File _patchinfo of Package patchinfo.35094

<patchinfo incident="35094">
  <issue tracker="cve" id="2024-22034"/>
  <issue tracker="bnc" id="1221340">qemu: fails to build with osc</issue>
  <issue tracker="bnc" id="1218170">osc buildhistory error if in a git directory</issue>
  <issue tracker="bnc" id="1225911">VUL-0: EMBARGOED: CVE-2024-22034: osc: possibility to overwrite special files in .osc</issue>
  <issue tracker="bnc" id="1122683">AUDIT-FIND: osc: deprecate insecure APIs</issue>
  <issue tracker="bnc" id="1212476">patch shebang line match the python version required in the package</issue>
  <packager>dmach</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for osc</summary>
  <description>This update for osc fixes the following issues:

- 1.9.0
  - Security:
    - Fix possibility to overwrite special files in .osc (CVE-2024-22034 bsc#1225911)
      Source files are now stored in the 'sources' subdirectory, which prevents
      name collisions. This requires changing the version of the '.osc' store to 2.0.
  - Command-line:
    - Introduce build --checks parameter
  - Library:
    - OscConfigParser: Remove automatic __name__ option

- 1.8.3
  - Command-line:
    - Change 'repairwc' command to always run all repair steps
  - Library:
    - Make most of the fields in KeyinfoPubkey and KeyinfoSslcert models optional
    - Fix colorize() to avoid wrapping empty string into color escape sequences
    - Provide default values for kwargs.get/pop in get_results() function

- 1.8.2
  - Library:
    - Change 'repairwc' command to fix missing .osc/_osclib_version
    - Make error message in check_store_version() more generic to work for both projects and packages
    - Fix check_store_version in project store

- 1.8.1
  - Command-line:
    - Fix 'linkpac' command crash when used with '--disable-build' or '--disable-publish' option

- 1.8.0
  - Command-line:
    - Improve 'submitrequest' command to inherit description from superseded request
    - Fix 'mv' command when renaming a file multiple times
    - Improve 'info' command to support projects
    - Improve 'getbinaries' command by accepting '-M' / '--multibuild-package' option outside checkouts
    - Add architecture filtering to 'release' command
    - Change 'results' command so the normal and multibuild packages have the same output
    - Change 'results' command to use csv writer instead of formatting csv as string
    - Add errors for a couple of mutually exclusive options to 'results' command
    - Set a default value for 'results --format' only for the csv output
    - Add support for 'results --format' for the default text mode
    - Update help text for '--format' option in 'results' command
    - Add 'results --fail-on-error/-F' flag
    - Redirect venv warnings from stderr to debug output
  - Configuration:
    - Fix config parser to throw an exception on duplicate sections or options
    - Modify conf.get_config() to print permissions warning to stderr rather than stdout
  - Library:
    - Run check_store_version() in obs_scm.Store and fix related code in Project and Package
    - Forbid extracting files with absolute path from 'cpio' archives (bsc#1122683)
    - Forbid extracting files with absolute path from 'ar' archives (bsc#1122683)
    - Remove no longer valid warning from core.unpack_srcrpm()
    - Make obs_api.KeyinfoSslcert keyid and fingerprint fields optional
    - Fix return value in build.create_build_descr_data()
    - Fix core.get_package_results() to obey 'multibuild_packages' argument
  - Tests:
    - Fix tests so they don't modify fixtures

