Jan Alexander Steffens (heftig) pushed to branch main at Arch Linux / Packaging / Packages / itstool


Commits:
9ae62e6c by Levi Zim at 2025-02-13T13:17:53+08:00
Fix handling of untranslated nodes

When building the caja-actions package, a UAF can happen in itstool,
which is fixed by an upstream PR that hasn't been merged for almost
two years. As upstream is inactive, I suggest we integrate that PR
here. This makes the caja-actions package more reproducible.

- https://reproducible.archlinux.org/api/v0/builds/727962/log
- https://archriscv.felixc.at/.status/log.htm?url=logs/caja-actions/caja-actions-1.28.0-3.log

Link: https://github.com/itstool/itstool/pull/47

- - - - -


3 changed files:

- .SRCINFO
- + 0003-Fix-handling-of-untranslated-nodes.patch
- PKGBUILD


Changes:

=====================================
.SRCINFO
=====================================
@@ -13,9 +13,11 @@ pkgbase = itstool
        source = git+https://github.com/itstool/itstool?signed#tag=2.0.7
        source = 0001-Fix-the-crash-from-912099.patch
        source = 0002-Fix-insufficiently-quoted-regular-expressions.patch
+       source = 0003-Fix-handling-of-untranslated-nodes.patch
        validpgpkeys = 4E03CB89E1C8ED8E049367ABE5D9AD24CC3ADF80
        b2sums = 
316a27ad8c76d789e773298a656d9d2516277f65be968e583e953c886f94d0e2a2af49fedc79c0652571affac7851e5dd1b671dfb92b0db3537b9495c1a95616
        b2sums = 
42e496c4d0aa3c5561d259c970cb9f43835e50c94b273bc01b4e388d1d6d16f05dc00cfded631cd8fdf2c1bf28f6ec64c1e626b5bdc50c15abfa7020d398673a
        b2sums = 
da79a18dee20e10c9b9e49824a09a00cab4b22abab83f3cb00d0d899216d0cf8b9d56b79f46714360312e87ec04501f6fedb3e2b8e2dcabca18c8777361f6490
+       b2sums = 
b7601748ee4a698715e19fbe0ee4d4ed34757a090bbbbb6bc3292c29ea5956a9183bae83426a2c030884cbd0101056835669648fbff782acf51c78411b551806
 
 pkgname = itstool


=====================================
0003-Fix-handling-of-untranslated-nodes.patch
=====================================
@@ -0,0 +1,31 @@
+From e9b053be5c50c2bd69442a8484a4c9c371bc3a45 Mon Sep 17 00:00:00 2001
+From: Harald van Dijk <har...@gigawatt.nl>
+Date: Thu, 15 Jun 2023 23:18:11 +0100
+Subject: [PATCH] Fix handling of untranslated nodes
+
+If a translation is missing, get_translated returns the node it was
+called with. But ph_node when passed to get_translated is part of
+another document and cannot just be reparented, it needs to be cloned.
+The reparenting leaves things in an inconsistent state where references
+intended to refer to nodes in the original document no longer do so, and
+they may then be accessed from those references after the new document
+has already been freed.
+
+Fixes bug #36.
+---
+ itstool.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/itstool.in b/itstool.in
+index c21ad4b..a948828 100755
+--- a/itstool.in
++++ b/itstool.in
+@@ -1096,6 +1096,8 @@ class Document (object):
+                         child.replaceNode(newnode)
+                     else:
+                         repl = self.get_translated(ph_node, translations, 
strict=strict, lang=lang)
++                        if repl == ph_node:
++                            repl = repl.copyNode(1)
+                         child.replaceNode(repl)
+                 scan_node(child)
+         try:
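
Review bot: The two added lines, `if repl == ph_node:` and `repl = repl.copyNode(1)`, carry no comment, so the reason for the copy is recorded only in the patch's commit message. Suggest a short comment above the check saying that an untranslated ph_node still belongs to another document and has to be cloned before `child.replaceNode(repl)`, and what the argument 1 to copyNode selects. It is also worth confirming that `==` on these node objects means "same underlying node" rather than structural equality, since the guard is meant to fire only when get_translated returns the node it was called with.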


=====================================
PKGBUILD
=====================================
@@ -19,10 +19,12 @@ source=(
   "git+https://github.com/itstool/itstool?signed#tag=$pkgver";
   0001-Fix-the-crash-from-912099.patch
   0002-Fix-insufficiently-quoted-regular-expressions.patch
+  0003-Fix-handling-of-untranslated-nodes.patch
 )
 
b2sums=('316a27ad8c76d789e773298a656d9d2516277f65be968e583e953c886f94d0e2a2af49fedc79c0652571affac7851e5dd1b671dfb92b0db3537b9495c1a95616'
         
'42e496c4d0aa3c5561d259c970cb9f43835e50c94b273bc01b4e388d1d6d16f05dc00cfded631cd8fdf2c1bf28f6ec64c1e626b5bdc50c15abfa7020d398673a'
-        
'da79a18dee20e10c9b9e49824a09a00cab4b22abab83f3cb00d0d899216d0cf8b9d56b79f46714360312e87ec04501f6fedb3e2b8e2dcabca18c8777361f6490')
+        
'da79a18dee20e10c9b9e49824a09a00cab4b22abab83f3cb00d0d899216d0cf8b9d56b79f46714360312e87ec04501f6fedb3e2b8e2dcabca18c8777361f6490'
+        
'b7601748ee4a698715e19fbe0ee4d4ed34757a090bbbbb6bc3292c29ea5956a9183bae83426a2c030884cbd0101056835669648fbff782acf51c78411b551806')
 validpgpkeys=(
   4E03CB89E1C8ED8E049367ABE5D9AD24CC3ADF80 # Shaun McCance <sha...@redhat.com>
 )
@@ -37,6 +39,10 @@ prepare() {
   ## https://github.com/itstool/itstool/pull/51
   git apply -3 ../0002-Fix-insufficiently-quoted-regular-expressions.patch
 
+  # Fix handling of untranslated nodes
+  ## https://github.com/itstool/itstool/pull/47
+  git apply -3 ../0003-Fix-handling-of-untranslated-nodes.patch
+
   autoreconf -fvi
 }
 
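
Review bot: The comment added in prepare() gives the upstream PR link but not why the patch is carried or when it can be dropped. The commit message says the PR fixes a use-after-free seen while building caja-actions and that upstream is inactive, and the patch itself says "Fixes bug #36"; suggest putting that in the comment above the `git apply -3 ../0003-Fix-handling-of-untranslated-nodes.patch` line, with a note to remove the patch once a tagged release contains pull/47.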



View it on GitLab: 
https://gitlab.archlinux.org/archlinux/packaging/packages/itstool/-/commit/9ae62e6ca2365d342ca33b21de259a21f3c4799a
