Accepting request 1007812 from devel:languages:python

OBS-URL: https://build.opensuse.org/request/show/1007812 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pyenv?expand=0&rev=15
2022-10-04 18:37:57 +00:00 · 2022-10-04 18:37:57 +00:00 · e00255ab8d
commit e00255ab8d
parent 4413795d73 102795b500
5 changed files with 46 additions and 66 deletions
--- a/pyenv-2.3.2.tar.gz
+++ b/pyenv-2.3.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:150ac8f7161c00e8e613bf5e273306f674b60037e3dace9c6bb7611dceb17144
-size 713692
--- a/pyenv-2.3.4.tar.gz
+++ b/pyenv-2.3.4.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e223c0c6a53a87eba2536268ef417af645fa08b983d4345e6e00795bd8b5ef31
+size 715055
--- a/pyenv-CVE-2022-35861.patch
+++ b/pyenv-CVE-2022-35861.patch
@ -1,58 +0,0 @@
-From 22fa683571d98b59ea16e5fe48ac411c67939653 Mon Sep 17 00:00:00 2001
-From: James Stronz <j.a.stronz@gmail.com>
-Date: Sat, 16 Jul 2022 15:01:04 -0700
-Subject: [PATCH] CVE-2022-35861: Fixed relative path traversal due to using
- version string in path (#2412)
-
---
- libexec/pyenv-version-file-read | 13 ++++++++++---
- test/version-file-read.bats     | 12 ++++++++++++
- 2 files changed, 22 insertions(+), 3 deletions(-)
-
-diff --git a/libexec/pyenv-version-file-read b/libexec/pyenv-version-file-read
-index 5dcc40fc..faaf1596 100755
--- a/libexec/pyenv-version-file-read
-+++ b/libexec/pyenv-version-file-read
-@@ -11,9 +11,16 @@ if [ -s "$VERSION_FILE" ]; then
-   IFS="${IFS}"$'\r'
-   sep=
-   while read -n 1024 -r version _ || [[ $version ]]; do
-      [[ -z $version || $version == \#* ]] && continue
-      printf "%s%s" "$sep" "$version"
-      sep=:
-+    if [[ -z $version || $version == \#* ]]; then
-+      # Skip empty lines and comments
-+      continue
-+    elif [ "$version" = ".." ] || [[ $version == */* ]]; then
-+      # The version string is used to construct a path and we skip dubious values.
-+      # This prevents issues such as path traversal (CVE-2022-35861).
-+      continue
-+    fi
-+    printf "%s%s" "$sep" "$version"
-+    sep=:
-   done <"$VERSION_FILE"
-   [[ $sep ]] && { echo; exit; }
- fi
-diff --git a/test/version-file-read.bats b/test/version-file-read.bats
-index a7b184de..18cfe131 100644
--- a/test/version-file-read.bats
-+++ b/test/version-file-read.bats
-@@ -82,3 +82,15 @@ IN
-   run pyenv-version-file-read my-version
-   assert_success "3.9.3:3.8.9:2.7.16"
- }
-+
-+@test "skips relative path traversal" {
-+  cat > my-version <<IN
-+3.9.3
-+3.8.9
-+  ..
-+./*
-+2.7.16
-+IN
-+  run pyenv-version-file-read my-version
-+  assert_success "3.9.3:3.8.9:2.7.16"
-+}
-- 
-2.35.3
-
--- a/pyenv.changes
+++ b/pyenv.changes
@ -1,3 +1,45 @@
+-------------------------------------------------------------------
+Mon Oct  3 14:51:43 UTC 2022 - Thomas Schraitle <thomas.schraitle@suse.com> - 2.3.4
+
+- Changes in spec file
+  Remove patch pyenv-CVE-2022-35861.patch as this was already
+  integrated in 2.3.3
+  See PR pyenv/pyenv#2412
+
+- Update to 2.3.4
+  - Add CPython 3.11.0rc1 by @edgarrmondragon in #2434
+  - Add support for multiple versions in pyenv uninstall
+    by @hardikpnsp in #2432
+  - Add micropython 1.18 and 1.19.1 by @dmitriy-serdyuk in #2443
+  - CI: support Micropython, deleted scripts; build with -v
+    by @native-api in #2447
+  - Re-allow paths in .python-version while still preventing CVE-2022-35861
+    by @comrumino in #2442
+  - CI: Bump OS versions by @native-api in #2448
+  - Add Cinder 3.8 by @filips123 in #2433
+  - Add support for multiple versions in pyenv uninstall in #2432
+  - Add micropython 1.18 and 1.19.1 in #2443
+  - Add Cinder 3.8 in #2433
+
+- Changes in 2.3.3
+  - Use version sort in pyenv versions by @fofoni in #2405
+  - Add CPython 3.11.0b4 by @majorgreys in #2411
+  - Python-build: Replace deprecated git protocol use with https in docs
+    by @ssbarnea in #2413
+  - Fix relative path traversal due to using version string in path
+    by @comrumino in #2412
+  - Allow pypy2 and pypy3 patching by @brogon in #2421, #2419
+  - Add CPython 3.11.0b5 by @edgarrmondragon in #2420
+  - Add GraalPython 22.2.0 by @msimacek in #2425
+  - Add CPython 3.10.6 by @edgarrmondragon in #2428
+  - Add CPython 3.11.0b4 by @majorgreys in #2411
+  - Replace deprecated git protocol use with https
+    by @ssbarnea in docs #2413
+  - Fix relative path traversal due to using version string in path
+    by @comrumino in #2412
+  - Fix patterns for pypy2.*/pypy3.* versions by @brogon in #2419
+
+
 -------------------------------------------------------------------
 Mon Oct  3 09:12:20 UTC 2022 - Thomas Schraitle <thomas.schraitle@suse.com> - 2.3.2

@ -5,7 +47,6 @@ Mon Oct  3 09:12:20 UTC 2022 - Thomas Schraitle <thomas.schraitle@suse.com> - 2.
  Don't buildrequire Sphinx. This dependency pulls other dependencies
  which makes it impossible to build for Python 3.6 (and openSUSE Leap 15.4).

-
 -------------------------------------------------------------------
 Mon Jul 18 09:35:05 UTC 2022 - Thomas Schraitle <thomas.schraitle@suse.com> - 2.3.2

--- a/pyenv.spec
+++ b/pyenv.spec
@ -19,7 +19,7 @@
 %define pyenv_dir      %{_libexecdir}/pyenv
 #
 Name:           pyenv
-Version:        2.3.2
+Version:        2.3.4
 Release:        0
 Summary:        Python Version Management
 License:        MIT
@ -27,9 +27,6 @@ Group:          Development/Languages/Python
 URL:            https://github.com/pyenv/pyenv
 Source:         https://github.com/pyenv/pyenv/archive/refs/tags/v%{version}.tar.gz#/pyenv-%{version}.tar.gz
 #
-# PATCH-FIX-OPENSUSE
-# https://github.com/pyenv/pyenv/commit/22fa6835.patch
-Patch0:         %{name}-CVE-2022-35861.patch
 BuildRequires:  bash-completion
 BuildRequires:  fdupes
 BuildRequires:  fish