[Git][reproducible-builds/koji][debian] 8 commits: use QueryProcessor in get_archive_type
Holger Levsen
gitlab at salsa.debian.org
Mon Feb 25 09:30:07 CET 2019
Holger Levsen pushed to branch debian at Reproducible Builds / koji
Commits:
a77cb11c by Mike McLean at 2019-01-04T22:54:27Z
use QueryProcessor in get_archive_type
- - - - -
4015bebc by Mike McLean at 2019-01-04T22:54:27Z
fix arches handling in listHosts
- - - - -
8f92b8b9 by Mike McLean at 2019-01-04T22:54:27Z
fix typeInfo handling in list_archives
- - - - -
c2761152 by Mike McLean at 2019-01-04T22:56:20Z
fix unit test for list_archives
- - - - -
c20809ab by Mike McLean at 2019-01-04T22:56:20Z
fix unit tests for listHosts
- - - - -
35d8d3ec by Mike McLean at 2019-02-16T21:26:19Z
bump version to 1.16.2
- - - - -
97f273da by Holger Levsen at 2019-02-24T18:42:20Z
Merge tag 'koji-1.16.2' into debian
Koji 1.16.2
- - - - -
93a73aed by Holger Levsen at 2019-02-24T18:44:46Z
release as 1.16.2-1
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
7 changed files:
- debian/changelog
- docs/source/conf.py
- hub/kojihub.py
- koji.spec
- setup.py
- tests/test_hub/test_list_archives.py
- tests/test_hub/test_list_hosts.py
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+koji (1.16.2-1) unstable; urgency=medium
+
+ * New upstream version, fixing CVE-2018-1002161. Closes: #922922
+
+ -- Holger Levsen <holger at debian.org> Sun, 24 Feb 2019 19:44:30 +0100
+
koji (1.16.1-1) unstable; urgency=medium
* New upstream version.
=====================================
docs/source/conf.py
=====================================
@@ -56,7 +56,7 @@ copyright = u'2017, Mike McLean, Mike B, Dennis Gilmore, Mathieu Bridon, Ian McL
# The short X.Y version.
version = '1.16'
# The full version, including alpha/beta/rc tags.
-release = '1.16.1'
+release = '1.16.2'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
=====================================
hub/kojihub.py
=====================================
@@ -4157,8 +4157,10 @@ def list_archives(buildID=None, buildrootID=None, componentBuildrootID=None, hos
val = typeInfo[key]
if not isinstance(val, (list, tuple)):
val = [val]
- for v in val:
- clauses.append(r"""%s ~ E'\\m%s\\M'""" % (key, v))
+ for i, v in enumerate(val):
+ pkey = '%s_pattern_%i' % (key, i)
+ values[pkey] = r'\m%s\M' % v
+ clauses.append('%s ~ %%(%s)s' % (key, pkey))
elif type == 'image':
joins.append('image_archives ON archiveinfo.id = image_archives.archive_id')
fields.append(['image_archives.arch', 'arch'])
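Review bot: The last added line still builds the SQL text from `key` with `'%s ~ %%(%s)s' % (key, pkey)`, so the parameterization covers only the value; this is safe only if the keys of `typeInfo` are restricted to known column names before this loop, which the hunk does not show and is worth confirming, e.g. with a `# key is a validated column name; only the pattern is bound as data` comment above the loop. Separately, `v` is bound as a regex fragment rather than a literal, so a value containing `|`, `)` or `.*` can widen the match or surface as a regex error from the database instead of a "no match". Either restrict the value (e.g. `^\w+$`) or escape it, `values[pkey] = r'\m%s\M' % re.escape(v)`, assuming `re` is available in the module. list_archives continues outside the hunk.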
@@ -6150,13 +6152,15 @@ def get_archive_type(filename=None, type_name=None, type_id=None, strict=False):
raise koji.GenericError('one of filename, type_name, or type_id must be specified')
parts = filename.split('.')
-
+ query = QueryProcessor(
+ tables=['archivetypes'],
+ columns=['id', 'name', 'description', 'extensions'],
+ clauses=['extensions ~* %(pattern)s'],
+ )
for start in range(len(parts)-1, -1, -1):
ext = '.'.join(parts[start:])
-
- select = r"""SELECT id, name, description, extensions FROM archivetypes
- WHERE extensions ~* E'(\\s|^)%s(\\s|$)'""" % ext
- results = _multiRow(select, locals(), ('id', 'name', 'description', 'extensions'))
+ query.values['pattern'] = r'(\s|^)%s(\s|$)' % ext
+ results = query.execute()
if len(results) == 1:
return results[0]
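Review bot: `ext` is taken straight from `filename` and placed into the bound pattern on the `query.values['pattern']` line without escaping, so the parameter stops SQL injection but the extension is still interpreted as a regular expression by `~*`: an unbalanced `(` or `[` in a filename becomes a database error rather than a miss, and `|` or `.*` can make an arbitrary name match every archivetypes row. Since `.` already matches any character, an extension like `tar.gz` is matched loosely today as well. Escaping the fragment, `query.values['pattern'] = r'(\s|^)%s(\s|$)' % re.escape(ext)`, or rejecting extensions outside `[\w.]` before the loop, addresses both (assuming `re` is imported in the module). The `len(results) > 1` and `strict` handling continues outside the hunk.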
@@ -10779,8 +10783,8 @@ class RootExports(object):
# matching 'ppc64'
if not (isinstance(arches, list) or isinstance(arches, tuple)):
arches = [arches]
- archClause = [r"""arches ~ E'\\m%s\\M'""" % arch for arch in arches]
- clauses.append('(' + ' OR '.join(archClause) + ')')
+ archPattern = r'\m(%s)\M' % '|'.join(arches)
+ clauses.append('arches ~ %(archPattern)s')
if channelID is not None:
channelID = get_channel_id(channelID, strict=True)
joins.append('host_channels ON host.id = host_channels.host_id')
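Review bot: Each arch is spliced into the alternation `\m(%s)\M` as raw regex text, so a caller-supplied value such as `x86_64)|(.` or one containing `|` rewrites the pattern and broadens which hosts match; the old per-arch clauses had the same exposure, but the join makes it easier to trigger. Escaping or validating the names before building the pattern, `archPattern = r'\m(%s)\M' % '|'.join(re.escape(a) for a in arches)`, keeps the bound value a literal alternation (assuming `re` is imported). An empty list yields `\m()\M`, which cannot match; the existing bad-arch test suggests a check exists, but it is not in the hunk. The `%(archPattern)s` placeholder also depends on the query being built with the enclosing locals as its values, which lies outside the hunk.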
=====================================
koji.spec
=====================================
@@ -31,7 +31,7 @@
%define release %{baserelease}
%endif
Name: koji
-Version: 1.16.1
+Version: 1.16.2
Release: %{release}%{?dist}
License: LGPLv2
Summary: Build system tools
@@ -467,6 +467,9 @@ fi
%endif
%changelog
+* Thu Feb 21 2019 Mike McLean <mikem at redhat.com> - 1.16.2-1
+- Fix CVE-2018-1002161: SQL injection in multiple remote calls
+
* Fri Aug 17 2018 Franz Chih-Ping Hsieh <chsieh at redhat.com> - 1.16.1-1
- PR#1041: fix utf-8 output in CLI
- PR#1000: Fix target handling in make_task
=====================================
setup.py
=====================================
@@ -25,7 +25,7 @@ def get_install_requires():
setup(
name="koji",
- version="1.16.0",
+ version="1.16.2",
description=("Koji is a system for building and tracking RPMS. The base"
" package contains shared libraries and the command-line"
" interface."),
=====================================
tests/test_hub/test_list_archives.py
=====================================
@@ -174,10 +174,14 @@ class TestListArchives(DBQueryTestCase):
'btype ON archiveinfo.btype_id = btype.id',
'win_archives ON archiveinfo.id = win_archives.archive_id'],
clauses=['win_archives.relpath = %(relpath)s',
- r"platforms ~ E'\\mall\\M'",
- r"flags ~ E'\\mA\\M'",
- r"flags ~ E'\\mB\\M'"],
- values={'relpath': 'somerelpath'},
+ r"platforms ~ %(platforms_pattern_0)s",
+ r"flags ~ %(flags_pattern_0)s",
+ r"flags ~ %(flags_pattern_1)s"],
+ values={'relpath': 'somerelpath',
+ 'flags_pattern_0': '\\mA\\M',
+ 'flags_pattern_1': '\\mB\\M',
+ 'platforms_pattern_0': '\\mall\\M',
+ },
colsByAlias={'relpath': 'win_archives.relpath',
'platforms': 'win_archives.platforms',
'flags': 'win_archives.flags',
=====================================
tests/test_hub/test_list_hosts.py
=====================================
@@ -67,7 +67,7 @@ class TestListHosts(unittest.TestCase):
query = self.queries[0]
self.assertEqual(query.tables, ['host_config'])
self.assertEqual(query.joins, ['host ON host.id = host_config.host_id'])
- self.assertEqual(query.clauses, ['host_config.active IS TRUE',r"""(arches ~ E'\\mx86_64\\M')"""])
+ self.assertEqual(query.clauses, ['host_config.active IS TRUE',r"""arches ~ %(archPattern)s"""])
def test_list_hosts_multi_arch(self):
self.exports.listHosts(arches=['x86_64', 's390'])
@@ -76,7 +76,7 @@ class TestListHosts(unittest.TestCase):
query = self.queries[0]
self.assertEqual(query.tables, ['host_config'])
self.assertEqual(query.joins, ['host ON host.id = host_config.host_id'])
- self.assertEqual(query.clauses, ['host_config.active IS TRUE',r"""(arches ~ E'\\mx86_64\\M' OR arches ~ E'\\ms390\\M')"""])
+ self.assertEqual(query.clauses, ['host_config.active IS TRUE',r"""arches ~ %(archPattern)s"""])
def test_list_hosts_bad_arch(self):
with self.assertRaises(koji.GenericError):
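Review bot: The updated assertion only checks the placeholder text `arches ~ %(archPattern)s`, so the test no longer verifies which pattern is bound and a regression that dropped or mis-joined an arch would still pass. Add a check on the bound value, `self.assertEqual(query.values['archPattern'], r'\m(x86_64|s390)\M')` here and `r'\m(x86_64)\M'` in the single-arch test, assuming `query.values` exposes the bound dict as it does in the hub's QueryProcessor. The test method continues outside the hunk.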