Accepting request 989841 from home:thomas-schraitle:branches:devel:languages:python

- Update to 2.3.2 - Add CPython 3.11.0b2 by @saaketp in #2380 - Honor CFLAGS_EXTRA for MicroPython #2006 by @yggdr in #2007 - Add post-install checks for curses, ctypes, lzma, and tkinter by @aphedges in #2353 - Add CPython 3.11.0b3 by @edgarrmondragon in #2382 - Add flags for Homebrew into python-config --ldflags by @native-api in #2384 - Add CPython 3.10.5 by @illia-v in #2386 - Add Anaconda 2019.10, 2021.04, 2022.05; support Anaconda in add_miniconda.py by @native-api in #2385 - Add Pyston-2.3.4 by @dand-oss in #2390 - Update Anaconda3-2022.05 MacOSX arm64 md5 by @bkbncn in #2391 - Fix bsc#1201582 to fix CVE-2022-35861 (from commit 22fa683, file pyenv-CVE-2022-35861.patch) OBS-URL: https://build.opensuse.org/request/show/989841 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/pyenv?expand=0&rev=33
2022-07-18 11:37:49 +00:00 · 2022-07-18 11:37:49 +00:00 · d49e23cb79
commit d49e23cb79
parent 950b76e0a9
5 changed files with 85 additions and 4 deletions
--- a/pyenv-2.3.0.tar.gz
+++ b/pyenv-2.3.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:57a0676ddbd32f5d99265d5bf297912652af5a484afba55b977c85450545f47b
-size 708346
--- a/pyenv-2.3.2.tar.gz
+++ b/pyenv-2.3.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:150ac8f7161c00e8e613bf5e273306f674b60037e3dace9c6bb7611dceb17144
+size 713692
--- a/pyenv-CVE-2022-35861.patch
+++ b/pyenv-CVE-2022-35861.patch
@ -0,0 +1,58 @@
+From 22fa683571d98b59ea16e5fe48ac411c67939653 Mon Sep 17 00:00:00 2001
+From: James Stronz <j.a.stronz@gmail.com>
+Date: Sat, 16 Jul 2022 15:01:04 -0700
+Subject: [PATCH] CVE-2022-35861: Fixed relative path traversal due to using
+ version string in path (#2412)
+
+---
+ libexec/pyenv-version-file-read | 13 ++++++++++---
+ test/version-file-read.bats     | 12 ++++++++++++
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/libexec/pyenv-version-file-read b/libexec/pyenv-version-file-read
+index 5dcc40fc..faaf1596 100755
+--- a/libexec/pyenv-version-file-read
+++ b/libexec/pyenv-version-file-read
+@@ -11,9 +11,16 @@ if [ -s "$VERSION_FILE" ]; then
+   IFS="${IFS}"$'\r'
+   sep=
+   while read -n 1024 -r version _ || [[ $version ]]; do
+-      [[ -z $version || $version == \#* ]] && continue
+-      printf "%s%s" "$sep" "$version"
+-      sep=:
+    if [[ -z $version || $version == \#* ]]; then
+      # Skip empty lines and comments
+      continue
+    elif [ "$version" = ".." ] || [[ $version == */* ]]; then
+      # The version string is used to construct a path and we skip dubious values.
+      # This prevents issues such as path traversal (CVE-2022-35861).
+      continue
+    fi
+    printf "%s%s" "$sep" "$version"
+    sep=:
+   done <"$VERSION_FILE"
+   [[ $sep ]] && { echo; exit; }
+ fi
+diff --git a/test/version-file-read.bats b/test/version-file-read.bats
+index a7b184de..18cfe131 100644
+--- a/test/version-file-read.bats
+++ b/test/version-file-read.bats
+@@ -82,3 +82,15 @@ IN
+   run pyenv-version-file-read my-version
+   assert_success "3.9.3:3.8.9:2.7.16"
+ }
+
+@test "skips relative path traversal" {
+  cat > my-version <<IN
+3.9.3
+3.8.9
+  ..
+./*
+2.7.16
+IN
+  run pyenv-version-file-read my-version
+  assert_success "3.9.3:3.8.9:2.7.16"
+}
+-- 
+2.35.3
+
--- a/pyenv.changes
+++ b/pyenv.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Jul 18 09:35:05 UTC 2022 - Thomas Schraitle <thomas.schraitle@suse.com> - 2.3.2
+
+- Update to 2.3.2
+  - Add CPython 3.11.0b2 by @saaketp in #2380
+  - Honor CFLAGS_EXTRA for MicroPython #2006 by @yggdr in #2007
+  - Add post-install checks for curses, ctypes, lzma, and tkinter
+    by @aphedges in #2353
+  - Add CPython 3.11.0b3 by @edgarrmondragon in #2382
+  - Add flags for Homebrew into python-config --ldflags by @native-api
+    in #2384
+  - Add CPython 3.10.5 by @illia-v in #2386
+  - Add Anaconda 2019.10, 2021.04, 2022.05; support Anaconda in
+    add_miniconda.py by @native-api in #2385
+  - Add Pyston-2.3.4 by @dand-oss in #2390
+  - Update Anaconda3-2022.05 MacOSX arm64 md5 by @bkbncn in #2391
+- Fix bsc#1201582 to fix CVE-2022-35861 (from commit 22fa683, file
+  pyenv-CVE-2022-35861.patch)
+
 -------------------------------------------------------------------
 Wed May  4 15:43:51 UTC 2022 - Thomas Schraitle <thomas.schraitle@suse.com> - 2.3.0

--- a/pyenv.spec
+++ b/pyenv.spec
@ -19,13 +19,17 @@
 %define pyenv_dir      %{_libexecdir}/pyenv
 #
 Name:           pyenv
-Version:        2.3.0
+Version:        2.3.2
 Release:        0
 Summary:        Python Version Management
 License:        MIT
 Group:          Development/Languages/Python
 URL:            https://github.com/pyenv/pyenv
 Source:         https://github.com/pyenv/pyenv/archive/refs/tags/v%{version}.tar.gz#/pyenv-%{version}.tar.gz
+#
+# PATCH-FIX-OPENSUSE
+# https://github.com/pyenv/pyenv/commit/22fa6835.patch
+Patch0:         %{name}-CVE-2022-35861.patch
 BuildRequires:  bash-completion
 BuildRequires:  fdupes
 BuildRequires:  fish