Version in base suite: 2.3.0-1 Base version: opam_2.3.0-1 Target version: opam_2.3.0-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/opam/opam_2.3.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/opam/opam_2.3.0-1+deb13u1.dsc changelog | 7 ++ gbp.conf | 1 patches/0001-Invalidate-.install-fields-containing-destination-fi.patch | 32 ++++++++++ patches/series | 1 4 files changed, 41 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpm4s0dxf3/opam_2.3.0-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpm4s0dxf3/opam_2.3.0-1+deb13u1.dsc: no acceptable signature found
diff -Nru opam-2.3.0/debian/changelog opam-2.3.0/debian/changelog
--- opam-2.3.0/debian/changelog 2025-01-07 10:21:36.000000000 +0000
+++ opam-2.3.0/debian/changelog 2026-04-16 13:55:31.000000000 +0000
@@ -1,3 +1,10 @@
+opam (2.3.0-1+deb13u1) trixie-security; urgency=medium
+
+ * Invalidate .install fields containing destination filepath trying to
+ escape their scope
+
+ -- Stéphane Glondu Thu, 16 Apr 2026 15:55:31 +0200
+
 opam (2.3.0-1) unstable; urgency=medium
 
 * New upstream release
diff -Nru opam-2.3.0/debian/gbp.conf opam-2.3.0/debian/gbp.conf
--- opam-2.3.0/debian/gbp.conf 2025-01-07 10:21:36.000000000 +0000
+++ opam-2.3.0/debian/gbp.conf 2026-04-16 13:47:56.000000000 +0000
@@ -1,4 +1,5 @@
 [DEFAULT]
+debian-branch = debian/trixie
 pristine-tar = True
 filter-pristine-tar = True
 filter = [
diff -Nru opam-2.3.0/debian/patches/0001-Invalidate-.install-fields-containing-destination-fi.patch opam-2.3.0/debian/patches/0001-Invalidate-.install-fields-containing-destination-fi.patch
--- opam-2.3.0/debian/patches/0001-Invalidate-.install-fields-containing-destination-fi.patch 1970-01-01 00:00:00.000000000 +0000
+++ opam-2.3.0/debian/patches/0001-Invalidate-.install-fields-containing-destination-fi.patch 2026-04-16 13:47:56.000000000 +0000
@@ -0,0 +1,32 @@
+From: Kate
+Date: Thu, 16 Apr 2026 08:11:45 +0200
+Subject: Invalidate .install fields containing destination filepath trying to
+ escape their scope
+
+Origin: https://github.com/ocaml/opam/pull/6898
+---
+ src/format/opamFile.ml | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/format/opamFile.ml b/src/format/opamFile.ml
+index 28707cc..c0b4774 100644
+--- a/src/format/opamFile.ml
++++ b/src/format/opamFile.ml
+@@ -3805,8 +3805,15 @@ module Dot_installSyntax = struct
+ Pp.V.map_list ~depth:1 @@ Pp.V.map_option
+ (Pp.V.string -| pp_optional)
+ (Pp.opt @@
+- Pp.singleton -| Pp.V.string -|
+- Pp.of_module "rel-filename" (module OpamFilename.Base))
++ Pp.singleton -| Pp.V.string -| Pp.pp ~name:"rel-filename"
++ (fun ~pos s ->
++ if OpamFilename.might_escape ~sep:`Unspecified s then
++ Pp.bad_format ~pos "%s references its parent directory." s
++ else if Filename.is_relative s then
++ OpamFilename.Base.of_string s
++ else
++ Pp.bad_format ~pos "%s is an absolute filename." s)
++ OpamFilename.Base.to_string)
+ in
+ let pp_misc =
+ Pp.V.map_list ~depth:1 @@ Pp.V.map_option
diff -Nru opam-2.3.0/debian/patches/series opam-2.3.0/debian/patches/series
--- opam-2.3.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ opam-2.3.0/debian/patches/series 2026-04-16 13:47:56.000000000 +0000
@@ -0,0 +1 @@
+0001-Invalidate-.install-fields-containing-destination-fi.patch
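Review bot: In the `src/format/opamFile.ml` hunk of the added patch, the new `rel-filename` parser validates only the optional destination component (the `Pp.opt @@ Pp.singleton` branch). The source component parsed by `Pp.V.string -| pp_optional` two lines above is unchanged, so it should be confirmed against the install code whether a source path containing `..` is rejected elsewhere. Assuming `OpamFilename.might_escape` is a purely lexical test, the check also does not cover a destination that resolves through a symlink already present in the target tree. A short comment above the closure would record the intent, e.g. `(* reject destinations that are absolute or reference a parent directory, so a .install field cannot escape its scope *)`. The backport adds no regression test; a `.install` fixture with one parent-relative and one absolute destination, both expected to fail with `bad_format`, would pin the behaviour on the stable branch. The enclosing `Dot_installSyntax` definition starts and ends outside the hunk.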