Hello community,
here is the log from the commit of package osc for openSUSE:Factory checked in at 2015-03-16 07:00:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/osc (Old)
and /work/SRC/openSUSE:Factory/.osc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "osc"
Changes:
--------
--- /work/SRC/openSUSE:Factory/osc/osc.changes 2015-01-14 11:46:03.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.osc.new/osc.changes 2015-03-16 07:00:47.000000000 +0100
@@ -1,0 +2,9 @@
+Thu Mar 12 09:36:27 UTC 2015 - adrian@suse.de
+
+- 0.151.0
+ - fixed shell command injection via crafted _service files CVE-2015-0778 boo#901643
+ - fix times when data comes from OBS backend
+ - support updateing the link in target package for submit requests
+ - various minor bugfixes
+
+-------------------------------------------------------------------
Old:
----
osc-0.150.1.tar.gz
New:
----
osc-0.151.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ osc.spec ++++++
--- /var/tmp/diff_new_pack.QLoCZt/_old 2015-03-16 07:00:48.000000000 +0100
+++ /var/tmp/diff_new_pack.QLoCZt/_new 2015-03-16 07:00:48.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package osc
#
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: osc
-Version: 0.150.1
+Version: 0.151.0
Release: 0
Summary: openSUSE Build Service Commander
License: GPL-2.0+
++++++ PKGBUILD ++++++
--- /var/tmp/diff_new_pack.QLoCZt/_old 2015-03-16 07:00:48.000000000 +0100
+++ /var/tmp/diff_new_pack.QLoCZt/_new 2015-03-16 07:00:48.000000000 +0100
@@ -1,5 +1,5 @@
pkgname=osc
-pkgver=0.150.1
+pkgver=0.151.0
pkgrel=0
pkgdesc="Open Build Service client"
arch=('i686' 'x86_64')
@@ -8,7 +8,7 @@
groups=('base-devel')
depends=('python2' 'python2-m2crypto' 'urlgrabber')
source=(osc-${pkgver}.tar.gz)
-md5sums=('24a5313d364d46a1a03c443c50bfbc2b')
+md5sums=('877b9e4fc2c55b8950d3e642241ff6aa')
package() {
msg "Installing osc ..."
++++++ _service ++++++
--- /var/tmp/diff_new_pack.QLoCZt/_old 2015-03-16 07:00:48.000000000 +0100
+++ /var/tmp/diff_new_pack.QLoCZt/_new 2015-03-16 07:00:48.000000000 +0100
@@ -1,7 +1,7 @@
<services>
<service name="tar_scm" mode="disabled">
- <param name="version">0.150.1</param>
- <param name="revision">0.150</param>
+ <param name="version">0.151.0</param>
+ <param name="revision">0.151.0</param>
<param name="url">git://github.com/openSUSE/osc.git</param>
<param name="scm">git</param>
</service>
++++++ debian.changelog ++++++
--- /var/tmp/diff_new_pack.QLoCZt/_old 2015-03-16 07:00:48.000000000 +0100
+++ /var/tmp/diff_new_pack.QLoCZt/_new 2015-03-16 07:00:48.000000000 +0100
@@ -1,4 +1,4 @@
-osc (0.150.1) unstable; urgency=low
+osc (0.151.0) unstable; urgency=low
- Update to 0.135.0
-- Adrian Schroeter Wed, 28 Jun 2012 10:00:00 +0200
++++++ osc-0.150.1.tar.gz -> osc-0.151.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osc-0.150.1/NEWS new/osc-0.151.0/NEWS
--- old/osc-0.150.1/NEWS 2015-01-13 16:53:00.000000000 +0100
+++ new/osc-0.151.0/NEWS 2015-03-12 19:50:41.000000000 +0100
@@ -1,3 +1,9 @@
+0.151
+ - fixed shell command injection via crafted _service files (CVE-2015-0778)
+ - fix times when data comes from OBS backend
+ - support updateing the link in target package for submit requests
+ - various minor bugfixes
+
0.150
- support local builds using builenv (for same build environment as a former build)
- add "osc api --edit" option to be able to edit some meta files directly
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osc-0.150.1/osc/commandline.py new/osc-0.151.0/osc/commandline.py
--- old/osc-0.150.1/osc/commandline.py 2015-01-13 16:53:00.000000000 +0100
+++ new/osc-0.151.0/osc/commandline.py 2015-03-12 19:50:41.000000000 +0100
@@ -47,7 +47,7 @@
* http://en.opensuse.org/openSUSE:Build_Service_Tutorial
* http://en.opensuse.org/openSUSE:OSC
.PP
-You can modify osc commands, or roll you own, via the plugin API:
+You can modify osc commands, or roll your own, via the plugin API:
* http://en.opensuse.org/openSUSE:OSC_plugins
.SH AUTHOR
osc was written by several authors. This man page is automatically generated.
@@ -67,7 +67,7 @@
* http://en.opensuse.org/openSUSE:Build_Service_Tutorial
* http://en.opensuse.org/openSUSE:OSC
- You can modify osc commands, or roll you own, via the plugin API:
+ You can modify osc commands, or roll your own, via the plugin API:
* http://en.opensuse.org/openSUSE:OSC_plugins
"""
name = 'osc'
@@ -948,6 +948,8 @@
help='never remove source package on accept, but update its content')
@cmdln.option('--no-update', action='store_true',
help='never touch source package on accept (will break source links)')
+ @cmdln.option('--update-link', action='store_true',
+ help='This transfers the source including the _link file.')
@cmdln.option('-d', '--diff', action='store_true',
help='show diff only instead of creating the actual request')
@cmdln.option('--yes', action='store_true',
@@ -1026,9 +1028,12 @@
sr_ids = []
# for single request
actionxml = ""
- options_block = ""
+ options_block = "<options>"
if src_update:
- options_block = """<options><sourceupdate>%s</sourceupdate></options> """ % (src_update)
+ options_block += """<sourceupdate>%s</sourceupdate>""" % (src_update)
+ if opts.update_link:
+ options_block + """<updatelink>true</updatelink></options> """
+ options_block += "</options>"
# loop via all packages for checking their state
for p in meta_get_packagelist(apiurl, project):
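Review bot: The `--update-link` flag is silently dropped on this multi-package path: `options_block + """<updatelink>true</updatelink></options> """` under `if opts.update_link:` is a bare expression whose value is discarded, and its embedded `</options>` would have duplicated the closing tag appended unconditionally two lines later. It should be `options_block += """<updatelink>true</updatelink>"""`, the form the core.py `create_submit_request` hunk uses. Separately, both this hunk and that one now emit `<options></options>` even when neither option is set, so the request XML changes shape for every submit; whether older OBS instances accept an empty element is not visible here and is worth confirming or guarding with `if src_update or opts.update_link:`. The enclosing command method starts and ends outside the hunk.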
@@ -1242,7 +1247,8 @@
result = create_submit_request(apiurl,
src_project, src_package,
dst_project, dst_package,
- opts.message, orev=rev, src_update=src_update)
+ opts.message, orev=rev,
+ src_update=src_update, dst_updatelink=opts.update_link)
if supersede_existing:
for req in reqs:
change_request_state(apiurl, req.reqid, 'superseded',
@@ -4139,6 +4145,7 @@
'M' Modified
'?' item is not under version control
'!' item is missing (removed by non-osc command) or incomplete
+ 'S' item is skipped (item exceeds a file size limit or is _service:* file)
'F' Frozen (use "osc pull" to merge conflicts) (package-only state)
examples:
@@ -5657,9 +5664,6 @@
if not os.path.isdir(d):
raise oscerr.WrongOptions('Preferred package location \'%s\' is not a directory' % d)
- if opts.noinit and opts.offline:
- raise oscerr.WrongOptions('--noinit and --offline are mutually exclusive')
-
if opts.offline and opts.preload:
raise oscerr.WrongOptions('--offline and --preload are mutually exclusive')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osc-0.150.1/osc/core.py new/osc-0.151.0/osc/core.py
--- old/osc-0.150.1/osc/core.py 2015-01-13 16:53:00.000000000 +0100
+++ new/osc-0.151.0/osc/core.py 2015-03-12 19:50:41.000000000 +0100
@@ -5,7 +5,7 @@
from __future__ import print_function
-__version__ = '0.150'
+__version__ = '0.151'
# __store_version__ is to be incremented when the format of the working copy
# "store" changes in an incompatible way. Please add any needed migration
@@ -273,18 +273,22 @@
for service in services:
name = service.get('name')
+ if len(name) < 3 or '/' in name:
+ raise oscerr.APIError("invalid service name")
mode = service.get('mode', None)
data = { 'name' : name, 'mode' : '' }
if mode:
data['mode'] = mode
try:
+ command = [ name ]
for param in service.findall('param'):
option = param.get('name', None)
value = ""
if param.text:
value = param.text
- name += " --" + option + " '" + value + "'"
- data['command'] = name
+ command.append("--"+option)
+ command.append(value)
+ data['command'] = command
self.services.append(data)
except:
msg = 'invalid service format:\n%s' % ET.tostring(serviceinfo_node, encoding=ET_ENCODING)
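Review bot: The new name guard dereferences `name` before the `try`: `service.get('name')` returns None when a `<service>` element has no `name` attribute, so `len(name)` raises TypeError instead of the `invalid service format` error the except branch produces. Write it as `if not name or len(name) < 3 or '/' in name:`. A short comment on the guard would also preserve its intent for later maintainers, e.g. `# name is joined into the /usr/lib/obs/service/ path and used as argv[0]; reject separators so it cannot leave that directory`. The enclosing method starts and ends outside the hunk.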
@@ -372,7 +376,7 @@
allservices = self.services or []
if singleservice and not singleservice in allservices:
# set array to the manual specified singleservice, if it is not part of _service file
- data = { 'name' : singleservice, 'command' : singleservice, 'mode' : '' }
+ data = { 'name' : singleservice, 'command' : [ singleservice ], 'mode' : '' }
allservices = [data]
# set environment when using OBS 2.3 or later
@@ -393,17 +397,17 @@
continue
if service['mode'] != "trylocal" and service['mode'] != "localonly" and callmode == "trylocal":
continue
- call = service['command']
temp_dir = None
try:
temp_dir = tempfile.mkdtemp()
- name = call.split(None, 1)[0]
- if not os.path.exists("/usr/lib/obs/service/"+name):
- raise oscerr.PackageNotInstalled("obs-service-"+name)
- cmd = "/usr/lib/obs/service/" + call + " --outdir " + temp_dir
+ cmd = service['command']
+ if not os.path.exists("/usr/lib/obs/service/"+cmd[0]):
+ raise oscerr.PackageNotInstalled("obs-service-%s"%cmd[0])
+ cmd[0] = "/usr/lib/obs/service/"+cmd[0]
+ cmd = cmd + [ "--outdir", temp_dir ]
if conf.config['verbose'] > 1 or verbose:
print("Run source service:", cmd)
- r = run_external(cmd, shell=True)
+ r = run_external(*cmd)
if r != 0:
print("Aborting: service call failed: " + cmd)
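Review bot: `cmd = service['command']` aliases the list stored in `self.services`, so `cmd[0] = "/usr/lib/obs/service/"+cmd[0]` rewrites the stored entry in place; if this method is run a second time on the same object, the `os.path.exists` check then sees a doubly-prefixed path and raises `PackageNotInstalled`. Take a copy first: `cmd = list(service['command'])`. The error branch still reads `print("Aborting: service call failed: " + cmd)`, which now concatenates str and list and raises TypeError exactly when a service fails; use `"Aborting: service call failed: " + ' '.join(cmd)`. The verbose `print("Run source service:", cmd)` likewise now prints a list repr rather than the command line. The enclosing method starts and ends outside the hunk.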
@@ -2413,6 +2417,8 @@
class RequestHistory(AbstractState):
"""Represents a history element of a request"""
+ re_name = re.compile(r'^Request (?:got )?([^\s]+)$')
+
def __init__(self, history_node):
AbstractState.__init__(self, history_node.tag)
self.who = history_node.get('who')
@@ -2428,6 +2434,17 @@
if not history_node.find('comment') is None and \
history_node.find('comment').text:
self.comment = history_node.find('comment').text.strip()
+ self.name = self._parse_name(history_node)
+
+ def _parse_name(self, history_node):
+ name = history_node.get('name', None)
+ if name is not None:
+ # OBS 2.5 and before
+ return name
+ mo = self.re_name.search(self.description)
+ if mo is not None:
+ return mo.group(1)
+ return self.description
def get_node_attrs(self):
return ('who', 'when')
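Review bot: `_parse_name` has no docstring, and the only hint at why two sources are consulted is the inline `# OBS 2.5 and before`. A docstring along the lines of `"""Return this history element's state name: the 'name' attribute when the server sends one (OBS 2.5 and earlier), else the word matched by re_name in a 'Request <state>' / 'Request got <state>' description, else the whole description."""` would make the regex's role clear. `self.description` is assigned outside this hunk; if it can be None for some elements, `self.re_name.search(self.description)` raises TypeError, so either guard it or document that it is always a string. Minor style: `[^\s]+` in `re_name` is conventionally written `\S+`. The `__init__` that the first added line belongs to starts outside the hunk.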
@@ -2767,7 +2784,9 @@
tgt_package = ''
d['target'] = prj_pkg_join(action.tgt_project, tgt_package)
if action.opt_makeoriginolder:
- d['target'] = d['target'] + ' ***makeoriginolder***'
+ d['target'] = d['target'] + ' ***make origin older***'
+ if action.opt_updatelink:
+ d['target'] = d['target'] + ' ***update link***'
elif action.type == 'add_role':
roles = []
if action.person_name and action.person_role:
@@ -2885,11 +2904,11 @@
"""
import time
- if time.localtime()[0] == time.localtime(t)[0]:
+ if time.gmtime()[0] == time.gmtime(t)[0]:
# same year
- return time.strftime('%b %d %H:%M', time.localtime(t))
+ return time.strftime('%b %d %H:%M %Z', time.gmtime(t))
else:
- return time.strftime('%b %d %Y', time.localtime(t))
+ return time.strftime('%b %d %Y', time.gmtime(t))
def is_project_dir(d):
@@ -3908,19 +3927,23 @@
r.create(apiurl, addrevision=True)
return r
-# This creates an old style submit request for server api 1.0
def create_submit_request(apiurl,
src_project, src_package=None,
dst_project=None, dst_package=None,
- message="", orev=None, src_update=None):
+ message="", orev=None, src_update=None, dst_updatelink=None):
import cgi
options_block = ""
package = ""
if src_package:
package = """package="%s" """ % (src_package)
+ options_block = "<options>"
if src_update:
- options_block = """<options><sourceupdate>%s</sourceupdate></options> """ % (src_update)
+ options_block += """<sourceupdate>%s</sourceupdate>""" % (src_update)
+ if dst_updatelink:
+ options_block += """<updatelink>true</updatelink>"""
+ options_block += "</options>"
+
# Yes, this kind of xml construction is horrible
targetxml = ""
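Review bot: `create_submit_request` gains `dst_updatelink` but has no docstring, and the commit removes the one-line comment that described the function, so the meaning of the new parameter (any truthy value emits `<updatelink>true</updatelink>` inside the options block) and of `src_update` is now documented nowhere. A docstring listing `apiurl`, `src_project`/`src_package`, `dst_project`/`dst_package`, `message`, `orev`, `src_update` and `dst_updatelink`, and stating that the function posts the request and returns whatever the server-side helper returns, would close that gap. The function body continues past the hunk.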
@@ -3931,12 +3954,12 @@
targetxml = """ """ % ( dst_project, packagexml )
# XXX: keep the old template for now in order to work with old obs instances
xml = """\
-<request type="submit">
- <submit>
+<request>
+ <action type="submit">
%s
%s
- </submit>
+ </action>
<state name="new"/>
<description>%s</description>
</request>
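Review bot: The comment `# XXX: keep the old template for now in order to work with old obs instances` is now stale: the hunk replaces the old `<request type="submit"><submit>` form with `<request><action type="submit">`, so the comment describes the template that was just removed. Either delete it or replace it with `# new-style <action> request template; the pre-0.151 <submit> form is no longer emitted`. The enclosing function starts outside the hunk.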
@@ -5701,20 +5724,21 @@
r = []
for node in root.findall('entry'):
- rev = int(node.get('rev'))
+ rev = node.get('rev')
srcmd5 = node.get('srcmd5')
versrel = node.get('versrel')
bcnt = int(node.get('bcnt'))
- t = time.localtime(int(node.get('time')))
- t = time.strftime('%Y-%m-%d %H:%M:%S', t)
+ t = time.gmtime(int(node.get('time')))
+ t = time.strftime('%Y-%m-%d %H:%M:%S %Z', t)
if format == 'csv':
- r.append('%s|%s|%d|%s.%d' % (t, srcmd5, rev, versrel, bcnt))
+ r.append('%s|%s|%s|%s.%d' % (t, srcmd5, rev, versrel, bcnt))
else:
- r.append('%s %s %6d %s.%d' % (t, srcmd5, rev, versrel, bcnt))
+ bversrel='%s.%d' % (versrel, bcnt)
+ r.append('%s %s %s %s' % (t, srcmd5, bversrel.ljust(16)[:16], rev))
if format == 'text':
- r.insert(0, 'time srcmd5 rev vers-rel.bcnt')
+ r.insert(0, 'time srcmd5 vers-rel.bcnt rev')
return r
@@ -5739,11 +5763,11 @@
reason = "unknown"
code = node.get('code')
rt = int(node.get('readytime'))
- readyt = time.localtime(rt)
- readyt = time.strftime('%Y-%m-%d %H:%M:%S', readyt)
+ readyt = time.gmtime(rt)
+ readyt = time.strftime('%Y-%m-%d %H:%M:%S %Z', readyt)
st = int(node.get('starttime'))
et = int(node.get('endtime'))
- endtime = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(et))
+ endtime = time.strftime('%Y-%m-%d %H:%M:%S %Z', time.gmtime(et))
waittm = time.gmtime(et-st)
if waittm.tm_mday > 1:
waitbuild = "%1dd %2dh %2dm %2ds" % (waittm.tm_mday-1, waittm.tm_hour, waittm.tm_min, waittm.tm_sec)
@@ -5804,8 +5828,8 @@
requestid = node.find('requestid').text.encode(locale.getpreferredencoding(), 'replace')
except:
requestid = ""
- t = time.localtime(int(node.find('time').text))
- t = time.strftime('%Y-%m-%d %H:%M:%S', t)
+ t = time.gmtime(int(node.find('time').text))
+ t = time.strftime('%Y-%m-%d %H:%M:%S %Z', t)
if format == 'csv':
s = '%s|%s|%s|%s|%s|%s|%s' % (rev, user, t, srcmd5, version,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/osc-0.150.1/tests/test_request.py new/osc-0.151.0/tests/test_request.py
--- old/osc-0.150.1/tests/test_request.py 2015-01-13 16:53:00.000000000 +0100
+++ new/osc-0.151.0/tests/test_request.py 2015-03-12 19:50:41.000000000 +0100
@@ -470,7 +470,7 @@
exp = """\
Request: #123
- submit: xyz/abc(cleanup) -> foo
+ submit: xyz/abc(cleanup) -> foo ***update link***
add_role: person: bar as maintainer, group: groupxyz as reader home:foo
++++++ osc.dsc ++++++
--- /var/tmp/diff_new_pack.QLoCZt/_old 2015-03-16 07:00:48.000000000 +0100
+++ /var/tmp/diff_new_pack.QLoCZt/_new 2015-03-16 07:00:48.000000000 +0100
@@ -1,6 +1,6 @@
Format: 1.0
Source: osc
-Version: 0.150.1
+Version: 0.151.0
Binary: osc
Maintainer: Adrian Schroeter
Architecture: any