- 1.7.0
  - Command-line:
    - Add 'person search' command
    - Add 'person register' command
    - Add '-M/--multibuild-package' option to '[what]dependson' commands
    - Update '-U/--user' option in 'maintainer' command to accept also an email address
    - Fix 'branch' command to allow using '--new-package' option on packages that do not exist
    - Fix 'buildinfo' command to include obs:cli_debug_packages by default
    - Fix 'buildinfo' command to send complete local build environment as the 'build' command does
    - Fix 'maintainer --devel-project' to raise an error if running outside a working copy without any arguments
    - Fix handling arguments in 'service remoterun prj/pac'
    - Fix 'rebuild' command so the '--all' option conflicts with the 'package' argument
    - Fix crash when removing 'scmsync' element from dst package meta in 'linkpac' command
    - Fix crash when reading dst package meta in 'linkpac' command
    - Allow `osc rpmlint` to infer prj/pkg from CWD
    - Propagate exit code from the run() and do_() commandline methods
    - Give a hint where a scmsync git is hosted
    - Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
    - Improve 'updatepacmetafromspec' command to expand rpm spec macros by calling rpmspec to query the data
    - Improve 'build' and 'buildinfo' commands by uploading *.inc files to OBS for parsing BuildRequires (bsc#1221340)
    - Improve 'service' command by printing names of running services
    - Improve 'getbinaries' command by ignoring source and debuginfo filters when a binary name is specified
    - Change 'build' command to pass '--jobs' option to 'build' tool only if 'build_jobs' &gt; 0
    - Clarify 'list' command's help that listing binaries doesn't contain md5 checksums
    - Improve 'log' command: produce proper CSV and XML outputs, add -p/--patch option for the text output
    - Allow setlinkrev to set a specific vrev
    - Document '--buildtool-opt=--noclean' example in 'build' command's help
    - Fix handling the default package argument on the command-line
  - Configuration:
    - Document loading configuration from env variables
  - Connection:
    - Don't retry on error 400
    - Remove now unused 'retry_on_400' http_request() option from XmlModel
    - Revert "Don't retry on 400 HTTP status code in core.server_diff()"
    - Revert "connection: Allow disabling retry on 400 HTTP status code"
  - Authentication:
    - Update SignatureAuthHandler to support specifying ssh key by its fingerprint
    - Use ssh key from ssh agent that contains comment 'obs=&lt;apiurl-hostname&gt;'
    - Use strings instead of bytes in SignatureAuthHandler
    - Cache password from SecretService to avoid spamming user with an accept dialog
    - Never ask for credentials when displaying help
    - Remove unused SignatureAuthHandler.get_fingerprint()
  - Library:
    - Add rootless build support for 'qemu' VM type
    - Support package linking of packages from scmsync projects
    - Fix do_createrequest() function to return None instead of request id
    - Replace invalid 'if' with 'elif' in BaseModel.dict()
    - Fix crash when no preferred packages are defined
    - Add XmlModel class that encapsulates manipulation with XML
    - Add obs_api.Person.cmd_register() for registering new users
    - Fix conf.get_config() to ignore file type bits when comparing oscrc perms
    - Fix conf.get_config() to correctly handle overrides when env variables are set
    - Fix output.tty.IS_INTERACTIVE when os.isatty() throws OSError
    - Improve cmdln.HelpFormatter to obey newline characters
    - Update list of color codes in 'output.tty' module
    - Remove core.setDevelProject() in favor of core.set_devel_project()
    - Move removing control characters to output.sanitize_text()
    - Improve sanitize_text() to keep selected CSI escape sequences
    - Add output.pipe_to_pager() that pipes lines to a pager without creating an intermediate temporary file
    - Fix output.safe_write() in connection with NamedTemporaryFile
    - Modernize output.run_pager()
    - Extend output.print_msg() to accept 'error' and 'warning' values of 'to_print' argument
    - Add XPathQuery class for translating keyword arguments to an xpath query
    - Add obs_api.Keyinfo class
    - Add obs_api.Package class
    - Add Package.get_revision_list() for listing commit log
    - Add obs_api.PackageSources class for handling OBS SCM sources
    - Add obs_api.Person class
    - Add obs_api.Project class
    - Add obs_api.Request class
    - Add obs_api.Token class
    - Allow storing apiurl in the XmlModel instances
    - Allow retrieving default field value from top-level model
    - Fix BaseModel to convert dictionaries to objects on retrieving a model list
    - Fix BaseModel to always deepcopy mutable defaults on first use
    - Implement do_snapshot() and has_changed() methods to determine changes in BaseModel
    - Implement total ordering on BaseModel
    - Add comments with available attributes/elements to edited XML
  - Refactoring:
    - Migrate repo {list,add,remove} commands to obs_api.Project
    - Migrate core.show_package_disabled_repos() to obs_api.Package
    - Migrate core.Package.update_package_meta() to obs_api.Package
    - Migrate core.get_repos_of_project() to obs_api.Project
    - Migrate core.get_repositories_of_project() to obs_api.Project
    - Migrate core.show_scmsync() to obs_api.{Package,Project}
    - Migrate core.set_devel_project() to obs_api.Package
    - Migrate core.show_devel_project() to obs_api.Package
    - Migrate Fetcher.run() to obs_api.Keyinfo
    - Migrate core.create_submit_request() to obs_api.Request
    - Migrate 'token' command to obs_api.Token
    - Migrate 'whois/user' command to obs_api.Person
    - Migrate 'signkey' command to obs_api.Keyinfo
    - Move print_msg() to the 'osc.output' module
    - Move run_pager() and get_default_pager() from 'core' to 'output' module
    - Move core.Package to obs_scm.Package
    - Move core.Project to obs_scm.Project
    - Move functions manipulating store from core to obs_scm.store
    - Move store.Store to obs_scm.Store
    - Move core.Linkinfo to obs_scm.Linkinfo
    - Move core.Serviceinfo to obs_scm.Serviceinfo
    - Move core.File to obs_scm.File
    - Merge _private.project.ProjectMeta into obs_api.Project
  - Spec:
    - Remove dependency on /usr/bin/python3 using %python3_fix_shebang macro (bsc#1212476)

