Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package gnu-recutils for openSUSE:Factory checked in at 2026-01-01 15:00:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnu-recutils (Old)
 and      /work/SRC/openSUSE:Factory/.gnu-recutils.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnu-recutils" Thu Jan 1 15:00:47 2026 rev:3 rq:1324905 version:1.9 Changes: -------- --- /work/SRC/openSUSE:Factory/gnu-recutils/gnu-recutils.changes 2024-11-17 16:41:17.443461856 +0100 +++ /work/SRC/openSUSE:Factory/.gnu-recutils.new.1928/gnu-recutils.changes 2026-01-01 15:01:53.397047393 +0100 @@ -1,0 +2,6 @@ +Wed Dec 31 13:18:12 UTC 2025 - Luigi Baldoni <[email protected]> + +- Add recutils-fix_empty_password_vuln.patch + (fixes bsc#1255767 CVE-2025-65409) + +------------------------------------------------------------------- New: ---- recutils-fix_empty_password_vuln.patch ----------(New B)---------- New: - Add recutils-fix_empty_password_vuln.patch (fixes bsc#1255767 CVE-2025-65409) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnu-recutils.spec ++++++ --- /var/tmp/diff_new_pack.pWSbEU/_old 2026-01-01 15:01:53.989071672 +0100 +++ /var/tmp/diff_new_pack.pWSbEU/_new 2026-01-01 15:01:53.993071836 +0100 @@ -1,7 +1,7 @@ # # spec file for package gnu-recutils # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,6 +28,9 @@ Source0: https://ftp.gnu.org/gnu/recutils/recutils-%{version}.tar.gz Source1: https://ftp.gnu.org/gnu/recutils/recutils-%{version}.tar.gz.sig Source2: https://savannah.gnu.org/people/viewgpg.php?user_id=829#/%{name}.keyring +# PATCH-FIX-UPSTREAM recutils-fix_empty_password_vuln.patch +Patch0: recutils-fix_empty_password_vuln.patch +BuildRequires: help2man BuildRequires: pkgconfig BuildRequires: pkgconfig(bash) BuildRequires: pkgconfig(check) 
@@ -101,7 +104,7 @@ %lang_package %prep -%setup -q -n recutils-%{version} +%autosetup -p1 -n recutils-%{version} %build export CFLAGS="%{optflags} -Wno-implicit-function-declaration -Wno-incompatible-pointer-types" ++++++ recutils-fix_empty_password_vuln.patch ++++++ From: Jose E. Marchesi <[email protected]> Subject: [SECURITY][CWE-369] GNU Recutils 1.9: empty password triggers divide-by-zero (SIGFPE) in recfix / rec-crypt Date: Thu, 30 Oct 2025 17:17:49 +0100 References: bsc#1255767 CVE-2025-65409 CWE-369 --- src/rec-crypt.c | 14 ++++++++++++++ utils/recfix.c | 3 +++ 2 files changed, 17 insertions(+) diff --git a/src/rec-crypt.c b/src/rec-crypt.c index 5c88716..1ae7882 100644 --- a/src/rec-crypt.c +++ b/src/rec-crypt.c @@ -102,6 +102,13 @@ rec_encrypt (char *in, /* Set the key of the cypher. */ password_size = strlen (password); + + if (password_size <= 0) + { + gcry_cipher_close (handler); + return false; + } + for (i = 0; i < AESV2_KEYSIZE; i++) key[i] = password[i % password_size]; @@ -177,6 +184,13 @@ rec_decrypt (char *in, /* Set the key of the cypher. */ password_size = strlen (password); + + if (password_size<=0) + { + gcry_cipher_close (handler); + return false; + } + for (i = 0; i < AESV2_KEYSIZE; i++) key[i] = password[i % password_size]; diff --git a/utils/recfix.c b/utils/recfix.c index f9afef2..d286047 100644 --- a/utils/recfix.c +++ b/utils/recfix.c @@ -190,6 +190,9 @@ recfix_parse_args (int argc, if (recfix_password != NULL) recutl_fatal (_("please specify just one password.\n")); + if (optarg == NULL || optarg[0] == '\0') + recutl_fatal (_("password must not be empty.\n")); + recfix_password = xstrdup (optarg); break; #endif /* REC_CRYPT_SUPPORT */ --
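Review bot: In the gnu-recutils.spec hunk at @@ -28,6 +28,9, the added `BuildRequires: help2man` is not mentioned in the .changes entry, which lists only recutils-fix_empty_password_vuln.patch. Add a changelog line stating why help2man is now required at build time, or drop the line if the package builds without it.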
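Review bot: In the rec_encrypt hunk of src/rec-crypt.c, `if (password_size <= 0)` tests a strlen() result with `<=`; strlen() returns size_t, so the value cannot be negative and `== 0` states the intent more precisely (the declared type of password_size is not visible in this hunk; if it is a signed type, the assignment from strlen() deserves its own look). The early `return false` is indistinguishable from any other encryption failure, so a comment on the function documenting that an empty password is rejected would help callers.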
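Review bot: In the rec_decrypt hunk of src/rec-crypt.c, the guard is written `password_size<=0` without the spacing used in the rec_encrypt hunk and in the surrounding lines (`strlen (password)`, `i % password_size`); match the existing style. The guard and the key-fill loop are now duplicated in both functions, so consider one static helper that rejects a zero-length password and fills key[], which keeps the check next to the `%` it protects.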
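Review bot: In the recfix_parse_args hunk of utils/recfix.c, the empty-password check covers only this option-parsing path, and the diffstat shows no test added alongside it. Add a regression test that runs recfix with an empty password and expects the "password must not be empty." error instead of a SIGFPE, and one that exercises rec_encrypt and rec_decrypt directly with an empty string to confirm they return false. A short comment on when `optarg == NULL` can occur for this option would also help, since the following `xstrdup (optarg)` previously assumed it could not.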
