diff --git a/pyenv-2.3.0.tar.gz b/pyenv-2.3.0.tar.gz deleted file mode 100644 index 86d4882..0000000 --- a/pyenv-2.3.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:57a0676ddbd32f5d99265d5bf297912652af5a484afba55b977c85450545f47b -size 708346 diff --git a/pyenv-2.3.2.tar.gz b/pyenv-2.3.2.tar.gz new file mode 100644 index 0000000..59cdf2d --- /dev/null +++ b/pyenv-2.3.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:150ac8f7161c00e8e613bf5e273306f674b60037e3dace9c6bb7611dceb17144 +size 713692 diff --git a/pyenv-CVE-2022-35861.patch b/pyenv-CVE-2022-35861.patch new file mode 100644 index 0000000..3f35b8d --- /dev/null +++ b/pyenv-CVE-2022-35861.patch @@ -0,0 +1,58 @@ +From 22fa683571d98b59ea16e5fe48ac411c67939653 Mon Sep 17 00:00:00 2001 +From: James Stronz +Date: Sat, 16 Jul 2022 15:01:04 -0700 +Subject: [PATCH] CVE-2022-35861: Fixed relative path traversal due to using + version string in path (#2412) + +--- + libexec/pyenv-version-file-read | 13 ++++++++++--- + test/version-file-read.bats | 12 ++++++++++++ + 2 files changed, 22 insertions(+), 3 deletions(-) + +diff --git a/libexec/pyenv-version-file-read b/libexec/pyenv-version-file-read +index 5dcc40fc..faaf1596 100755 +--- a/libexec/pyenv-version-file-read ++++ b/libexec/pyenv-version-file-read +@@ -11,9 +11,16 @@ if [ -s "$VERSION_FILE" ]; then + IFS="${IFS}"$'\r' + sep= + while read -n 1024 -r version _ || [[ $version ]]; do +- [[ -z $version || $version == \#* ]] && continue +- printf "%s%s" "$sep" "$version" +- sep=: ++ if [[ -z $version || $version == \#* ]]; then ++ # Skip empty lines and comments ++ continue ++ elif [ "$version" = ".." ] || [[ $version == */* ]]; then ++ # The version string is used to construct a path and we skip dubious values. ++ # This prevents issues such as path traversal (CVE-2022-35861). ++ continue ++ fi ++ printf "%s%s" "$sep" "$version" ++ sep=: + done <"$VERSION_FILE" + [[ $sep ]] && { echo; exit; } + fi +diff --git a/test/version-file-read.bats b/test/version-file-read.bats +index a7b184de..18cfe131 100644 +--- a/test/version-file-read.bats ++++ b/test/version-file-read.bats +@@ -82,3 +82,15 @@ IN + run pyenv-version-file-read my-version + assert_success "3.9.3:3.8.9:2.7.16" + } ++ ++@test "skips relative path traversal" { ++ cat > my-version < - 2.3.2 + +- Update to 2.3.2 + - Add CPython 3.11.0b2 by @saaketp in #2380 + - Honor CFLAGS_EXTRA for MicroPython #2006 by @yggdr in #2007 + - Add post-install checks for curses, ctypes, lzma, and tkinter + by @aphedges in #2353 + - Add CPython 3.11.0b3 by @edgarrmondragon in #2382 + - Add flags for Homebrew into python-config --ldflags by @native-api + in #2384 + - Add CPython 3.10.5 by @illia-v in #2386 + - Add Anaconda 2019.10, 2021.04, 2022.05; support Anaconda in + add_miniconda.py by @native-api in #2385 + - Add Pyston-2.3.4 by @dand-oss in #2390 + - Update Anaconda3-2022.05 MacOSX arm64 md5 by @bkbncn in #2391 +- Fix bsc#1201582 to fix CVE-2022-35861 (from commit 22fa683, file + pyenv-CVE-2022-35861.patch) + ------------------------------------------------------------------- Wed May 4 15:43:51 UTC 2022 - Thomas Schraitle - 2.3.0 diff --git a/pyenv.spec b/pyenv.spec index 440c31d..5882678 100644 --- a/pyenv.spec +++ b/pyenv.spec @@ -19,13 +19,17 @@ %define pyenv_dir %{_libexecdir}/pyenv # Name: pyenv -Version: 2.3.0 +Version: 2.3.2 Release: 0 Summary: Python Version Management License: MIT Group: Development/Languages/Python URL: https://github.com/pyenv/pyenv Source: https://github.com/pyenv/pyenv/archive/refs/tags/v%{version}.tar.gz#/pyenv-%{version}.tar.gz +# +# PATCH-FIX-OPENSUSE +# https://github.com/pyenv/pyenv/commit/22fa6835.patch +Patch0: %{name}-CVE-2022-35861.patch BuildRequires: bash-completion BuildRequires: fdupes BuildRequires: fish