Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package python-pyasn1 for openSUSE:Factory 
checked in at 2026-01-21 14:14:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-pyasn1 (Old)
 and      /work/SRC/openSUSE:Factory/.python-pyasn1.new.1928 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-pyasn1"

Wed Jan 21 14:14:19 2026 rev:47 rq:1328046 version:0.6.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-pyasn1/python-pyasn1.changes      
2024-10-08 17:23:07.637819876 +0200
+++ /work/SRC/openSUSE:Factory/.python-pyasn1.new.1928/python-pyasn1.changes    
2026-01-21 14:14:29.171661058 +0100
@@ -1,0 +2,10 @@
+Mon Jan 19 07:47:28 UTC 2026 - Nico Krapp <[email protected]>
+
+- Update to 0.6.2 (fixes CVE-2026-2141, bsc#1256331)
+  * Fixed continuation octet limits in OID/RELATIVE-OID decoder 
(CVE-2026-23490).
+  * Added support for Python 3.14.
+  * Added SECURITY.md policy.
+  * Migrated to pyproject.toml packaging.
+- fix broken changelog entries
+
+-------------------------------------------------------------------
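Review bot: the "Update to 0.6.2" line cites CVE-2026-2141, but the bullet directly under it cites CVE-2026-23490 for the same OID/RELATIVE-OID decoder fix. One of the two identifiers looks mistyped; please make the header line and the bullet agree so that changelog-based CVE tracking against bsc#1256331 picks up the right entry.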
@@ -208 +217,0 @@
------------------------------------
@@ -220 +228,0 @@
------------------------------------
@@ -240 +247,0 @@
------------------------------------
@@ -262 +268,0 @@
------------------------------------
@@ -342 +347,0 @@
------------------------------------
@@ -379 +383,0 @@
------------------------------------
@@ -388 +391,0 @@
------------------------------------

Old:
----
  pyasn1-0.6.1.tar.gz

New:
----
  pyasn1-0.6.2.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-pyasn1.spec ++++++
--- /var/tmp/diff_new_pack.AQwege/_old  2026-01-21 14:14:29.811687729 +0100
+++ /var/tmp/diff_new_pack.AQwege/_new  2026-01-21 14:14:29.819688062 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python-pyasn1
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %{?sle15_python_module_pythons}
 Name:           python-pyasn1
-Version:        0.6.1
+Version:        0.6.2
 Release:        0
 Summary:        ASN.1 types and codecs
 License:        BSD-2-Clause

++++++ pyasn1-0.6.1.tar.gz -> pyasn1-0.6.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/CHANGES.rst new/pyasn1-0.6.2/CHANGES.rst
--- old/pyasn1-0.6.1/CHANGES.rst        2024-09-11 00:05:17.000000000 +0200
+++ new/pyasn1-0.6.2/CHANGES.rst        2026-01-16 18:54:37.000000000 +0100
@@ -1,3 +1,17 @@
+Revision 0.6.2, released 16-01-2026
+---------------------------------------
+
+- CVE-2026-23490 (GHSA-63vm-454h-vhhq): Fixed continuation octet limits
+  in OID/RELATIVE-OID decoder (thanks to tsigouris007)
+- Added support for Python 3.14
+  [pr #97](https://github.com/pyasn1/pyasn1/pull/97)
+- Added SECURITY.md policy
+- Fixed unit tests failing due to missing code
+  [issue #91](https://github.com/pyasn1/pyasn1/issues/91)
+  [pr #92](https://github.com/pyasn1/pyasn1/pull/92)
+- Migrated to pyproject.toml packaging
+  [pr #90](https://github.com/pyasn1/pyasn1/pull/90)
+
 Revision 0.6.1, released 10-09-2024
 ---------------------------------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/PKG-INFO new/pyasn1-0.6.2/PKG-INFO
--- old/pyasn1-0.6.1/PKG-INFO   2024-09-11 00:41:08.295431600 +0200
+++ new/pyasn1-0.6.2/PKG-INFO   2026-01-16 19:03:37.415287000 +0100
@@ -1,13 +1,12 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: pyasn1
-Version: 0.6.1
+Version: 0.6.2
 Summary: Pure-Python implementation of ASN.1 types and DER/BER/CER codecs 
(X.208)
-Home-page: https://github.com/pyasn1/pyasn1
-Author: Ilya Etingof
-Author-email: [email protected]
+Author-email: Ilya Etingof <[email protected]>
 Maintainer: pyasn1 maintenance organization
 Maintainer-email: Christian Heimes <[email protected]>
 License: BSD-2-Clause
+Project-URL: Homepage, https://github.com/pyasn1/pyasn1
 Project-URL: Documentation, https://pyasn1.readthedocs.io
 Project-URL: Source, https://github.com/pyasn1/pyasn1
 Project-URL: Issues, https://github.com/pyasn1/pyasn1/issues
@@ -20,7 +19,6 @@
 Classifier: Intended Audience :: Information Technology
 Classifier: Intended Audience :: System Administrators
 Classifier: Intended Audience :: Telecommunications Industry
-Classifier: License :: OSI Approved :: BSD License
 Classifier: Natural Language :: English
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python :: 3
@@ -30,6 +28,7 @@
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Classifier: Programming Language :: Python :: Implementation :: CPython
 Classifier: Programming Language :: Python :: Implementation :: PyPy
 Classifier: Topic :: Communications
@@ -37,6 +36,7 @@
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE.rst
+Dynamic: license-file
 
 
 ASN.1 library for Python
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/SECURITY.md new/pyasn1-0.6.2/SECURITY.md
--- old/pyasn1-0.6.1/SECURITY.md        1970-01-01 01:00:00.000000000 +0100
+++ new/pyasn1-0.6.2/SECURITY.md        2026-01-16 18:53:07.000000000 +0100
@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are applied only to the latest release.
+
+## Reporting a Vulnerability
+
+If you have discovered a security vulnerability in this project, please report 
it privately. **Do not disclose it as a public issue.** This gives us time to 
work with you to fix the issue before public exposure, reducing the chance that 
the exploit will be used before a patch is released.
+
+Please disclose it at our [security 
advisory](https://github.com/pyasn1/pyasn1/security/advisories/new).
+
+This project is maintained by a team of volunteers on a reasonable-effort 
basis. As such, vulnerabilities will be disclosed in a best effort base.
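Review bot: the last sentence of the new SECURITY.md, "vulnerabilities will be disclosed in a best effort base", should read "on a best-effort basis", and the policy gives reporters no indication of when to expect an acknowledgement. Since "Supported Versions" states that only the latest release receives fixes, it would also help to say so explicitly for downstream packagers who carry older versions.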
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/docs/source/conf.py 
new/pyasn1-0.6.2/docs/source/conf.py
--- old/pyasn1-0.6.1/docs/source/conf.py        2023-11-15 23:26:25.000000000 
+0100
+++ new/pyasn1-0.6.2/docs/source/conf.py        2026-01-16 18:53:07.000000000 
+0100
@@ -126,7 +126,7 @@
     'logo': 'logo.svg',
     'description': '<p align=left><i><b>Brewing free software for the greater 
good</i></b></p>',
     'show_powered_by': False,
-    'github_user': 'etingof',
+    'github_user': 'pyasn1',
     'github_repo': 'pyasn1',
     'fixed_sidebar': True,
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/pyasn1/__init__.py 
new/pyasn1-0.6.2/pyasn1/__init__.py
--- old/pyasn1-0.6.1/pyasn1/__init__.py 2024-09-11 00:05:17.000000000 +0200
+++ new/pyasn1-0.6.2/pyasn1/__init__.py 2026-01-16 18:54:37.000000000 +0100
@@ -1,2 +1,2 @@
 # https://www.python.org/dev/peps/pep-0396/
-__version__ = '0.6.1'
+__version__ = '0.6.2'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/pyasn1/codec/ber/decoder.py 
new/pyasn1-0.6.2/pyasn1/codec/ber/decoder.py
--- old/pyasn1-0.6.1/pyasn1/codec/ber/decoder.py        2024-09-10 
23:46:42.000000000 +0200
+++ new/pyasn1-0.6.2/pyasn1/codec/ber/decoder.py        2026-01-16 
18:54:20.000000000 +0100
@@ -33,6 +33,10 @@
 
 SubstrateUnderrunError = error.SubstrateUnderrunError
 
+# Maximum number of continuation octets (high-bit set) allowed per OID arc.
+# 20 octets allows up to 140-bit integers, supporting UUID-based OIDs
+MAX_OID_ARC_CONTINUATION_OCTETS = 20
+
 
 class AbstractPayloadDecoder(object):
     protoComponent = None
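Review bot: the comment on MAX_OID_ARC_CONTINUATION_OCTETS says 20 octets allow up to 140-bit integers, but the constant counts only octets with the high bit set, and the accompanying tests accept 20 such octets followed by a terminating octet. That is 21 octets per arc, or 147 payload bits. Suggest rewording the comment to state that the terminating octet is not counted, and noting whether callers are expected to change this module-level value or treat it as fixed.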
@@ -427,7 +431,14 @@
                 # Construct subid from a number of octets
                 nextSubId = subId
                 subId = 0
+                continuationOctetCount = 0
                 while nextSubId >= 128:
+                    continuationOctetCount += 1
+                    if continuationOctetCount > 
MAX_OID_ARC_CONTINUATION_OCTETS:
+                        raise error.PyAsn1Error(
+                            'OID arc exceeds maximum continuation octets limit 
(%d) '
+                            'at position %d' % 
(MAX_OID_ARC_CONTINUATION_OCTETS, index)
+                        )
                     subId = (subId << 7) + (nextSubId & 0x7F)
                     if index >= substrateLen:
                         raise error.SubstrateUnderrunError(
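Review bot: the new guard inside "while nextSubId >= 128" raises the base error.PyAsn1Error, so a caller cannot tell a limit rejection apart from any other decoding failure except by matching the message text. A dedicated subclass of PyAsn1Error would keep existing "except error.PyAsn1Error" handlers working while letting services that parse untrusted input count or alert on these rejections separately.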
@@ -485,7 +496,14 @@
                 # Construct subid from a number of octets
                 nextSubId = subId
                 subId = 0
+                continuationOctetCount = 0
                 while nextSubId >= 128:
+                    continuationOctetCount += 1
+                    if continuationOctetCount > 
MAX_OID_ARC_CONTINUATION_OCTETS:
+                        raise error.PyAsn1Error(
+                            'RELATIVE-OID arc exceeds maximum continuation 
octets limit (%d) '
+                            'at position %d' % 
(MAX_OID_ARC_CONTINUATION_OCTETS, index)
+                        )
                     subId = (subId << 7) + (nextSubId & 0x7F)
                     if index >= substrateLen:
                         raise error.SubstrateUnderrunError(
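Review bot: this guard is a copy of the one added to the OID loop in the previous hunk, differing only in the 'RELATIVE-OID arc' message prefix. Moving the increment, comparison and raise into one small helper that takes the type name as an argument would keep the two decoders from drifting apart if the limit or the error type changes later.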
@@ -1915,7 +1933,7 @@
         :py:class:`~pyasn1.error.SubstrateUnderrunError` object indicating
         insufficient BER/CER/DER serialization on input to fully recover ASN.1
         objects from it.
-        
+
         In the latter case the caller is advised to ensure some more data in
         the input stream, then call the iterator again. The decoder will resume
         the decoding process using the newly arrived data.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/pyasn1.egg-info/PKG-INFO 
new/pyasn1-0.6.2/pyasn1.egg-info/PKG-INFO
--- old/pyasn1-0.6.1/pyasn1.egg-info/PKG-INFO   2024-09-11 00:41:08.000000000 
+0200
+++ new/pyasn1-0.6.2/pyasn1.egg-info/PKG-INFO   2026-01-16 19:03:37.000000000 
+0100
@@ -1,13 +1,12 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: pyasn1
-Version: 0.6.1
+Version: 0.6.2
 Summary: Pure-Python implementation of ASN.1 types and DER/BER/CER codecs 
(X.208)
-Home-page: https://github.com/pyasn1/pyasn1
-Author: Ilya Etingof
-Author-email: [email protected]
+Author-email: Ilya Etingof <[email protected]>
 Maintainer: pyasn1 maintenance organization
 Maintainer-email: Christian Heimes <[email protected]>
 License: BSD-2-Clause
+Project-URL: Homepage, https://github.com/pyasn1/pyasn1
 Project-URL: Documentation, https://pyasn1.readthedocs.io
 Project-URL: Source, https://github.com/pyasn1/pyasn1
 Project-URL: Issues, https://github.com/pyasn1/pyasn1/issues
@@ -20,7 +19,6 @@
 Classifier: Intended Audience :: Information Technology
 Classifier: Intended Audience :: System Administrators
 Classifier: Intended Audience :: Telecommunications Industry
-Classifier: License :: OSI Approved :: BSD License
 Classifier: Natural Language :: English
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python :: 3
@@ -30,6 +28,7 @@
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Classifier: Programming Language :: Python :: Implementation :: CPython
 Classifier: Programming Language :: Python :: Implementation :: PyPy
 Classifier: Topic :: Communications
@@ -37,6 +36,7 @@
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE.rst
+Dynamic: license-file
 
 
 ASN.1 library for Python
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/pyasn1.egg-info/SOURCES.txt 
new/pyasn1-0.6.2/pyasn1.egg-info/SOURCES.txt
--- old/pyasn1-0.6.1/pyasn1.egg-info/SOURCES.txt        2024-09-11 
00:41:08.000000000 +0200
+++ new/pyasn1-0.6.2/pyasn1.egg-info/SOURCES.txt        2026-01-16 
19:03:37.000000000 +0100
@@ -2,10 +2,9 @@
 LICENSE.rst
 MANIFEST.in
 README.md
+SECURITY.md
 TODO.rst
 pyproject.toml
-setup.cfg
-setup.py
 docs/Makefile
 docs/source/changelog.rst
 docs/source/conf.py
@@ -142,8 +141,6 @@
 tests/codec/native/__main__.py
 tests/codec/native/test_decoder.py
 tests/codec/native/test_encoder.py
-tests/compat/__init__.py
-tests/compat/__main__.py
 tests/type/__init__.py
 tests/type/__main__.py
 tests/type/test_char.py
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/pyproject.toml 
new/pyasn1-0.6.2/pyproject.toml
--- old/pyasn1-0.6.1/pyproject.toml     2023-11-15 23:26:25.000000000 +0100
+++ new/pyasn1-0.6.2/pyproject.toml     2026-01-16 19:03:23.000000000 +0100
@@ -3,3 +3,69 @@
     "setuptools"
 ]
 build-backend = "setuptools.build_meta"
+
+[project]
+name = "pyasn1"
+license.text = "BSD-2-Clause"  # Replace with 'license' once Python 3.8 is 
dropped
+description = "Pure-Python implementation of ASN.1 types and DER/BER/CER 
codecs (X.208)"
+readme = "README.md"
+authors = [
+    {name = "Ilya Etingof", email = "[email protected]"}
+]
+maintainers = [
+    {name = "pyasn1 maintenance organization"},
+    {name = "Christian Heimes", email = "[email protected]"}
+]
+requires-python = ">=3.8"
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "Intended Audience :: Education",
+    "Intended Audience :: Information Technology",
+    "Intended Audience :: System Administrators",
+    "Intended Audience :: Telecommunications Industry",
+    "Natural Language :: English",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.8",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Programming Language :: Python :: Implementation :: CPython",
+    "Programming Language :: Python :: Implementation :: PyPy",
+    "Topic :: Communications",
+    "Topic :: Software Development :: Libraries :: Python Modules"
+]
+dynamic = ["version"]
+
+[project.urls]
+"Homepage" = "https://github.com/pyasn1/pyasn1";
+"Documentation" = "https://pyasn1.readthedocs.io";
+"Source" = "https://github.com/pyasn1/pyasn1";
+"Issues" = "https://github.com/pyasn1/pyasn1/issues";
+"Changelog" = "https://pyasn1.readthedocs.io/en/latest/changelog.html";
+
+[tool.setuptools]
+zip-safe = true
+platforms = ["any"]
+# Additional files to include in the distribution (replaces MANIFEST.in 
functionality)
+include-package-data = true
+license-files = ["LICENSE.rst"]  # Replace with 'project.license-files' once 
Python 3.8 is dropped
+
+[tool.setuptools.dynamic]
+version = {attr = "pyasn1.__version__"}
+
+[tool.setuptools.packages.find]
+include = [
+    "pyasn1*"
+]
+
+[tool.setuptools.package-data]
+"*" = [
+    "*.rst",
+    "*.md"
+]
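Review bot: each of the five values under [project.urls] is shown with a ";" after the closing quote, which TOML does not accept after a string value. The PKG-INFO hunks in this same patch list the same URLs without it, so please confirm the semicolons are not present in the pyproject.toml shipped in the tarball.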
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/setup.cfg new/pyasn1-0.6.2/setup.cfg
--- old/pyasn1-0.6.1/setup.cfg  2024-09-11 00:41:08.296431800 +0200
+++ new/pyasn1-0.6.2/setup.cfg  2026-01-16 19:03:37.415445600 +0100
@@ -1,59 +1,3 @@
-[metadata]
-name = pyasn1
-version = attr: pyasn1.__version__
-description = Pure-Python implementation of ASN.1 types and DER/BER/CER codecs 
(X.208)
-long_description = file: README.md
-long_description_content_type = text/markdown
-license = BSD-2-Clause
-license_files = LICENSE.rst
-url = https://github.com/pyasn1/pyasn1
-author = Ilya Etingof
-author_email = [email protected]
-maintainer = pyasn1 maintenance organization
-maintainer_email = Christian Heimes <[email protected]>
-project_urls = 
-       Documentation=https://pyasn1.readthedocs.io
-       Source=https://github.com/pyasn1/pyasn1
-       Issues=https://github.com/pyasn1/pyasn1/issues
-       Changelog=https://pyasn1.readthedocs.io/en/latest/changelog.html
-platforms = any
-classifiers = 
-       Development Status :: 5 - Production/Stable
-       Environment :: Console
-       Intended Audience :: Developers
-       Intended Audience :: Education
-       Intended Audience :: Information Technology
-       Intended Audience :: System Administrators
-       Intended Audience :: Telecommunications Industry
-       License :: OSI Approved :: BSD License
-       Natural Language :: English
-       Operating System :: OS Independent
-       Programming Language :: Python :: 3
-       Programming Language :: Python :: 3.8
-       Programming Language :: Python :: 3.9
-       Programming Language :: Python :: 3.10
-       Programming Language :: Python :: 3.11
-       Programming Language :: Python :: 3.12
-       Programming Language :: Python :: 3.13
-       Programming Language :: Python :: Implementation :: CPython
-       Programming Language :: Python :: Implementation :: PyPy
-       Topic :: Communications
-       Topic :: Software Development :: Libraries :: Python Modules
-
-[options]
-python_requires = >=3.8
-zip_safe = True
-setup_requires = setuptools
-packages = 
-       pyasn1
-       pyasn1.type
-       pyasn1.compat
-       pyasn1.codec
-       pyasn1.codec.ber
-       pyasn1.codec.cer
-       pyasn1.codec.der
-       pyasn1.codec.native
-
 [egg_info]
 tag_build = 
 tag_date = 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/setup.py new/pyasn1-0.6.2/setup.py
--- old/pyasn1-0.6.1/setup.py   2023-11-15 23:26:25.000000000 +0100
+++ new/pyasn1-0.6.2/setup.py   1970-01-01 01:00:00.000000000 +0100
@@ -1,10 +0,0 @@
-#!/usr/bin/env python
-#
-# This file is part of pyasn1 software.
-#
-# Copyright (c) 2005-2020, Ilya Etingof <[email protected]>
-# License: https://pyasn1.readthedocs.io/en/latest/license.html
-#
-from setuptools import setup
-
-setup()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/tests/__main__.py 
new/pyasn1-0.6.2/tests/__main__.py
--- old/pyasn1-0.6.1/tests/__main__.py  2023-11-15 23:26:25.000000000 +0100
+++ new/pyasn1-0.6.2/tests/__main__.py  2026-01-16 18:53:07.000000000 +0100
@@ -9,8 +9,7 @@
 suite = unittest.TestLoader().loadTestsFromNames(
     ['tests.test_debug.suite',
      'tests.type.__main__.suite',
-     'tests.codec.__main__.suite',
-     'tests.compat.__main__.suite']
+     'tests.codec.__main__.suite']
 )
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/tests/codec/ber/test_decoder.py 
new/pyasn1-0.6.2/tests/codec/ber/test_decoder.py
--- old/pyasn1-0.6.1/tests/codec/ber/test_decoder.py    2024-09-10 
23:46:42.000000000 +0200
+++ new/pyasn1-0.6.2/tests/codec/ber/test_decoder.py    2026-01-16 
18:54:20.000000000 +0100
@@ -449,6 +449,72 @@
             bytes((0x06, 0x13, 0x88, 0x37, 0x83, 0xC6, 0xDF, 0xD4, 0xCC, 0xB3, 
0xFF, 0xFF, 0xFE, 0xF0, 0xB8, 0xD6, 0xB8, 0xCB, 0xE2, 0xB6, 0x47))
         ) == ((2, 999, 18446744073709551535184467440737095), b'')
 
+    def testExcessiveContinuationOctets(self):
+        """Test that OID arcs with excessive continuation octets are 
rejected."""
+        # Create a payload with 25 continuation octets (exceeds 20 limit)
+        # 0x81 bytes are continuation octets, 0x01 terminates
+        malicious_payload = bytes([0x06, 26]) + bytes([0x81] * 25) + 
bytes([0x01])
+        try:
+            decoder.decode(malicious_payload)
+        except error.PyAsn1Error:
+            pass
+        else:
+            assert 0, 'Excessive continuation octets tolerated'
+
+    def testMaxAllowedContinuationOctets(self):
+        """Test that OID arcs at the maximum continuation octets limit work."""
+        # Create a payload with exactly 20 continuation octets (at limit)
+        # This should succeed
+        payload = bytes([0x06, 21]) + bytes([0x81] * 20) + bytes([0x01])
+        try:
+            decoder.decode(payload)
+        except error.PyAsn1Error:
+            assert 0, 'Valid OID with 20 continuation octets rejected'
+
+    def testOneOverContinuationLimit(self):
+        """Test boundary: 21 continuation octets (one over limit) is 
rejected."""
+        payload = bytes([0x06, 22]) + bytes([0x81] * 21) + bytes([0x01])
+        try:
+            decoder.decode(payload)
+        except error.PyAsn1Error:
+            pass
+        else:
+            assert 0, '21 continuation octets tolerated (should be rejected)'
+
+    def testExcessiveContinuationInSecondArc(self):
+        """Test that limit applies to subsequent arcs, not just the first."""
+        # First arc: valid simple byte (0x55 = 85, decodes to arc 2.5)
+        # Second arc: excessive continuation octets
+        payload = bytes([0x06, 27]) + bytes([0x55]) + bytes([0x81] * 25) + 
bytes([0x01])
+        try:
+            decoder.decode(payload)
+        except error.PyAsn1Error:
+            pass
+        else:
+            assert 0, 'Excessive continuation in second arc tolerated'
+
+    def testMultipleArcsAtLimit(self):
+        """Test multiple arcs each at the continuation limit work correctly."""
+        # Two arcs, each with 20 continuation octets (both at limit)
+        arc1 = bytes([0x81] * 20) + bytes([0x01])  # 21 bytes
+        arc2 = bytes([0x81] * 20) + bytes([0x01])  # 21 bytes
+        payload = bytes([0x06, 42]) + arc1 + arc2
+        try:
+            decoder.decode(payload)
+        except error.PyAsn1Error:
+            assert 0, 'Multiple valid arcs at limit rejected'
+
+    def testExcessiveContinuationWithMaxBytes(self):
+        """Test with 0xFF continuation bytes (maximum value, not just 0x81)."""
+        # 0xFF bytes are also continuation octets (high bit set)
+        malicious_payload = bytes([0x06, 26]) + bytes([0xFF] * 25) + 
bytes([0x01])
+        try:
+            decoder.decode(malicious_payload)
+        except error.PyAsn1Error:
+            pass
+        else:
+            assert 0, 'Excessive 0xFF continuation octets tolerated'
+
 
 class RelativeOIDDecoderTestCase(BaseTestCase):
     def testOne(self):
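Review bot: the boundary tests hard-code 20, 21 and 25 rather than deriving the payloads from decoder.MAX_OID_ARC_CONTINUATION_OCTETS, so they will silently stop testing the boundary if the constant changes. In addition, testMaxAllowedContinuationOctets and testMultipleArcsAtLimit only check that no exception is raised; asserting the decoded arcs and the empty remainder, as the existing test just above this hunk does, would also catch an accepted but wrongly decoded value.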
@@ -518,6 +584,70 @@
             bytes((0x0D, 0x13, 0x88, 0x37, 0x83, 0xC6, 0xDF, 0xD4, 0xCC, 0xB3, 
0xFF, 0xFF, 0xFE, 0xF0, 0xB8, 0xD6, 0xB8, 0xCB, 0xE2, 0xB6, 0x47))
         ) == ((1079, 18446744073709551535184467440737095), b'')
 
+    def testExcessiveContinuationOctets(self):
+        """Test that RELATIVE-OID arcs with excessive continuation octets are 
rejected."""
+        # Create a payload with 25 continuation octets (exceeds 20 limit)
+        malicious_payload = bytes([0x0D, 26]) + bytes([0x81] * 25) + 
bytes([0x01])
+        try:
+            decoder.decode(malicious_payload)
+        except error.PyAsn1Error:
+            pass
+        else:
+            assert 0, 'Excessive continuation octets tolerated'
+
+    def testMaxAllowedContinuationOctets(self):
+        """Test that RELATIVE-OID arcs at the maximum continuation octets 
limit work."""
+        # Create a payload with exactly 20 continuation octets (at limit)
+        payload = bytes([0x0D, 21]) + bytes([0x81] * 20) + bytes([0x01])
+        try:
+            decoder.decode(payload)
+        except error.PyAsn1Error:
+            assert 0, 'Valid RELATIVE-OID with 20 continuation octets rejected'
+
+    def testOneOverContinuationLimit(self):
+        """Test boundary: 21 continuation octets (one over limit) is 
rejected."""
+        payload = bytes([0x0D, 22]) + bytes([0x81] * 21) + bytes([0x01])
+        try:
+            decoder.decode(payload)
+        except error.PyAsn1Error:
+            pass
+        else:
+            assert 0, '21 continuation octets tolerated (should be rejected)'
+
+    def testExcessiveContinuationInSecondArc(self):
+        """Test that limit applies to subsequent arcs, not just the first."""
+        # First arc: valid simple byte
+        # Second arc: excessive continuation octets
+        payload = bytes([0x0D, 27]) + bytes([0x55]) + bytes([0x81] * 25) + 
bytes([0x01])
+        try:
+            decoder.decode(payload)
+        except error.PyAsn1Error:
+            pass
+        else:
+            assert 0, 'Excessive continuation in second arc tolerated'
+
+    def testMultipleArcsAtLimit(self):
+        """Test multiple arcs each at the continuation limit work correctly."""
+        # Two arcs, each with 20 continuation octets (both at limit)
+        arc1 = bytes([0x81] * 20) + bytes([0x01])  # 21 bytes
+        arc2 = bytes([0x81] * 20) + bytes([0x01])  # 21 bytes
+        payload = bytes([0x0D, 42]) + arc1 + arc2
+        try:
+            decoder.decode(payload)
+        except error.PyAsn1Error:
+            assert 0, 'Multiple valid arcs at limit rejected'
+
+    def testExcessiveContinuationWithMaxBytes(self):
+        """Test with 0xFF continuation bytes (maximum value, not just 0x81)."""
+        # 0xFF bytes are also continuation octets (high bit set)
+        malicious_payload = bytes([0x0D, 26]) + bytes([0xFF] * 25) + 
bytes([0x01])
+        try:
+            decoder.decode(malicious_payload)
+        except error.PyAsn1Error:
+            pass
+        else:
+            assert 0, 'Excessive 0xFF continuation octets tolerated'
+
 
 class RealDecoderTestCase(BaseTestCase):
     def testChar(self):
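Review bot: these six RELATIVE-OID tests repeat the OID tests from the previous hunk with only the tag octet changed from 0x06 to 0x0D. A shared mixin or a loop over the two tags would halve the code and guarantee both decoders are exercised with identical cases. The comment "First arc: valid simple byte" in testExcessiveContinuationInSecondArc could also state the expected arc value, as the OID variant does.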
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/tests/compat/__init__.py 
new/pyasn1-0.6.2/tests/compat/__init__.py
--- old/pyasn1-0.6.1/tests/compat/__init__.py   2023-11-15 23:26:25.000000000 
+0100
+++ new/pyasn1-0.6.2/tests/compat/__init__.py   1970-01-01 01:00:00.000000000 
+0100
@@ -1 +0,0 @@
-# This file is necessary to make this directory a package.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyasn1-0.6.1/tests/compat/__main__.py 
new/pyasn1-0.6.2/tests/compat/__main__.py
--- old/pyasn1-0.6.1/tests/compat/__main__.py   2023-11-15 23:26:25.000000000 
+0100
+++ new/pyasn1-0.6.2/tests/compat/__main__.py   1970-01-01 01:00:00.000000000 
+0100
@@ -1,16 +0,0 @@
-#
-# This file is part of pyasn1 software.
-#
-# Copyright (c) 2005-2020, Ilya Etingof <[email protected]>
-# License: https://pyasn1.readthedocs.io/en/latest/license.html
-#
-import unittest
-
-suite = unittest.TestLoader().loadTestsFromNames(
-    ['tests.compat.test_integer.suite',
-     'tests.compat.test_octets.suite']
-)
-
-
-if __name__ == '__main__':
-    unittest.TextTestRunner(verbosity=2).run(suite)
