Hello community,
here is the log from the commit of package libsignal-protocol-c for
openSUSE:Factory checked in at 2026-02-24 16:27:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libsignal-protocol-c (Old)
and /work/SRC/openSUSE:Factory/.libsignal-protocol-c.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsignal-protocol-c"
Tue Feb 24 16:27:24 2026 rev:6 rq:1334730 version:2.3.3
Changes:
--------
---
/work/SRC/openSUSE:Factory/libsignal-protocol-c/libsignal-protocol-c.changes
2020-03-30 23:05:09.256236362 +0200
+++
/work/SRC/openSUSE:Factory/.libsignal-protocol-c.new.1977/libsignal-protocol-c.changes
2026-02-24 16:27:25.448003576 +0100
@@ -1,0 +2,6 @@
+Tue Feb 24 12:52:13 UTC 2026 - Michael Vetter <[email protected]>
+
+- CVE-2022-48468: Integer overflow in parse_required_member in protobuf-c
(bsc#1210323)
+ * Add CVE-2022-48468.patch taken from Fedora
+
+-------------------------------------------------------------------
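Review bot: The changelog entry names protobuf-c as the affected component but does not say that the fix lands in the copy shipped inside this package (the patch touches src/protobuf-c/protobuf-c.c). Wording such as "in the bundled protobuf-c" would stop anyone tracking CVE-2022-48468 from assuming the separate protobuf-c package is what changed here.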
New:
----
CVE-2022-48468.patch
----------(New B)----------
New:- CVE-2022-48468: Integer overflow in parse_required_member in protobuf-c
(bsc#1210323)
* Add CVE-2022-48468.patch taken from Fedora
----------(New E)----------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libsignal-protocol-c.spec ++++++
--- /var/tmp/diff_new_pack.IWzgp2/_old 2026-02-24 16:27:26.636052964 +0100
+++ /var/tmp/diff_new_pack.IWzgp2/_new 2026-02-24 16:27:26.640053131 +0100
@@ -1,7 +1,7 @@
#
# spec file for package libsignal-protocol-c
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,7 @@
Group: Development/Libraries/C and C++
URL: https://github.com/signalapp/libsignal-protocol-c/
Source:
https://github.com/signalapp/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0: CVE-2022-48468.patch
BuildRequires: check-devel >= 0.9.10
BuildRequires: cmake >= 2.8.4
BuildRequires: gcc-c++
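Review bot: The new `Patch0: CVE-2022-48468.patch` line carries no comment giving the patch's origin or bug reference. The changelog records that it was taken from Fedora and tracks bsc#1210323; a one-line comment above `Patch0:` with the same information would keep that provenance next to the patch in the spec itself.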
@@ -50,7 +51,7 @@
The libsignal-protocol-c library is a forward secrecy protocol library written
in C.
%prep
-%setup -q
+%autosetup -p1
%build
%cmake \
++++++ CVE-2022-48468.patch ++++++
>From 478dfe51552243b367cf2e9c5d047cbbd3c21635 Mon Sep 17 00:00:00 2001
From: Randy Barlow <[email protected]>
Date: Fri, 18 Mar 2022 12:42:57 -0400
Subject: [PATCH] CVE-2022-48468: unsigned integer overflow
This commit combines two upstream commits from protobuf-c[0][1].
The first fixes an unsigned integer overflow, and the second fixes a
regression introduced by the first. I originally decided to amend the
commit message of the first to mention that it fixes a CVE, but then I
realized it would be better to bring the fix for the regression together
with it.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
https://bugzilla.redhat.com/show_bug.cgi?id=2186673
[0] https://github.com/protobuf-c/protobuf-c/pull/513/commits/289f5c18b195aa43d46a619d1188709abbfa9c82
[1] https://github.com/protobuf-c/protobuf-c/pull/513/commits/0d1fd124a4e0a07b524989f6e64410ff648fba61
Co-authored-by: 10054172 <[email protected]>
Co-authored-by: "Todd C. Miller" <[email protected]>
Signed-off-by: 10054172 <[email protected]>
Signed-off-by: Randy Barlow <[email protected]>
---
src/protobuf-c/protobuf-c.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/protobuf-c/protobuf-c.c b/src/protobuf-c/protobuf-c.c
index 4f2f5bc..6ae5287 100644
--- a/src/protobuf-c/protobuf-c.c
+++ b/src/protobuf-c/protobuf-c.c
@@ -2456,10 +2456,13 @@ parse_required_member(ScannedMember *scanned_member,
return FALSE;
def_mess = scanned_member->field->default_value;
- subm =
protobuf_c_message_unpack(scanned_member->field->descriptor,
- allocator,
- len - pref_len,
- data + pref_len);
+ if (len >= pref_len)
+ subm =
protobuf_c_message_unpack(scanned_member->field->descriptor,
+ allocator,
+ len - pref_len,
+ data + pref_len);
+ else
+ subm = NULL;
if (maybe_clear &&
*pmessage != NULL &&
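Review bot: The new `else subm = NULL;` branch sends a length shorter than its prefix down the same path as a failed unpack, so the fix relies on a `subm == NULL` check that lies below the visible context. Confirm that this path returns FALSE before `subm` is stored or used. A short comment above `if (len >= pref_len)` stating that the unsigned subtraction `len - pref_len` would otherwise wrap would make the intent clear. The diffstat shows only protobuf-c.c changing, so a regression test feeding such an input is also worth adding. Braces around the multi-line `if`/`else` bodies would make the guard harder to break in later edits.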
--
2.39.2