#1256954)
|
||||
- update to 6.0.1
|
||||
* Removed type declarations as suggested by Gemini. (#13)
|
||||
|
||||
- update to 6.0.0
|
||||
* Fixed bug in repo_context where standard output from git would not be
|
||||
hidden (because git emits standard output on the stderr stream).
|
||||
* Removed deprecated 'tarball_context', 'infer_compression', and 'null'
|
||||
contexts.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 1 15:34:31 UTC 2025 - Markéta Machová <mmachova@suse.com>
|
||||
|
||||
@@ -18,19 +18,18 @@
|
||||
|
||||
%{?sle15_python_module_pythons}
|
||||
Name: python-jaraco.context
|
||||
Version: 5.3.0
|
||||
Version: 6.0.0
|
||||
Release: 0
|
||||
Summary: Tools to work with functools
|
||||
License: MIT
|
||||
URL: https://github.com/jaraco/jaraco.context
|
||||
Source0: https://files.pythonhosted.org/packages/source/j/jaraco.context/jaraco.context-%{version}.tar.gz
|
||||
# PATCH-FIX-UPSTREAM CVE-2026-23949.patch bsc#1256954 gh#jaraco/jaraco.context#7b26a42
|
||||
Patch0: CVE-2026-23949.patch
|
||||
Source0: https://files.pythonhosted.org/packages/source/j/jaraco.context/jaraco_context-%{version}.tar.gz
|
||||
BuildRequires: %{python_module backports.tarfile}
|
||||
BuildRequires: %{python_module pip}
|
||||
BuildRequires: %{python_module portend}
|
||||
BuildRequires: %{python_module pytest}
|
||||
BuildRequires: %{python_module pytest >= 6}
|
||||
BuildRequires: %{python_module setuptools_scm}
|
||||
BuildRequires: %{python_module setuptools}
|
||||
BuildRequires: %{python_module toml}
|
||||
BuildRequires: %{python_module wheel}
|
||||
BuildRequires: fdupes
|
||||
@@ -44,7 +43,7 @@ jaraco.functools Tools for working with functools.
|
||||
Additional functools in the spirit of stdlib’s functools.
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n jaraco.context-%{version}
|
||||
%autosetup -p1 -n jaraco_context-%{version}
|
||||
|
||||
%build
|
||||
%pyproject_wheel
|
||||
@@ -54,15 +53,16 @@ Additional functools in the spirit of stdlib’s functools.
|
||||
%python_expand %fdupes %{buildroot}%{$python_sitelib}
|
||||
|
||||
%check
|
||||
%pytest
|
||||
%pytest -k "not repo_context"
|
||||
|
||||
%files %{python_files}
|
||||
%license LICENSE
|
||||
%doc docs/*.rst README.rst NEWS.rst
|
||||
%{python_sitelib}/jaraco[_.]context-%{version}.dist-info
|
||||
%dir %{python_sitelib}/jaraco
|
||||
%{python_sitelib}/jaraco/context.py*
|
||||
%dir %{python_sitelib}/jaraco/__pycache__
|
||||
%pycache_only %{python_sitelib}/jaraco/__pycache__/context*.py*
|
||||
%dir %{python_sitelib}/jaraco/context
|
||||
%{python_sitelib}/jaraco/context/*
|
||||
%dir %{python_sitelib}/jaraco/context/__pycache__
|
||||
%pycache_only %{python_sitelib}/jaraco/context/__pycache__/*
|
||||
|
||||
%changelog
|
||||
|
||||
Reference in New Issue
Block a user