Branch: refs/heads/master
Home: https://github.com/openSUSE/osc

Commit: a3ed68508bbee5965a517559f90a60ab76101e33
    https://github.com/openSUSE/osc/commit/a3ed68508bbee5965a517559f90a60ab76101...
Author: Daniel Mach <daniel.mach@suse.com>
Date: 2024-05-28 (Tue, 28 May 2024)

Changed paths:
  M osc/core.py

Log Message:
-----------
Remove no longer valid warning from core.unpack_srcrpm()

Shell injection is not possible with Popen() which has shell=False as a default.


Commit: d61b781976e21b8253ca72daf4b406cfa6f8e9ad
    https://github.com/openSUSE/osc/commit/d61b781976e21b8253ca72daf4b406cfa6f8e...
Author: Daniel Mach <daniel.mach@suse.com>
Date: 2024-05-30 (Thu, 30 May 2024)

Changed paths:
  M osc/util/ar.py
  A tests/fixtures/README
  A tests/fixtures/archive.ar
  A tests/test_util_ar.py

Log Message:
-----------
Forbid extracting files with absolute path from 'ar' archives (boo#1122683)

Also fix and modernize the code, add tests.


Commit: 5cbd110a844714d764cc2f04a43603d5ea55c3e4
    https://github.com/openSUSE/osc/commit/5cbd110a844714d764cc2f04a43603d5ea55c...
Author: Daniel Mach <daniel.mach@suse.com>
Date: 2024-05-30 (Thu, 30 May 2024)

Changed paths:
  M osc/util/cpio.py
  M tests/fixtures/README
  A tests/fixtures/archive.cpio
  A tests/test_util_cpio.py

Log Message:
-----------
Forbid extracting files with absolute path from 'cpio' archives (boo#1122683)

Also fix and modernize the code, add tests.


Commit: d92f2677f4b061d877f9cba96d1067227ccba7ca
    https://github.com/openSUSE/osc/commit/d92f2677f4b061d877f9cba96d1067227ccba...
Author: Daniel Mach <daniel.mach@suse.com>
Date: 2024-06-03 (Mon, 03 Jun 2024)

Changed paths:
  M osc/core.py
  M osc/util/ar.py
  M osc/util/cpio.py
  A tests/fixtures/README
  A tests/fixtures/archive.ar
  A tests/fixtures/archive.cpio
  A tests/test_util_ar.py
  A tests/test_util_cpio.py

Log Message:
-----------
Merge pull request #1571 from dmach/boo1122683-insecure

Fix insecure extraction of 'ar' and 'cpio' archives by forbidding extracting files with absolute paths


Compare: https://github.com/openSUSE/osc/compare/e98164579150...d92f2677f4b0