commit file-roller.1883 for openSUSE:12.3:Update
Hello community, here is the log from the commit of package file-roller.1883 for openSUSE:12.3:Update checked in at 2013-07-31 14:08:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3:Update/file-roller.1883 (Old) and /work/SRC/openSUSE:12.3:Update/.file-roller.1883.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "file-roller.1883" Changes: -------- New Changes file: --- /dev/null 2013-07-23 23:44:04.804033756 +0200 +++ /work/SRC/openSUSE:12.3:Update/.file-roller.1883.new/file-roller.changes 2013-07-31 14:08:47.000000000 +0200 
@@ -0,0 +1,1590 @@ +------------------------------------------------------------------- +Tue Jul 23 19:56:28 PDT 2013 - federico@suse.com + +- Add file-roller-bnc828328-CVE-2013-4668-sanitize-path-names.patch to + fix bnc#828328. This is for CVE-2013-4668. Sanitize path names + while unpacking, so that a path traversal attack cannot be used to + create files outside the unpack destination directory. + +------------------------------------------------------------------- +Wed Nov 28 20:17:14 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.6.3: + + Crash when pasting a deleted file. (bgo#688627) + + Fixed the 'next' button still activated when it should not. + (bgo#688648) + + zip archives: file-roller doesn't delete directories. + (bgo#632339) + + The properties panel shows an incorrect number of files. + (bgo#688634) + + Match Nautilus behavior for back and forward buttons. + (bgo#578837) + + Fixed crash when using the --extract-to option. (bgo#686321) + + Fixed cut & paste for rar/arj/lhz archives when cutting all the + files in the archive. + + Fixed file deletion for encrypted rar archives. + + Fixed renaming for files starting with '--'. + + Updated translations. + +------------------------------------------------------------------- +Mon Nov 12 21:22:10 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.6.2: + + Fails when tryings create zip files if is in "maximum" + compression level (bgo#686655). + + Updated translations. +- Add file-devel BuildRequires: it is what actually provides + magic.h / libmagic devel files. +- Change --disable-magic configure parameter to --enable-magic in + order to ensure libmagic is being found. + +------------------------------------------------------------------- +Wed Oct 17 21:10:20 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.6.1.1: + + Fixed crash on startup. (bgo#686230, bgo#685108) + + Register .ar files as supported. + + Updated translations. 
+ +------------------------------------------------------------------- +Mon Oct 15 20:06:23 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.6.1: + + Fix creation of hard links when using libarchive (bgo#686061) + + Fix crash when opening multi-volumes rar archives (bgo#685314) + + Fix crash when the package installer is activated (bgo#684941) + + Fix creation of encrypted archives. + + Fix creation of multi-volume archives. + + Updated translations. + +------------------------------------------------------------------- +Mon Sep 24 20:17:49 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.6.0: + + Updated translations. + +------------------------------------------------------------------- +Mon Sep 17 21:08:21 UTC 2012 - zaitor@opensuse.org + +- Update to version 3.5.92: + + Install the app menu only if there's the gnome-shell showing it + (bgo#683759). + + Updated translations. + +------------------------------------------------------------------- +Mon Sep 3 19:41:18 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.5.91: + + Nautilus extension "Compress" doesn't offer .gz anymore + (bgo#682807) + + Fixed build without libarchive support (bgo#682774) + + libarchive: restore the file attributes when extracting + (bgo#682513) + + Updated translations. + +------------------------------------------------------------------- +Sun Sep 2 19:18:12 UTC 2012 - dimstar@opensuse.org + +- Add file-roller-pkg-match.patch: Update the package match list + for PackageKit to be able to install the right packages when + needed (bnc#696530). + +------------------------------------------------------------------- +Mon Aug 20 20:30:12 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.5.90: + + New features and user visible changes: + - Use a single 'Add files' dialog that allows to add both files + and folder instead of having two separated commands + 'Add files' and 'Add folder'. 
+ - Make the "New Archive" dialog look like the "Compress" dialog + (bgo#681232) + - Extract dialog: always ask whether to overwrite existing + files (removed the overwrite option) + - Properties dialog: allow to open the archive's folder. + - 'Add files' dialog: added option to follow symbolic links. + - Edit->Password applies the password to already existing files + in the archive (bgo#144391) + - Password dialog: show an error message when the password is + wrong. + - File list sorting: always keep the directories first, even + when sorting in reverse order. + + Bugs fixed: + - Removed non existant keys from the .convert file (bgo#682022) + - Fixed crash when opening compressed files. (bgo#681766) + - Fixed crash when extracting an archive from the nautilus + context menu. (bgo#681473) + - Fixed crash when extracting from the Extract dialog. + + Updated translations + +------------------------------------------------------------------- +Mon Aug 6 20:18:41 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.5.4: + + New features and user visible changes: + - Optionally use libarchive to handle tar, cpio, lha archives + and ISO images. + - Notify the completion of a long operation with the system + notification system (requires libnotify). + - Removed the Stop action from the View menu. + - Removed the Help buttons from the dialogs. + - Updated the user help. + + Bugs fixed: + - Can't open file inside a .rar archive (with unar) + (bgo#680676) + - Change "Re-create folders" to "Keep directory structure" + (bgo#681235) + + Internal code changes: + - Huge internal code refactoring to allow the use of + libarchive. This can bring some regressions. + + Updated translations. +- Add pkgconfig(libarchive) and pkgconfig(libnotify) BuildRequires, + allowing the new features to be built. +- Rebase file-roller-3.4-change-archiver-priority.patch. +- Pass --disable-magic to configure: we don't have libmagic + packaged yet. 
+ +------------------------------------------------------------------- +Tue Jul 17 11:40:20 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.5.3: + + Allow to extract rar archives with 'The Unarchiver'. requires + json-glib (bgo#646606) + + "Folder Content could not be displayed" error when using + --extract. (bgo#678884) + + Updated translations. +- Add pkgconfig(json-glib-1.0) BuildRequires: new dependency. +- Rebase file-roller-3.4-change-archiver-priority.patch. + +------------------------------------------------------------------- +Mon Jun 25 21:08:00 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.5.2: + + New features and user visible changes: + - Allow the user to cancel addition and deletion of files to an + exiting archive. + - Progress dialog: show the number of remaining files to + complete the operation; show the archive name in the main + message. + - Removed the stop button from the toolbar. The user can use + the progress dialog cancel button to stop a long operation. + - Enabled interactive search in the file list. The user can + just start typing the name of a file and if present in the + list it will get selected. + - Removed the help buttons from the dialogs. + + Internal code changes: + - Renamed the D-Bus interface as org.gnome.ArchiveManager1. + - Use the file-roller extecutable as a D-Bus service as well, + instead of using a separate executable. + - Define the progress dialog and other dialogs in external files, + saved as gresources. + - Added a prefix to the utility functions for a better + organization and readability of the code. + + Updated translations. + +------------------------------------------------------------------- +Mon Jun 18 10:10:17 UTC 2012 - dimstar@opensuse.org + +- Update to version 3.5.1: + + Use GtkApplication + + Added an application menu + + Use GResource to store ui files + + Removed markup in translatable messages + + Ported to the new documentation infrastructure + + Updated translations. 
+- Replace gnome-doc-utils-devel BuildRequires with yelp-tools + following upstreams change of documentation infrastructure. + ++++ 1393 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.file-roller.1883.new/file-roller.changes New: ---- file-roller-3.4-change-archiver-priority.patch file-roller-3.6.3.tar.xz file-roller-bnc828328-CVE-2013-4668-sanitize-path-names.patch file-roller-pkg-match.patch file-roller.changes file-roller.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ file-roller.spec ++++++ # # spec file for package file-roller # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: file-roller Version: 3.6.3 Release: 0 Summary: An Archive Manager for GNOME License: GPL-2.0+ Group: Productivity/Archiving/Compression Url: http://fileroller.sourceforge.net Source: http://download.gnome.org/sources/file-roller/3.6/%{name}-%{version}.tar.xz # PATCH-FIX-OPENSUSE file-roller-3.4-change-archiver-priority.patch bnc#767386 gankov@opensuse.org -- Give unzip a higher priority than 7z when unpackging zip files. Gives better results for non-latin charsets. 
Patch0: file-roller-3.4-change-archiver-priority.patch # PATCH-FEATURE-OPENSUSE file-roller-pkg-match.patch bnc#696530 dimstar@opensuse.org -- List package match names for automatic installation using PK. Patch1: file-roller-pkg-match.patch # PATCH-FIX-UPSTREAM file-roller-bnc828328-CVE-2013-4668-sanitize-path-names.patch bnc828328 CVE-2013-4668 federico@suse.com - Sanitize pathnames while unpacking to avoid malicious path traversals Patch2: file-roller-bnc828328-CVE-2013-4668-sanitize-path-names.patch # Needed for directory ownership BuildRequires: dbus-1 BuildRequires: fdupes BuildRequires: file-devel BuildRequires: intltool BuildRequires: translation-update-upstream BuildRequires: update-desktop-files BuildRequires: yelp-tools BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(gtk+-3.0) >= 3.4.0 BuildRequires: pkgconfig(ice) BuildRequires: pkgconfig(json-glib-1.0) >= 0.14.0 BuildRequires: pkgconfig(libarchive) >= 3.0.0 BuildRequires: pkgconfig(libnautilus-extension) BuildRequires: pkgconfig(libnotify) >= 0.4.3 BuildRequires: pkgconfig(sm) >= 1.0.0 Recommends: %{name}-lang # Formats that we really want to support by default Requires: bzip2 Requires: cpio Requires: genisoimage Requires: gzip Requires: rpm Requires: unzip # Formats that we likely want to support by default Recommends: unrar Recommends: xz Recommends: zip # Additional formats that are supported Suggests: lha Suggests: p7zip Suggests: rzip Suggests: zoo BuildRoot: %{_tmppath}/%{name}-%{version}-build DocDir: %{_defaultdocdir} # FIXME: Formats for which we don't have packages. Some are free software that # we could package. #Suggests: arj #Suggests: lrzip #Suggests: lzip #Suggests: lzop #Suggests: ncompress #Suggests: rar #Suggests: theunarchiver #Suggests: unace #Suggests: unalz #Suggests: unstuff %glib2_gsettings_schema_requires %description File Roller is an archive manager for GNOME. 
With it, you can create and modify archives, view the contents of an archive, view a file contained in the archive, and extract files from the archive. %package -n nautilus-file-roller Summary: An Archive Manager for GNOME - Nautilus extension Group: Productivity/Archiving/Compression Requires: %{name} = %{version} Supplements: packageand(file-roller:nautilus) %description -n nautilus-file-roller File Roller is an archive manager for GNOME. With it, you can create and modify archives, view the contents of an archive, view a file contained in the archive, and extract files from the archive. This package contains a plugin to integrate File Roller into Nautilus. %lang_package %prep %setup -q %patch0 %patch1 -p1 %patch2 -p1 translation-update-upstream %build %configure\ --disable-scrollkeeper \ --enable-magic make %{?_smp_mflags} V=1 %install %make_install %if 0%{?suse_version} <= 1120 rm %{buildroot}%{_datadir}/locale/en@shaw/LC_MESSAGES/* %endif %suse_update_desktop_file -N "File Roller" -G "Archive Manager" %{name} Archiving %find_lang %{name} %{?no_lang_C} rm %{buildroot}%{_libdir}/*/*/*.*a %fdupes %{buildroot} %post %glib2_gsettings_schema_post %desktop_database_post %icon_theme_cache_post %postun %glib2_gsettings_schema_postun %desktop_database_postun %icon_theme_cache_postun %files %defattr(-, root, root) %doc AUTHORS NEWS README COPYING %{_bindir}/file-roller %{_libexecdir}/file-roller/ %{_datadir}/GConf/gsettings/file-roller.convert %{_datadir}/applications/*.desktop %{_datadir}/dbus-1/services/org.gnome.FileRoller.service %{_datadir}/file-roller/ %doc %{_datadir}/help/C/%{name}/ %{_datadir}/glib-2.0/schemas/org.gnome.FileRoller.gschema.xml %{_datadir}/icons/hicolor/*/apps/*.png %files -n nautilus-file-roller %defattr(-, root, root) %{_libdir}/nautilus/extensions-3.0/*.so %files lang -f %{name}.lang %changelog ++++++ file-roller-3.4-change-archiver-priority.patch ++++++ Index: src/fr-init.c =================================================================== 
--- src/fr-init.c.orig +++ src/fr-init.c @@ -350,6 +350,7 @@ register_archives (void) register_archive (FR_TYPE_COMMAND_TAR); register_archive (FR_TYPE_COMMAND_CFILE); + register_archive (FR_TYPE_COMMAND_ZIP); register_archive (FR_TYPE_COMMAND_7Z); register_archive (FR_TYPE_COMMAND_DPKG); @@ -364,7 +365,6 @@ register_archives (void) register_archive (FR_TYPE_COMMAND_RAR); register_archive (FR_TYPE_COMMAND_RPM); register_archive (FR_TYPE_COMMAND_UNSTUFF); - register_archive (FR_TYPE_COMMAND_ZIP); register_archive (FR_TYPE_COMMAND_LRZIP); register_archive (FR_TYPE_COMMAND_ZOO); #if HAVE_JSON_GLIB ++++++ file-roller-bnc828328-CVE-2013-4668-sanitize-path-names.patch ++++++
From ad099d7cf8df7683a970c24b554a90c8584c8fc4 Mon Sep 17 00:00:00 2001 From: Paolo Bacchilega
Date: Mon, 27 May 2013 21:18:21 +0200 Subject: [PATCH] libarchive: sanitize filenames before extracting
--- src/fr-archive-libarchive.c | 28 +++++++++++++++++++++------- src/fr-window.c | 33 +++++++++++++++++++++------------ src/glib-utils.c | 40 ++++++++++++++++++++++++++++++++++++++++ src/glib-utils.h | 4 ++++ 4 files changed, 86 insertions(+), 19 deletions(-) diff --git a/src/fr-archive-libarchive.c b/src/fr-archive-libarchive.c index dd6fbe7..329b03a 100644 --- a/src/fr-archive-libarchive.c +++ b/src/fr-archive-libarchive.c @@ -504,6 +504,7 @@ extract_archive_thread (GSimpleAsyncResult *result, while ((r = archive_read_next_header (a, &entry)) == ARCHIVE_OK) { const char *pathname; char *fullpath; + const char *relative_path; GFile *file; GFile *parent; GOutputStream *ostream; @@ -523,7 +524,12 @@ extract_archive_thread (GSimpleAsyncResult *result, } fullpath = (*pathname == '/') ? g_strdup (pathname) : g_strconcat ("/", pathname, NULL); - file = g_file_get_child (extract_data->destination, _g_path_get_relative_basename (fullpath, extract_data->base_dir, extract_data->junk_paths)); + relative_path = _g_path_get_relative_basename_safe (fullpath, extract_data->base_dir, extract_data->junk_paths); + if (relative_path == NULL) { + archive_read_data_skip (a); + continue; + } + file = g_file_get_child (extract_data->destination, relative_path); /* honor the skip_older and overwrite options */ 
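Review bot: In the first `extract_archive_thread` hunk, the new skip path runs `continue` without releasing `fullpath`, which was allocated by `g_strdup`/`g_strconcat` on the line directly above; add `g_free (fullpath);` before `archive_read_data_skip (a);`. The hardlink hunk (`@@ -607,14 +613,22 @@`) frees `link_fullpath` on its skip path, but `file` is still live there (it is passed to `g_file_get_path (file)` just below), so that `continue` also bypasses whatever cleanup the loop body does later. The rest of the loop is outside both hunks, so the full set of objects to release on these early exits should be confirmed against it. Rejected entries are also dropped silently; a `g_warning` naming the entry would make a skipped path visible to whoever is examining a suspicious archive.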
@@ -607,14 +613,22 @@ extract_archive_thread (GSimpleAsyncResult *result, linkname = archive_entry_hardlink (entry); if (linkname != NULL) { - char *link_fullpath; - GFile *link_file; - char *oldname; - char *newname; - int r; + char *link_fullpath; + const char *relative_path; + GFile *link_file; + char *oldname; + char *newname; + int r; link_fullpath = (*linkname == '/') ? g_strdup (linkname) : g_strconcat ("/", linkname, NULL); - link_file = g_file_get_child (extract_data->destination, _g_path_get_relative_basename (link_fullpath, extract_data->base_dir, extract_data->junk_paths)); + relative_path = _g_path_get_relative_basename_safe (link_fullpath, extract_data->base_dir, extract_data->junk_paths); + if (relative_path == NULL) { + g_free (link_fullpath); + archive_read_data_skip (a); + continue; + } + + link_file = g_file_get_child (extract_data->destination, relative_path); oldname = g_file_get_path (link_file); newname = g_file_get_path (file); diff --git a/src/fr-window.c b/src/fr-window.c index e033869..454c439 100644 --- a/src/fr-window.c +++ b/src/fr-window.c 
@@ -6667,26 +6667,35 @@ query_info_ready_for_overwrite_dialog_cb (GObject *source_object, static void _fr_window_ask_overwrite_dialog (OverwriteData *odata) { + gboolean perform_extraction = TRUE; + if ((odata->edata->overwrite == FR_OVERWRITE_ASK) && (odata->current_file != NULL)) { const char *base_name; GFile *destination; - base_name = _g_path_get_relative_basename ((char *) odata->current_file->data, odata->edata->base_dir, odata->edata->junk_paths); - destination = g_file_get_child (odata->edata->destination, base_name); - g_file_query_info_async (destination, - G_FILE_ATTRIBUTE_STANDARD_TYPE "," G_FILE_ATTRIBUTE_STANDARD_NAME "," G_FILE_ATTRIBUTE_STANDARD_DISPLAY_NAME, - G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, - G_PRIORITY_DEFAULT, - odata->window->priv->cancellable, - query_info_ready_for_overwrite_dialog_cb, - odata); + base_name = _g_path_get_relative_basename_safe ((char *) odata->current_file->data, odata->edata->base_dir, odata->edata->junk_paths); + if (base_name != NULL) { + destination = g_file_get_child (odata->edata->destination, base_name); + g_file_query_info_async (destination, + G_FILE_ATTRIBUTE_STANDARD_TYPE "," G_FILE_ATTRIBUTE_STANDARD_NAME "," G_FILE_ATTRIBUTE_STANDARD_DISPLAY_NAME, + G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, + G_PRIORITY_DEFAULT, + odata->window->priv->cancellable, + query_info_ready_for_overwrite_dialog_cb, + odata); - g_object_unref (destination); + g_object_unref (destination); - return; + return; + } + else + perform_extraction = FALSE; } - if (odata->edata->file_list != NULL) { + if (odata->edata->file_list == NULL) + perform_extraction = FALSE; + + if (perform_extraction) { /* speed optimization: passing NULL when extracting all the * files is faster if the command supports the * propCanExtractAll property. */ diff --git a/src/glib-utils.c b/src/glib-utils.c index 119edf4..092ff97 100644 --- a/src/glib-utils.c +++ b/src/glib-utils.c 
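Review bot: When `_g_path_get_relative_basename_safe` yields NULL in `_fr_window_ask_overwrite_dialog`, the code sets `perform_extraction = FALSE` for the whole request rather than for the one entry, and nothing on that branch says why; a short comment such as `/* unsafe or unresolvable path: do not extract */` would record the intent. The `else` is unbraced while its `if` is braced, and `if (odata->edata->file_list == NULL)` is unbraced as well; bracing both keeps a later added statement from landing outside the branch. The function continues past the hunk, so what happens when `perform_extraction` is FALSE is not visible here.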
@@ -984,6 +984,46 @@ _g_path_get_relative_basename (const char *path, } +#define ISDOT(c) ((c) == '.') +#define ISSLASH(c) ((c) == '/') + + +static const char * +sanitize_filename (const char *file_name) +{ + size_t prefix_len; + char const *p; + + prefix_len = 0; + for (p = file_name; *p; ) { + if (ISDOT (p[0]) && ISDOT (p[1]) && (ISSLASH (p[2]) || !p[2])) + prefix_len = p + 2 - file_name; + + do { + char c = *p++; + if (ISSLASH (c)) + break; + } + while (*p); + } + + p = file_name + prefix_len; + while (ISSLASH (*p)) + p++; + + return p; +} + + +const char * +_g_path_get_relative_basename_safe (const char *path, + const char *base_dir, + gboolean junk_paths) +{ + return sanitize_filename (_g_path_get_relative_basename (path, base_dir, junk_paths)); +} + + gboolean _g_filename_is_hidden (const gchar *name) { diff --git a/src/glib-utils.h b/src/glib-utils.h index c409ea1..0837887 100644 --- a/src/glib-utils.h +++ b/src/glib-utils.h @@ -138,6 +138,10 @@ gboolean _g_path_is_parent_of (const char *dirname const char * _g_path_get_relative_basename (const char *path, const char *base_dir, gboolean junk_paths); +const char * _g_path_get_relative_basename_safe + (const char *path, + const char *base_dir, + gboolean junk_paths); gboolean _g_filename_is_hidden (const char *name); const char * _g_filename_get_extension (const char *filename); gboolean _g_filename_has_extension (const char *filename, -- 1.8.1.4 ++++++ file-roller-pkg-match.patch ++++++ diff --git a/data/packages.match b/data/packages.match index 78b9fe3..25775c0 100644 --- a/data/packages.match +++ b/data/packages.match @@ -6,15 +6,15 @@ cpio= dpkg= genisoimage= gzip= -lha= +lha=lhasa lrzip= lzip= lzma= lzop= ncompress= p7zip= -p7zip-full= -p7zip-rar= +p7zip-full=p7zip +p7zip-rar=p7zip rar= rpm= rzip= -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
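Review bot: `sanitize_filename` never returns NULL and reads `*p` from its argument without checking it, so the `relative_path == NULL` and `base_name == NULL` guards added in fr-archive-libarchive.c and fr-window.c cannot fire as written, and a NULL input would be dereferenced in `for (p = file_name; *p; )` before any caller could test for it. Whether `_g_path_get_relative_basename` can return NULL is not visible in this hunk; if it can, start the helper with `if (file_name == NULL) return NULL;`. A name made only of `..` components and slashes sanitizes to the empty string, which the callers then hand to `g_file_get_child` on the destination; returning NULL for an empty result in `_g_path_get_relative_basename_safe` would route that case to the existing skip paths. A header comment on `sanitize_filename` stating that it returns a pointer into its argument (the part after the last `..` component, leading slashes removed) would also help callers reason about lifetime.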