Hello community,

here is the log from the commit of package libjansson.2640 for openSUSE:12.3:Update checked in at 2014-03-19 10:29:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/libjansson.2640 (Old)
 and /work/SRC/openSUSE:12.3:Update/.libjansson.2640.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libjansson.2640" Changes: -------- New Changes file: --- /dev/null 2014-02-13 01:09:38.344032506 +0100 +++ /work/SRC/openSUSE:12.3:Update/.libjansson.2640.new/libjansson.changes 2014-03-19 10:29:51.000000000 +0100 
@@ -0,0 +1,52 @@ +------------------------------------------------------------------- +Mon Mar 10 12:44:38 UTC 2014 - [email protected] + +- fix CVE-2013-6401: hash table collisions CPU usage DoS + (bnc#863301). +- fix "make check" for ppc64 arch. + +- added patches: + * CVE-2013-6401.patch + * fix-ppc64.patch +------------------------------------------------------------------- +Wed Nov 28 19:42:17 CET 2012 - [email protected] + +- Verify GPG signature. + +------------------------------------------------------------------- +Sat May 12 15:18:44 UTC 2012 - [email protected] + +- Update to new upstream release 2.3.1 +* Add support for optional object keys with the "{s?o}" syntax + in json_unpack and the like +* Add json_object_update_existing() and json_object_update_missing() + for updating only existing keys or only adding missing keys to an + object. +* Add json_object_foreach() for more convenient iteration over + objects. +* When decoding JSON, write the number of bytes that were read from + input to "error.position" also on success. This is handy with + JSON_DISABLE_EOF_CHECK. +* Add support for decoding any JSON value, not just arrays or + objects. The support is enabled with the new "JSON_DECODE_ANY" + flag. +* Avoid problems with object's serial number growing too big. +* Remove "+" and leading zeros from exponents in the encoder. +* Decoding functions now return NULL if the first argument is NULL. + +------------------------------------------------------------------- +Tue Jan 31 16:50:56 UTC 2012 - [email protected] + +- Provide pkgconfig symbols + +------------------------------------------------------------------- +Fri Oct 21 16:03:16 UTC 2011 - [email protected] + +- Remove redundant tags/sections (cf. 
specfile guidelines) +- Centralize the shlib package name + +------------------------------------------------------------------- +Mon Oct 17 14:53:08 UTC 2011 - [email protected] + +- Create initial package (v2.2.1) + New: ---- CVE-2013-6401.patch fix-ppc64.patch jansson-2.3.1.tar.gz jansson-2.3.1.tar.gz.asc libjansson.changes libjansson.keyring libjansson.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libjansson.spec ++++++ # # spec file for package libjansson # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libjansson %define lname libjansson4 Summary: C library for encoding, decoding and manipulating JSON data License: MIT Group: Development/Libraries/C and C++ Version: 2.3.1 Release: 0 Url: http://digip.org/jansson/ Source: jansson-%version.tar.gz Source2: jansson-%version.tar.gz.asc Source3: %name.keyring Patch0: CVE-2013-6401.patch Patch1: fix-ppc64.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gpg-offline BuildRequires: pkgconfig %description Jansson is a C library for encoding, decoding and manipulating JSON data. 
It features: * Simple and intuitive API and data model * Comprehensive documentation * No dependencies on other libraries * Full Unicode support (UTF-8) * Extensive test suite %package -n %lname Summary: C library for encoding, decoding and manipulating JSON data Group: Development/Libraries/C and C++ %description -n %lname Jansson is a C library for encoding, decoding and manipulating JSON data. It features: * Simple and intuitive API and data model * Comprehensive documentation * No dependencies on other libraries * Full Unicode support (UTF-8) * Extensive test suite %package devel Summary: Development files for libjansson Group: Development/Libraries/C and C++ Requires: %lname = %version %description devel Jansson is a C library for encoding, decoding and manipulating JSON data. It features: * Simple and intuitive API and data model * Comprehensive documentation * No dependencies on other libraries * Full Unicode support (UTF-8) * Extensive test suite %prep %gpg_verify %{S:2} %setup -q -n jansson-%{version} %patch0 -p1 %ifarch ppc64 %patch1 -p1 %endif %build %configure --disable-static make %{?_smp_mflags} %install %makeinstall rm -f "%buildroot/%_libdir"/*.la; %check make check %post -n %lname -p /sbin/ldconfig %postun -n %lname -p /sbin/ldconfig %files -n %lname %defattr(-,root,root) %{_libdir}/libjansson.so.4* %files devel %defattr(-,root,root) %{_includedir}/jansson.h %{_includedir}/jansson_config.h %{_libdir}/libjansson.so %{_libdir}/pkgconfig/jansson.pc %changelog ++++++ CVE-2013-6401.patch ++++++ diff -Naur a/src/hashtable.c b/src/hashtable.c --- a/src/hashtable.c 2012-03-20 19:56:00.000000000 +0100 +++ b/src/hashtable.c 2014-03-10 16:39:21.044317074 +0100 @@ -10,6 +10,7 @@ #include <jansson_config.h> /* for JSON_INLINE */ #include "jansson_private.h" /* for container_of() */ #include "hashtable.h" +#include <sys/time.h> typedef struct hashtable_list list_t; typedef struct hashtable_pair pair_t; 
@@ -21,17 +22,25 @@ static size_t hash_str(const void *ptr) { const char *str = (const char *)ptr; + static size_t hashxor = 0; size_t hash = 5381; size_t c; + if (!hashxor) { + struct timeval tv; + gettimeofday(&tv,NULL); + + hashxor = tv.tv_usec; + } + while((c = (size_t)*str)) { hash = ((hash << 5) + hash) + c; str++; } - return hash; + return hash ^ hashxor; } static JSON_INLINE void list_init(list_t *list) diff -Naur a/test/suites/api/test_object.c b/test/suites/api/test_object.c --- a/test/suites/api/test_object.c 2012-03-20 19:56:00.000000000 +0100 +++ b/test/suites/api/test_object.c 2014-03-10 16:26:34.579305573 +0100 @@ -249,7 +249,11 @@ static void test_iterators() { + int i; json_t *object, *foo, *bar, *baz; + const char *iter_keys[3]; + int have_key[3] = { 0, 0, 0 }; + json_t *iter_values[3]; void *iter; if(json_object_iter(NULL)) 
@@ -276,30 +280,50 @@ iter = json_object_iter(object); if(!iter) fail("unable to get iterator"); - if(strcmp(json_object_iter_key(iter), "a")) - fail("iterating failed: wrong key"); - if(json_object_iter_value(iter) != foo) - fail("iterating failed: wrong value"); + iter_keys[0] = json_object_iter_key(iter); + iter_values[0] = json_object_iter_value(iter); iter = json_object_iter_next(object, iter); if(!iter) fail("unable to increment iterator"); - if(strcmp(json_object_iter_key(iter), "b")) - fail("iterating failed: wrong key"); - if(json_object_iter_value(iter) != bar) - fail("iterating failed: wrong value"); + iter_keys[1] = json_object_iter_key(iter); + iter_values[1] = json_object_iter_value(iter); iter = json_object_iter_next(object, iter); if(!iter) fail("unable to increment iterator"); - if(strcmp(json_object_iter_key(iter), "c")) - fail("iterating failed: wrong key"); - if(json_object_iter_value(iter) != baz) - fail("iterating failed: wrong value"); + iter_keys[2] = json_object_iter_key(iter); + iter_values[2] = json_object_iter_value(iter); if(json_object_iter_next(object, iter) != NULL) fail("able to iterate over the end"); + /* Check that keys have correct values */ + for (i = 0; i < 3; i++) { + if (strcmp(iter_keys[i], "a") == 0) { + if (iter_values[i] != foo) + fail("wrong value for iter key a"); + else + have_key[0] = 1; + } else if (strcmp(iter_keys[i], "b") == 0) { + if (iter_values[i] != bar) + fail("wrong value for iter key b"); + else + have_key[1] = 1; + } else if (strcmp(iter_keys[i], "c") == 0) { + if (iter_values[i] != baz) + fail("wrong value for iter key c"); + else + have_key[2] = 1; + } + } + + /* Check that we got all keys */ + for(i = 0; i < 3; i++) { + if(!have_key[i]) + fail("a key wasn't iterated over"); + } + if(json_object_iter_at(object, "foo")) fail("json_object_iter_at() succeeds for non-existent key"); 
@@ -312,22 +336,14 @@ if(json_object_iter_value(iter) != bar) fail("iterating failed: wrong value"); - iter = json_object_iter_next(object, iter); - if(!iter) - fail("unable to increment iterator"); - if(strcmp(json_object_iter_key(iter), "c")) - fail("iterating failed: wrong key"); - if(json_object_iter_value(iter) != baz) - fail("iterating failed: wrong value"); - - if(json_object_iter_set(object, iter, bar)) + if(json_object_iter_set(object, iter, baz)) fail("unable to set value at iterator"); - if(strcmp(json_object_iter_key(iter), "c")) + if(strcmp(json_object_iter_key(iter), "b")) fail("json_object_iter_key() fails after json_object_iter_set()"); - if(json_object_iter_value(iter) != bar) + if(json_object_iter_value(iter) != baz) fail("json_object_iter_value() fails after json_object_iter_set()"); - if(json_object_get(object, "c") != bar) + if(json_object_get(object, "b") != baz) fail("json_object_get() fails after json_object_iter_set()"); json_decref(object); ++++++ fix-ppc64.patch ++++++ Index: jansson-2.3.1/test/suites/api/check-exports =================================================================== --- jansson-2.3.1.orig/test/suites/api/check-exports +++ jansson-2.3.1/test/suites/api/check-exports 
@@ -96,7 +96,7 @@ SOFILE="../src/.libs/libjansson.so" nm -D $SOFILE >/dev/null >$test_log/symbols 2>/dev/null \ || exit 77 # Skip if "nm -D" doesn't seem to work -grep ' T ' $test_log/symbols | cut -d' ' -f3 | sort >$test_log/output +grep -E ' [DT] ' $test_log/symbols | cut -d' ' -f3 | sort >$test_log/output if ! cmp -s $test_log/exports $test_log/output; then diff -u $test_log/exports $test_log/output >&2 ++++++ libjansson.keyring ++++++ pub 1024D/D4E39B36 2007-01-29 uid Petri Lehtinen <[email protected]> sub 2048g/95EC06E7 2007-01-29
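Review bot: In the hash_str() hunk of src/hashtable.c (CVE-2013-6401.patch), `return hash ^ hashxor;` applies the secret only after the loop has finished, so two keys that leave the loop `hash = ((hash << 5) + hash) + c;` with the same value still have the same value after the XOR, and which keys collide with each other does not depend on the seed at all. The seed needs to take part in the mixing for every input byte (a keyed hash) rather than being applied to the result. Separately, `if (!hashxor)` uses the seed itself as the "already initialised" flag: when `tv.tv_usec` reads 0 the seed is drawn again on a later call, and keys stored in the meantime were hashed with a different value than later lookups use, so a separate flag is needed. tv_usec also has at most 1,000,000 distinct values, and the static is written without synchronisation by whichever thread hashes first; a stronger entropy source and a one-time initialisation would address both.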
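Review bot: In the key-checking loop added to test_iterators() (test/suites/api/test_object.c, hunk at -276,30), the if / else-if chain has no final else, so an iterator key that is none of "a", "b" or "c" is skipped silently and only shows up afterwards as "a key wasn't iterated over", and a key returned twice simply sets the same have_key slot again. Add a closing `else fail("unexpected iter key");` and fail when have_key[n] is already set, so the message names the actual fault instead of a missing key.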
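Review bot: The last test_object.c hunk (at -312,22) deletes the json_object_iter_next() step taken from the iterator that the remaining checks show is positioned on "b", so advancing from that iterator is no longer exercised by the test. The successor of "b" is no longer fixed, but the call can stay with order-independent assertions, for example that the result is either NULL or an entry whose key is not "b", before the json_object_iter_set() checks run on the "b" iterator.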
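Review bot: In fix-ppc64.patch, the changed line `grep -E ' [DT] ' $test_log/symbols` carries no comment saying why symbols of type D are now counted as exports; the only hint is the changelog entry about "make check" on ppc64, presumably because `nm -D` reports the exported functions as D there. Put that reason in a comment above the grep so the pattern is not narrowed back to ' T ' later. Since libjansson.spec applies this patch only under %ifarch ppc64 while the script change itself is architecture-neutral, it is also worth stating in the patch header whether it is meant to stay conditional.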
