Hello community, here is the log from the commit of package patch.3458 for openSUSE:13.1:Update checked in at 2015-02-03 10:03:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/patch.3458 (Old) and /work/SRC/openSUSE:13.1:Update/.patch.3458.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "patch.3458" Changes: -------- New Changes file: --- /dev/null 2014-12-25 22:38:16.200041506 +0100 +++ /work/SRC/openSUSE:13.1:Update/.patch.3458.new/patch.changes 2015-02-03 10:03:33.000000000 +0100 
@@ -0,0 +1,484 @@ +------------------------------------------------------------------- +Fri Jan 23 01:00:22 UTC 2015 - andreas.stieger@gmx.de + +- patch 2.7.3 + Contains a security fix for a directory traversal flaw when + handling git-style patches. This could allow an attacker to + overwrite arbitrary files by applying a specially crafted patch. + [boo#913678] [CVE-2015-1196] + + With git-style patches, symlinks that point outside the working + directory will no longer be created (CVE-2015-1196). + + When a file isn't being deleted because the file contents don't + match the patch, the resulting message is now "Not deleting + file ... as content differs from patch" instead of "File ... + is not empty after patch; not deleting". + + Function names in hunks (from diff -p) are now preserved in + reject files [boo#904519] +- Version 2.7.2 differed from the above only slightly. +- packaging changes: + + Verify source signatures + + Removed patches now upstream: + * error-report-crash.patch + + run spec-cleaner + +------------------------------------------------------------------- +Tue May 20 07:44:03 UTC 2014 - schwab@suse.de + +- error-report-crash.patch: fix crash after reporting error during option + parsing + +------------------------------------------------------------------- +Thu Dec 6 16:19:25 CET 2012 - jdelvare@suse.de + +- Back to bz2 archive format as old products lack xz. + +------------------------------------------------------------------- +Thu Dec 6 15:34:14 CET 2012 - jdelvare@suse.de + +- Version 2.7.1 + + Patch no longer gets a failed assertion for certain mangled + patches. + + Ignore destination file names that are absolute or that contain + a component of "..", except when working in the root directory. + This addresses CVE-2010-4651. + + Support for most features of the "diff --git" format, including + renames and copies, permission changes, and symlink diffs. + Binary diffs are not supported yet; patch will complain and + skip them. 
+ + Support for double-quoted filenames: when a filename starts + with a double quote, it is interpreted as a C string literal. + The escape sequences \\, \", \a, \b, \f, \n, \r, \t, \v, and + \ooo (a three-digit octal number between 0 and 255) are + recognized. + + Refuse to apply a normal patch to a symlink. (Previous versions + of patch were replacing the symlink with a regular file.) + + New --follow-symlinks option to allow to treat symlinks as + files: this was patch's behavior before version 2.7. + + When trying to modify a read-only file, warn about the + potential problem by default. The --read-only command line + option allows to change this behavior. + + Files to be deleted are deleted once the entire input has been + processed, not immediately. This fixes a bug with numbered + backup files. + + When a timestamp specifies a time zone, honor that instead of + assuming the local time zone (--set-date) or Universal + Coordinated Time (--set-utc). + + Support for nanosecond precision timestamps. + + Many bug fixes. + + Clarify the message printed when a patch is expected to empty + out and delete a file, but the file does not become empty. + + Various improvements to messages when applying a patch to a + file of different type (regular file vs. symlink), when there + are line ending differences (LF vs. CRLF), and when in + --dry-run mode. + + Ignore when extended attributes cannot be preserved because + they are unsupported or because permission to set them is + denied. +- patch-revert-e0f70752.patch: Dropped, original bug fixed + upstream. +- patch-stdio.in.patch: Dropped, merged upstream. 
+ +------------------------------------------------------------------- +Tue Jul 17 08:40:27 UTC 2012 - aj@suse.de + +- patch-stdio.in.patch: + Fix build with missing gets declaration (glibc 2.16) + +------------------------------------------------------------------- +Fri Apr 6 14:22:12 CEST 2012 - jdelvare@suse.de + +- patch-revert-e0f70752.patch: Revert broken upstream commit + (bnc#755136). + +------------------------------------------------------------------- +Wed Apr 4 19:03:25 CEST 2012 - jdelvare@suse.de + +- Version 2.6.1.136 + +------------------------------------------------------------------- +Wed Oct 5 12:33:53 UTC 2011 - uli@suse.com + +- cross-build fix: use %configure macro + +------------------------------------------------------------------- +Mon Apr 4 15:11:04 CEST 2011 - jdelvare@suse.de + +- Version 2.6.1.116: + + Patch now ignores destination file names that are absolute or + that contain a component of ".." (CVE-2010-4651, bnc#662957). +- Drop unified-reject-files-compat.diff. Compatibility has been + provided for the past 18 months, hopefully nobody is relying on + it any longer. + +------------------------------------------------------------------- +Fri Jul 2 06:57:49 UTC 2010 - jengelh@medozas.de + +- Use %_smp_mflags + +------------------------------------------------------------------- +Wed May 5 01:28:12 CEST 2010 - agruen@suse.de + +- Version 2.6.1.81: + + Fix backup file detection for deleted files + + Allow to create and delete empty files + + Stick to the best name in the reversed-patch check + + Various portability improvements + +------------------------------------------------------------------- +Sun May 2 15:57:54 CEST 2010 - agruen@suse.de + +- Fix the linker library order. + +------------------------------------------------------------------- +Sun May 2 14:40:09 CEST 2010 - agruen@suse.de + +- Be more verbose when %verbose is defined. 
+ +------------------------------------------------------------------- +Sun May 2 14:01:47 CEST 2010 - agruen@suse.de + +- Version 2.6.1.64: + + Support for most features of the "diff --git" format: renames + and copies, permission changes, symlink diffs. (Binary diffs + are not supported yet; patch will complain and skip them.) + + Support for double-quoted filenames: when a filename in a + context diff starts with a double quote, it is interpreted as + a C string literal. The escape sequences \\, \", \a, \b, \f, \n, + \r, \t, \v, and \ooo (a three-digit octal number between 0 and + 255) are recognized. + + Refuse to patch read-only files by default, or at least warn + when patching such files with --force or --batch. + + Refuse to apply a normal patch to a symlink. (Previous + versions of patch were wrongly replacing the symlink with a + regular file.) + + When a timestamp specifies a time zone, honor that instead of + assuming the local time zone (--set-date) or Universal + Coordinated Time (--set-utc). + + Support for nanosecond precision timestamps. + + Many portability and bug fixes. + +------------------------------------------------------------------- +Sun Jan 31 16:22:05 CET 2010 - agruen@suse.de + +- Version 2.6.1.9: + + Skip another ed-dependent test when ed isn't installed. + + More portability fixes. +------------------------------------------------------------------- +Wed Dec 30 17:14:24 CET 2009 - agruen@suse.de + +- Version 2.6.1: + + Support for diff3(1) style merges which show the old, original, + and new lines of a conflict has been added (--merge=diff3). + The default still is the merge(1) format (--merge or + --merge=merge). + + Bug and portability fixes. + +------------------------------------------------------------------- +Sun Dec 6 17:32:57 CET 2009 - jengelh + +- enable parallel building + +------------------------------------------------------------------- +Fri Nov 13 15:45:06 CET 2009 - agruen@suse.de + +- Version 2.6. 
+ +------------------------------------------------------------------- +Mon Sep 7 13:30:46 CEST 2009 - agruen@suse.de + +- Version 2.5.9.122: + + Try to preserve the owning group of patched files. +- Add --unified-reject-files backwards-compatibility patch to + older SUSE versions of patch. + +------------------------------------------------------------------- +Mon Jul 20 10:12:48 CEST 2009 - agruen@suse.de + +- Version 2.5.9.120: ++++ 287 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.patch.3458.new/patch.changes New: ---- patch-2.7.3.tar.bz2 patch-2.7.3.tar.bz2.sig patch.changes patch.keyring patch.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ patch.spec ++++++ # # spec file for package patch # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: patch Version: 2.7.3 Release: 0 Summary: GNU patch License: GPL-3.0+ Group: Productivity/Text/Utilities Url: http://ftp.gnu.org/gnu/patch/ Source: http://ftp.gnu.org/gnu/patch/%{name}-%{version}.tar.bz2 Source2: http://ftp.gnu.org/gnu/patch/%{name}-%{version}.tar.bz2.sig Source3: http://savannah.gnu.org/project/memberlist-gpgkeys.php?group=patch&download=1#/patch.keyring BuildRoot: %{_tmppath}/%{name}-%{version}-build # See bnc#662957. 
The fix for CVE-2010-4651 breaks the way interdiff was # invoking patch, so interdiff had to be fixed too. Conflicts: patchutils < 0.3.2 %description The GNU patch program is used to apply diffs between original and changed files (generated by the diff command) to the original files. %prep %setup -q %build export CFLAGS="%{optflags} -Wall -O2 -pipe" %configure make %{?_smp_mflags} %{verbose:V=1}; %check make %{?_smp_mflags} check %{verbose:V=1} %install make install DESTDIR=%{buildroot} %{verbose:V=1} %files %defattr(-,root,root) %doc NEWS README %{_bindir}/patch %doc %{_mandir}/man1/patch.1.gz %changelog -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
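Review bot: In the top entry of patch.changes (Fri Jan 23 2015, "patch 2.7.3"), CVE-2015-1196 is described twice in different words: first as "a directory traversal flaw when handling git-style patches", then as "symlinks that point outside the working directory will no longer be created (CVE-2015-1196)". A reader cannot tell whether these are one change or two, so I would fold them into a single item that names the symlink behaviour as the fix. The line "Version 2.7.2 differed from the above only slightly" also leaves open which of the listed items arrived in 2.7.2 and which in 2.7.3. The previous version entry in this file is 2.7.1, so the update spans both releases, and for a security update it is worth stating explicitly which release carries the CVE fix.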
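Review bot: In patch.spec, the changelog entry says "Verify source signatures" and the spec adds Source2 (the .tar.bz2.sig) and Source3 (patch.keyring), but the visible %prep section is only "%setup -q", so nothing in the spec itself checks the tarball against the signature and keyring. If the check is expected to happen in build tooling outside this file, a comment next to Source2/Source3 should say so; otherwise an explicit verification step belongs in %prep before %setup, so that a build from a tampered tarball fails. All three Source URLs are also plain http, including the keyring that acts as the trust anchor, so the checked-in patch.keyring should be compared against key fingerprints obtained over an authenticated channel before it is relied on. Two smaller points in %build: the "-O2" appended after "%{optflags}" overrides whatever optimisation level the distribution flags set, and the trailing ";" after "%{verbose:V=1}" on the make line looks unintended.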
participants (1): root@hilbert.suse.de