Merge remote-tracking branch 'upstream/SLE-15-SP7' into huha-regcode-leak-master

Author: shundhammer

package/yast2.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Oct 14 13:40:00 UTC 2025 - Stefan Hundhammer <shundhammer@suse.com>
+
+- save_y2logs: Sanitize confidential data in macro_inst_initial.ycp
+  (bsc#1251768)
+- 5.0.16
+
 -------------------------------------------------------------------
 Fri Jul 18 09:38:48 UTC 2025 - Ladislav Slezák <lslezak@suse.com>
 

package/yast2.spec

@@ -17,7 +17,7 @@
 
 
 Name:           yast2
-Version:        5.0.15
+Version:        5.0.16
 
 Release:        0
 Summary:        YaST2 Main Package

scripts/save_y2logs

@@ -91,6 +91,26 @@ if [ -f /etc/install.inf ]; then
   LIST_TMP="$LIST_TMP install.inf"
 fi
 
+MACRO_INST=/var/log/YaST2/macro_inst_initial.ycp
+
+if [ -f $MACRO_INST ]; then
+    # bsc#1251768: Don't leak registration code or e-mail to the y2logs tarball
+    #
+    # UI::ChangeWidget( `id (`email),    `Value, "kilroy@example.com" ); // YInputField ...
+    # UI::ChangeWidget( `id (`reg_code), `Value, "MY-REG-CODE" );        // YInputField ...
+    #
+    # -->
+    #
+    # UI::ChangeWidget( `id (`email),	 `Value, [confidential] ); // YInputField ...
+    # UI::ChangeWidget( `id (`reg_code), `Value, [confidential] ); // YInputField ...
+    #
+    # Intentionally doing this in-place in the real /var/log/YaST2/macro_inst_initial.ycp
+
+    sed -i -E \
+        -e '/id.*(reg_code|email).*YInputField/s/(Value,\s)[^)]+(.*$)*/\1[confidential] \2/' \
+        $MACRO_INST
+fi
+
 # if storing logs at the end of installation after bootloader fail, try to store pbl log from target system
 if [ -f /mnt/var/log/pbl.log ]; then
   cp /mnt/var/log/pbl.log $TMPDIR/pbl-target.log