From ca3075f0a05ab90ddd515a4fdc1c4b4faeea7057 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 10 2020 09:46:57 +0000
Subject: import librepo-1.8.1-8.el7_9


---

diff --git a/SOURCES/0001-Validate-path-read-from-repomd.xml-RhBug-1866500.patch b/SOURCES/0001-Validate-path-read-from-repomd.xml-RhBug-1866500.patch
new file mode 100644
index 0000000..97715bf
--- /dev/null
+++ b/SOURCES/0001-Validate-path-read-from-repomd.xml-RhBug-1866500.patch
@@ -0,0 +1,46 @@
+From 094704af59677596e09d5205a801aa26ef477378 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
+Date: Thu, 13 Aug 2020 13:48:58 +0200
+Subject: [PATCH] Validate path read from repomd.xml (RhBug:1866500)
+
+---
+ librepo/yum.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/librepo/yum.c b/librepo/yum.c
+index 6d36562..a5eeb9c 100644
+--- a/librepo/yum.c
++++ b/librepo/yum.c
+@@ -22,6 +22,7 @@
+ #define _DEFAULT_SOURCE
+ 
+ #include <stdio.h>
++#include <libgen.h>
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <errno.h>
+@@ -573,6 +574,21 @@ prepare_repo_download_targets(LrHandle *handle,
+         if (!lr_yum_repomd_record_enabled(handle, record->type, repomd->records))
+             continue;
+ 
++        char *dest_dir = realpath(handle->destdir, NULL);
++        path = lr_pathconcat(handle->destdir, record->location_href, NULL);
++        char *requested_dir = realpath(dirname(path), NULL);
++        lr_free(path);
++        if (!g_str_has_prefix(requested_dir, dest_dir)) {
++            g_debug("%s: Invalid path: %s", __func__, record->location_href);
++            g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", record->location_href);
++            g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free);
++            free(requested_dir);
++            free(dest_dir);
++            return FALSE;
++        }
++        free(requested_dir);
++        free(dest_dir);
++
+         path = lr_pathconcat(destdir, record->location_href, NULL);
+         fd = open(path, O_CREAT|O_TRUNC|O_RDWR, 0666);
+         if (fd < 0) {
+-- 
+2.28.0
+
diff --git a/SPECS/librepo.spec b/SPECS/librepo.spec
index e9b33f9..be6b31e 100644
--- a/SPECS/librepo.spec
+++ b/SPECS/librepo.spec
@@ -10,7 +10,7 @@
 
 Name:           librepo
 Version:        1.8.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        Repodata downloading library
 
 Group:          System Environment/Libraries
@@ -18,6 +18,8 @@ License:        LGPLv2+
 URL:            https://github.com/rpm-software-management/librepo
 Source0:        %{url}/archive/%{name}-%{version}/%{name}-%{version}.tar.gz
 
+Patch1:         0001-Validate-path-read-from-repomd.xml-RhBug-1866500.patch
+
 BuildRequires:  check-devel
 BuildRequires:  cmake
 BuildRequires:  gcc
@@ -145,6 +147,9 @@ popd
 %endif
 
 %changelog
+* Thu Aug 13 2020 Ales Matej <amatej@redhat.com> - 1.8.1-8
+- Validate paths read from repomd.xml (RhBug: 1866500)
+
 * Fri Jun 08 2018 Marek Blaha <mblaha@redhat.com> - 1.8.1-1
 - Add yumrecord substitution mechanism (mluscon)
 - Fix a memory leak in signature verification (cwalters)