- 1.6.2
  - Command-line:
    - Fix 'branch' command to allow using '--new-package' option on packages that do not exist
    - Fix 'buildinfo' command to include obs:cli_debug_packages by default
    - Fix 'buildinfo' command to send complete local build environment as the 'build' command does
    - Allow `osc rpmlint` to infer prj/pkg from CWD
    - Propagate exit code from the run() and do_() commandline methods
    - Give a hint where a scmsync git is hosted
    - Fix crash in 'updatepacmetafromspec' command when working with an incomplete spec
  - Authentication:
    - Cache password from SecretService to avoid spamming user with an accept dialog
    - Never ask for credentials when displaying help
  - Library:
    - Support package linking of packages from scmsync projects
    - Fix do_createrequest() function to return None instead of request id
    - Replace invalid 'if' with 'elif' in BaseModel.dict()
    - Fix crash when no preferred packages are defined

- 1.6.1
  - Command-line:
    - Use busybox compatible commands for completion
    - Change 'wipe' command to use the new get_user_input() function
    - Fix error 500 in running 'meta attribute &lt;prj&gt;'
  - Configuration:
    - Fix resolving config symlink to the actual config file
    - Honor XDG_CONFIG_HOME and XDG_CACHE_HOME env vars
    - Warn about ignoring XDG_CONFIG_HOME and ~/.config/osc/oscrc if ~/.oscrc exists
  - Library:
    - Error out when branching a scmsync package
    - New get_user_input() function for consistent handling of user input
    - Move xml_indent, xml_quote and xml_unquote to osc.util.xml module
    - Refactor makeurl(), deprecate query taking string or list arguments, drop osc_urlencode()
    - Remove all path quoting, rely on makeurl()
    - Always use dict query in makeurl()
    - Fix core.slash_split() to strip both leading and trailing slashes

- 1.6.0
  - Command-line:
    - The 'token --trigger' command no longer sets '--operation=runservice' by default.
    - Change 'token --create' command to require '--operation'
    - Fix 'linkdiff' command error 400: prj/pac/md5 not in repository
    - Update 'build' command to support building 'productcompose' build type with updateinfo.xml data
    - Don't show meter in terminals that are not interactive
    - Fix traceback when running osc from an arbitrary git repo that fails to map branch to a project (bsc#1218170)
  - Configuration:
    - Implement reading credentials from environmental variables
    - Allow starting with an empty config if --configfile is either empty or points to /dev/null
    - Implement 'quiet' conf option
    - Password can be an empty string (commonly used with ssh auth)
  - Connection:
    - Allow -X HEAD on osc api requests as well
  - Library:
    - Fix credentials managers to consistently return Password
    - Fix Password.encode() on python &lt; 3.8
    - Refactor 'meter' module, use config settings to pick the right class
    - Convert to using f-strings
    - Use Field.get_callback to handle quiet/verbose and http_debug/http_full_debug options
    - Implement get_callback that allows modifying returned value to the Field class
    - Add support for List[BaseModel] type to Field class
    - Report class name when reporting an error during instantiating BaseModel object
    - Fix exporting an empty model field in BaseModel.dict()
    - Fix initializing a sub-model instance from a dictionary
    - Implement 'Enum' support in models
    - Fix Field.origin_type for Optional types
    - Drop unused 'exclude_unset' argument from BaseModel.dict() method
    - Store cached model defaults in self._defaults, avoid sharing references to mutable defaults
    - Limit model attributes to predefined fields by forbidding creating new attributes on fly
    - Store model values in self._values dict instead of private attributes
  - Spec:
    - Recommend openssh-clients for ssh-add that is required during ssh auth
    - Add 0%{?amzn} macro that wasn't upstreamed
</description>
</patchinfo>