Hello community, here is the log from the commit of package yast2-ruby-bindings for openSUSE:Factory checked in at 2018-12-31 09:44:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-ruby-bindings (Old) and /work/SRC/openSUSE:Factory/.yast2-ruby-bindings.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "yast2-ruby-bindings" Mon Dec 31 09:44:42 2018 rev:91 rq:659955 version:4.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-ruby-bindings/yast2-ruby-bindings.changes 2018-11-01 19:03:39.734011296 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-ruby-bindings.new.28833/yast2-ruby-bindings.changes 2018-12-31 09:44:43.834298112 +0100 @@ -1,0 +2,7 @@ +Tue Dec 18 15:30:14 UTC 2018 - jlopez@suse.com + +- Configure $PATH environment variable to execute external commands + only from safe paths (part of bsc#1118291). +- 4.1.1 + +------------------------------------------------------------------- Old: ---- yast2-ruby-bindings-4.1.0.tar.bz2 New: ---- yast2-ruby-bindings-4.1.1.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-ruby-bindings.spec ++++++ --- /var/tmp/diff_new_pack.Mvkw0g/_old 2018-12-31 09:44:44.170297837 +0100 +++ /var/tmp/diff_new_pack.Mvkw0g/_new 2018-12-31 09:44:44.170297837 +0100 
@@ -17,7 +17,7 @@ Name: yast2-ruby-bindings -Version: 4.1.0 +Version: 4.1.1 Release: 0 Url: https://github.com/yast/yast-ruby-bindings BuildRoot: %{_tmppath}/%{name}-%{version}-build ++++++ yast2-ruby-bindings-4.1.0.tar.bz2 -> yast2-ruby-bindings-4.1.1.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-ruby-bindings-4.1.0/package/yast2-ruby-bindings.changes new/yast2-ruby-bindings-4.1.1/package/yast2-ruby-bindings.changes --- old/yast2-ruby-bindings-4.1.0/package/yast2-ruby-bindings.changes 2018-10-23 16:03:14.000000000 +0200 +++ new/yast2-ruby-bindings-4.1.1/package/yast2-ruby-bindings.changes 2018-12-19 09:24:47.000000000 +0100 @@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Tue Dec 18 15:30:14 UTC 2018 - jlopez@suse.com + +- Configure $PATH environment variable to execute external commands + only from safe paths (part of bsc#1118291). +- 4.1.1 + +------------------------------------------------------------------- Tue Oct 23 09:52:53 UTC 2018 - jreidinger@suse.com - Fix encoding-related problems by assuming that file contents is diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-ruby-bindings-4.1.0/package/yast2-ruby-bindings.spec new/yast2-ruby-bindings-4.1.1/package/yast2-ruby-bindings.spec --- old/yast2-ruby-bindings-4.1.0/package/yast2-ruby-bindings.spec 2018-10-23 16:03:14.000000000 +0200 +++ new/yast2-ruby-bindings-4.1.1/package/yast2-ruby-bindings.spec 2018-12-19 09:24:47.000000000 +0100 
@@ -17,7 +17,7 @@ Name: yast2-ruby-bindings -Version: 4.1.0 +Version: 4.1.1 Url: https://github.com/yast/yast-ruby-bindings Release: 0 BuildRoot: %{_tmppath}/%{name}-%{version}-build diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-ruby-bindings-4.1.0/src/ruby/yast/y2start_helpers.rb new/yast2-ruby-bindings-4.1.1/src/ruby/yast/y2start_helpers.rb --- old/yast2-ruby-bindings-4.1.0/src/ruby/yast/y2start_helpers.rb 2018-10-23 16:03:14.000000000 +0200 +++ new/yast2-ruby-bindings-4.1.1/src/ruby/yast/y2start_helpers.rb 2018-12-19 09:24:47.000000000 +0100 @@ -1,5 +1,17 @@ module Yast module Y2StartHelpers + # Configure global environment for YaST + # + # Currently it only sets values for $PATH. + # + # By configuring $PATH, it ensures that correct external programs are executed when + # relative paths are given, so possible CVEs are avoided when running YaST. + # + # Note that forked processes will inherit the environment configuration, for example + # when executing commands via SCR or Cheetah. + def self.config_env + ENV["PATH"] = "/sbin:/usr/sbin:/usr/bin:/bin" + end # Parses ARGV of y2start. it returns map with keys: # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-ruby-bindings-4.1.0/src/y2start/y2start new/yast2-ruby-bindings-4.1.1/src/y2start/y2start --- old/yast2-ruby-bindings-4.1.0/src/y2start/y2start 2018-10-23 16:03:14.000000000 +0200 +++ new/yast2-ruby-bindings-4.1.1/src/y2start/y2start 2018-12-19 09:24:47.000000000 +0100 @@ -13,6 +13,10 @@ Yast::Y2StartHelpers.setup_signals +# Configure global YaST environment. For example, it sets $PATH to ensure that +# external commands are only executed from safe paths. +Yast::Y2StartHelpers.config_env + File.umask(0o022) Yast.y2milestone("y2base called with #{ARGV.inspect}")
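Review bot: in the y2start_helpers.rb hunk the doc comment on `config_env` says $PATH ensures the correct programs run "when relative paths are given", but $PATH lookup only applies to bare command names (no slash); an explicit relative path such as `./tool` bypasses $PATH entirely, so the comment should say "when a bare command name is given" and callers should still prefer absolute paths for the commands they run. Also, `ENV["PATH"] = "/sbin:/usr/sbin:/usr/bin:/bin"` unconditionally replaces whatever $PATH the caller had; that is the intended hardening, but the comment should state that any caller-provided directories (for example /usr/local/bin) are dropped, so that wrappers relying on them are not surprised, and "possible CVEs are avoided" would read better as a concrete statement that untrusted directories such as the current working directory are excluded from command lookup.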
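Review bot: in the y2start hunk the comment "For example, it sets $PATH" suggests `config_env` configures more than one thing, while the helper in the same patch only sets $PATH; tighten it to "Currently it only sets $PATH to ensure external commands are resolved from safe directories" so the two comments agree. The placement itself is right: `Yast::Y2StartHelpers.config_env` runs directly after `setup_signals` and before `File.umask(0o022)` and the first `y2milestone`, so it precedes any external command the startup path may launch.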