Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package libgsasl for openSUSE:Factory checked in at 2022-09-13 15:07:41

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libgsasl (Old)
 and      /work/SRC/openSUSE:Factory/.libgsasl.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libgsasl" Tue Sep 13 15:07:41 2022 rev:35 rq:1002784 version:1.10.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libgsasl/libgsasl.changes 2022-02-17 00:30:10.629436954 +0100 +++ /work/SRC/openSUSE:Factory/.libgsasl.new.2083/libgsasl.changes 2022-09-13 15:07:42.412358435 +0200 @@ -1,0 +2,6 @@ +Mon Sep 12 09:45:33 UTC 2022 - Dirk M??ller <[email protected]> + +- add boundary-check-CVE-2022-2469.patch (bsc#1201715) +- avoid duplicate packaging of license + +------------------------------------------------------------------- New: ---- boundary-check-CVE-2022-2469.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libgsasl.spec ++++++ --- /var/tmp/diff_new_pack.P1ntsZ/_old 2022-09-13 15:07:43.888362590 +0200 +++ /var/tmp/diff_new_pack.P1ntsZ/_new 2022-09-13 15:07:43.896362613 +0200 @@ -28,6 +28,7 @@ Source2: https://josefsson.org/54265e8c.txt#/%{name}.keyring # https://lists.gnu.org/archive/html/help-gsasl/2022-01/msg00002.html Patch1: 0001-Fix-build-issues-with-GCC-12-s-Werror-address.patch +Patch2: https://gitlab.com/gsasl/gsasl/-/commit/796e4197f696261c1f872d7576371232330bcc30.patch#/boundary-check-CVE-2022-2469.patch BuildRequires: gcc-c++ BuildRequires: gettext-devel >= 0.19.8 BuildRequires: pkgconfig @@ -72,7 +73,9 @@ %lang_package %prep -%autosetup -p1 +%setup -q +%patch1 -p1 +%patch2 -p2 %build %configure \ @@ -100,12 +103,10 @@ %{_libdir}/*.so.* %files devel -%license COPYING* %{_includedir}/gsas*.h %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc %files lang -f %{name}.lang -%license COPYING* %changelog ++++++ boundary-check-CVE-2022-2469.patch ++++++ >From 796e4197f696261c1f872d7576371232330bcc30 Mon Sep 17 00:00:00 2001 From: Simon Josefsson <[email protected]> Date: Fri, 15 Jul 2022 16:23:58 +0200 Subject: [PATCH] GSSAPI server: Boundary check gss_wrap token (read OOB). --- lib/gssapi/server.c | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/lib/gssapi/server.c b/lib/gssapi/server.c index 5410360b..4ebfda47 100644 --- a/lib/gssapi/server.c +++ b/lib/gssapi/server.c @@ -218,6 +218,9 @@ _gsasl_gssapi_server_step (Gsasl_session * sctx, FALSE, and responds with the generated output_message. The client can then consider the server authenticated. */ + if (bufdesc2.length < 4) + return GSASL_AUTHENTICATION_ERROR; + if ((((char *) bufdesc2.value)[0] & GSASL_QOP_AUTH) == 0) { /* Integrity or privacy unsupported */ -- GitLab ++++++ libgsasl.keyring ++++++ ++++ 2503 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/libgsasl/libgsasl.keyring ++++ and /work/SRC/openSUSE:Factory/.libgsasl.new.2083/libgsasl.keyring
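Review bot: The libgsasl.changes entry for boundary-check-CVE-2022-2469.patch records only the CVE and bsc number; one clause stating what it fixes (a missing length check on the unwrapped security-layer token in the GSSAPI server, an out-of-bounds read) would let anyone scanning the changes file judge the impact without opening the patch. The "avoid duplicate packaging of license" entry should likewise name the subpackages (devel, lang) that lost the %license line, since that is what the spec diff actually changes.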
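Review bot: The Patch2 line fetches the fix straight from the upstream commit URL and renames it via the #/ fragment, which keeps provenance visible, but because the commit hash 796e4197f696261c1f872d7576371232330bcc30 is pinned in the URL the checked-in boundary-check-CVE-2022-2469.patch must stay byte-identical to what GitLab serves for that commit; re-fetching the URL and diffing it against the committed file is a cheap check before accepting, and any local edit to the patch should instead drop the URL and keep a plain file name.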
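Review bot: Replacing %autosetup -p1 with %setup -q plus explicit %patch lines is necessary here because the two patches need different strip levels (%patch1 -p1, %patch2 -p2), but nothing in the %prep block says why. Patch2's own paths are a/lib/gssapi/server.c while the libgsasl tarball is rooted at gsasl's lib/ directory, so two components must be stripped to reach gssapi/server.c. Add a one-line comment above %patch2 -p2 stating that, otherwise a later cleanup is likely to "normalize" it back to -p1 and break %prep.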
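Review bot: Dropping %license COPYING* from the devel and lang subpackages is only safe if the main shared-library package, whose %files list ends at the %{_libdir}/*.so.* context line at the top of this hunk, still carries a %license COPYING* entry. That line lies outside the hunk, so confirm it is present before merging; if it is not, no binary package ships the license text at all. Assuming devel and lang require the library package, as is usual for libgsasl, one copy there satisfies the packaging requirement.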
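Review bot: The new check in _gsasl_gssapi_server_step returns GSASL_AUTHENTICATION_ERROR on a short token without releasing bufdesc2; if that buffer was filled by gss_unwrap immediately above (the normal pattern for this step, and the reason the comment talks about the unwrapped output), the early return leaks it, so call gss_release_buffer (&min_stat, &bufdesc2) before returning, matching whatever the "Integrity or privacy unsupported" branch below does on its own error path. The threshold of 4 is right for the four-octet security-layer token (one bitmask octet followed by a three-octet maximum buffer size), but only byte [0] is dereferenced in the visible lines, so a short comment explaining why the bound is 4 rather than 1 would stop a future reader from loosening it.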
