Accepting request 1235049 from security

- Fixes GHSA-4fg7-vxc8-qx5w - Update to version 0.11.1+0: * Fixed a security vulnerability that could allow an attacker to execute an arbitrary binary under certain conditions. Plugin names are now required to only contain alphanumeric characters or the four special characters +-._. * Replace the test `NoCallbacks` with the library version * Restrict set of valid characters for plugin names * Add tests for invalid plugin name chars Fixed: OBS-URL: https://build.opensuse.org/request/show/1235049 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rage-encryption?expand=0&rev=20
2025-01-07 19:51:25 +00:00 · 2025-01-07 19:51:25 +00:00 · 47ead6f81b
commit 47ead6f81b
parent d28ec3bef5 a817f0b2f2
7 changed files with 22 additions and 9 deletions
--- a/2
+++ b/2
@ -3,7 +3,7 @@
    <param name="url">https://github.com/str4d/rage.git</param>
    <param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
    <param name="scm">git</param>
-    <param name="revision">v0.11.0</param>
+    <param name="revision">v0.11.1</param>
    <param name="match-tag">*</param>
    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
    <param name="versionrewrite-replacement">\1</param>
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/str4d/rage.git</param>
-              <param name="changesrevision">17446612f865c705e44fe392d9d41dd102fed137</param></service></servicedata>
+              <param name="changesrevision">07808823074013acab5417de9d6ad176133312c6</param></service></servicedata>
--- a/rage-0.11.0+0.tar.gz
+++ b/rage-0.11.0+0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e5896b280a872d407b6bdd50dbc3324421a08177d094565e1a58ac5c603073b1
-size 1664647
--- a/rage-0.11.1+0.tar.gz
+++ b/rage-0.11.1+0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c393108b925c50b7e819f3af64025d054a4de0eb8d4dbb89ac4b734c2837cd2c
+size 1666088
--- a/rage-encryption.changes
+++ b/rage-encryption.changes
@ -1,10 +1,23 @@
+-------------------------------------------------------------------
+Fri Dec 20 06:39:30 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
+
+- Fixes GHSA-4fg7-vxc8-qx5w
+- Update to version 0.11.1+0:
+  * Fixed a security vulnerability that could allow an attacker to
+    execute an arbitrary binary under certain conditions. Plugin
+    names are now required to only contain alphanumeric characters
+    or the four special characters +-._.
+  * Replace the test `NoCallbacks` with the library version
+  * Restrict set of valid characters for plugin names
+  * Add tests for invalid plugin name chars
+
 -------------------------------------------------------------------
 Sun Nov  3 19:04:23 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>

 - Update to 0.11.0+0:
  Added:
  * Partial French translation!
-Fixed:
+  Fixed:
  * [Unix] Files can now be encrypted with rage --passphrase when
    piped over stdin, without requiring an explicit - argument as
    INPUT.
--- a/rage-encryption.spec
+++ b/rage-encryption.spec
@ -20,7 +20,7 @@

 Name:           rage-encryption
 #               This will be set by osc services, that will run after this.
-Version:        0.11.0+0
+Version:        0.11.1+0
 Release:        0
 Summary:        X25519-based, simple, modern, and secure file encryption tool
 #               If you know the license, put it's SPDX string here.
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e159f7c24abc8e3525da96ff31290b404434241f9a6321db162bdb3086fdfd72
-size 28348059
+oid sha256:3434e8d3ecef00bac49d9e1b5ac35150ee0aae65fb35071c988195c4139fb76d
+size 28376778