Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package hiredis for openSUSE:Factory checked in at 2021-10-08 00:24:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/hiredis (Old) and /work/SRC/openSUSE:Factory/.hiredis.new.2443 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "hiredis" Fri Oct 8 00:24:37 2021 rev:10 rq: version:1.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/hiredis/hiredis.changes 2021-10-08 00:07:00.253850330 +0200 +++ /work/SRC/openSUSE:Factory/.hiredis.new.2443/hiredis.changes 2021-10-08 00:24:38.351636527 +0200 @@ -2,7 +1,0 @@ -Wed Oct 6 20:11:38 UTC 2021 - Andreas Stieger <[email protected]> - -- hiredis 1.0.1: - * CVE-2021-32765: integer overflow if provided maliciously - crafted or corrupted RESP mult-bulk protocol data boo#1191331 - -------------------------------------------------------------------- Old: ---- v1.0.1.tar.gz New: ---- v1.0.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hiredis.spec ++++++ --- /var/tmp/diff_new_pack.OgTM8Q/_old 2021-10-08 00:24:38.747637191 +0200 +++ /var/tmp/diff_new_pack.OgTM8Q/_new 2021-10-08 00:24:38.747637191 +0200 @@ -1,7 +1,7 @@ # # spec file for package hiredis # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,9 +16,9 @@ # -%global libname lib%{name}1_0_1 +%global libname lib%{name}1_0_0 Name: hiredis -Version: 1.0.1 +Version: 1.0.0 Release: 0 Summary: Minimalistic C client for Redis License: BSD-3-Clause @@ -27,8 +27,7 @@ Source0: https://github.com/redis/hiredis/archive/v%{version}.tar.gz Patch0: relocatable_executable.patch BuildRequires: pkgconfig -BuildRequires: pkgconfig(libcrypto) -BuildRequires: pkgconfig(libssl) +BuildRequires: libopenssl-devel %description Hiredis is a minimalistic C client library for the ++++++ v1.0.1.tar.gz -> v1.0.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiredis-1.0.1/CHANGELOG.md new/hiredis-1.0.0/CHANGELOG.md --- old/hiredis-1.0.1/CHANGELOG.md 2021-10-04 22:08:51.000000000 +0200 +++ new/hiredis-1.0.0/CHANGELOG.md 2020-08-03 20:18:07.000000000 +0200 @@ -1,13 +1,3 @@ -## [1.0.1](https://github.com/redis/hiredis/tree/v1.0.1) - (2021-10-04) - -Announcing Hiredis v1.0.1, a security release fixing CVE-2021-32765 - -- Fix for [CVE-2021-32765](https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2) - [commit](https://github.com/redis/hiredis/commit/76a7b10005c70babee357a7d0f2becf28ec7ed1e) - ([Yossi Gottlieb](https://github.com/yossigo)) - -_Thanks to [Yossi Gottlieb](https://github.com/yossigo) for the security fix and to [Microsoft Security Vulnerability Research](https://www.microsoft.com/en-us/msrc/msvr) for finding the bug._ :sparkling_heart: - ## [1.0.0](https://github.com/redis/hiredis/tree/v1.0.0) - (2020-08-03) Announcing Hiredis v1.0.0, which adds support for RESP3, SSL connections, allocator injection, and better Windows support! :tada: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiredis-1.0.1/README.md new/hiredis-1.0.0/README.md --- old/hiredis-1.0.1/README.md 2021-10-04 22:08:51.000000000 +0200 +++ new/hiredis-1.0.0/README.md 2020-08-03 20:18:07.000000000 +0200 @@ -22,10 +22,6 @@ The library comes with multiple APIs. There is the *synchronous API*, the *asynchronous API* and the *reply parsing API*. -## Upgrading to `1.0.1` - -Version 1.0.1 is simply 1.0.0 with a fix for [CVE-2021-32765](https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2). They are otherwise identical. - ## Upgrading to `1.0.0` Version 1.0.0 marks the first stable release of Hiredis. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiredis-1.0.1/hiredis.c new/hiredis-1.0.0/hiredis.c --- old/hiredis-1.0.1/hiredis.c 2021-10-04 22:08:51.000000000 +0200 +++ new/hiredis-1.0.0/hiredis.c 2020-08-03 20:18:07.000000000 +0200 @@ -174,7 +174,6 @@ return NULL; if (elements > 0) { - if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL; /* Don't overflow */ r->element = hi_calloc(elements,sizeof(redisReply*)); if (r->element == NULL) { freeReplyObject(r); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiredis-1.0.1/hiredis.h new/hiredis-1.0.0/hiredis.h --- old/hiredis-1.0.1/hiredis.h 2021-10-04 22:08:51.000000000 +0200 +++ new/hiredis-1.0.0/hiredis.h 2020-08-03 20:18:07.000000000 +0200 @@ -47,8 +47,8 @@ #define HIREDIS_MAJOR 1 #define HIREDIS_MINOR 0 -#define HIREDIS_PATCH 1 -#define HIREDIS_SONAME 1.0.1 +#define HIREDIS_PATCH 0 +#define HIREDIS_SONAME 1.0.0 /* Connection type can be blocking or non-blocking and is set in the * least significant bit of the flags field in redisContext. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hiredis-1.0.1/test.c new/hiredis-1.0.0/test.c --- old/hiredis-1.0.1/test.c 2021-10-04 22:08:51.000000000 +0200 +++ new/hiredis-1.0.0/test.c 2020-08-03 20:18:07.000000000 +0200 @@ -493,20 +493,6 @@ freeReplyObject(reply); redisReaderFree(reader); - test("Multi-bulk never overflows regardless of maxelements: "); - size_t bad_mbulk_len = (SIZE_MAX / sizeof(void *)) + 3; - char bad_mbulk_reply[100]; - snprintf(bad_mbulk_reply, sizeof(bad_mbulk_reply), "*%llu\r\n+asdf\r\n", - (unsigned long long) bad_mbulk_len); - - reader = redisReaderCreate(); - reader->maxelements = 0; /* Don't rely on default limit */ - redisReaderFeed(reader, bad_mbulk_reply, strlen(bad_mbulk_reply)); - ret = redisReaderGetReply(reader,&reply); - test_cond(ret == REDIS_ERR && strcasecmp(reader->errstr, "Out of memory") == 0); - freeReplyObject(reply); - redisReaderFree(reader); - #if LLONG_MAX > SIZE_MAX test("Set error when array > SIZE_MAX: "); reader = redisReaderCreate();
