From 02a3b715f471311fa758fc5088512bac047aab9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ladislav=20Slez=C3=A1k?=
Date: Mon, 14 Oct 2024 16:58:13 +0200
Subject: [PATCH 1/2] Fixed shell injection vulnerability in the internal API

---
 service/lib/agama/manager.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/service/lib/agama/manager.rb b/service/lib/agama/manager.rb
index 51067c0e1f..3874d4b71d 100644
--- a/service/lib/agama/manager.rb
+++ b/service/lib/agama/manager.rb
@@ -19,6 +19,8 @@
 # To contact SUSE LLC about this file by physical or electronic mail, you may
 # find current contact information at www.suse.com.
 
+require "shellwords"
+
 require "yast"
 require "agama/config"
 require "agama/network"
@@ -236,7 +238,7 @@ def valid?
 #
 # @return [String] path to created archive
 def collect_logs(path: nil)
- opt = "-d #{path}" unless path.nil? || path.empty?
+ opt = "-d #{path.shellescape}" unless path.nil? || path.empty?
 
 `agama logs store #{opt}`.strip
 end

From c26892217fd816103eef563ce8527f2e0769a7ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ladislav=20Slez=C3=A1k?=
Date: Mon, 14 Oct 2024 17:03:34 +0200
Subject: [PATCH 2/2] Changes

---
 service/package/rubygem-agama-yast.changes | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/service/package/rubygem-agama-yast.changes b/service/package/rubygem-agama-yast.changes
index ad56095053..68d9fe4acc 100644
--- a/service/package/rubygem-agama-yast.changes
+++ b/service/package/rubygem-agama-yast.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 14 14:52:26 UTC 2024 - Ladislav Slezák
+
+- Fixed shell injection vulnerability in the internal API
+ (gh#agama-project/agama#1668)
+
 -------------------------------------------------------------------
 Tue Oct 8 12:25:08 UTC 2024 - Ancor Gonzalez Sosa
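Review bot: `path.shellescape` in the new `opt = ...` line of `collect_logs` neutralises the metacharacters for this backtick call, but the command line is still handed to a shell, so the fix depends on the escaping matching whatever shell parses it; building an argv array and running it with `IO.popen(cmd, &:read)` never invokes a shell, needs no escaping, and makes the new `require "shellwords"` in the first hunk unnecessary. The exit status is also never inspected, so a failing `agama logs store` returns whatever it printed (possibly an empty string) although the docstring promises the created archive's path — at least a `$?.success?` check seems warranted, whether it raises or logs depends on what the caller expects. A rewrite of the method body along these lines follows; the enclosing class continues outside the hunk.
```ruby
def collect_logs(path: nil)
  cmd = ["agama", "logs", "store"]
  # argv form: the binary is exec'ed directly, no shell ever parses `path`
  cmd.push("-d", path) unless path.nil? || path.empty?
  output = IO.popen(cmd, &:read).strip
  raise "agama logs store failed (exit #{$?.exitstatus})" unless $?.success?

  output
end
```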