Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tinyssh for openSUSE:Factory checked 
in at 2026-03-25 21:18:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tinyssh (Old)
 and      /work/SRC/openSUSE:Factory/.tinyssh.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tinyssh"

Wed Mar 25 21:18:46 2026 rev:11 rq:1342322 version:20260301

Changes:
--------
--- /work/SRC/openSUSE:Factory/tinyssh/tinyssh.changes  2025-05-08 
18:24:56.348376595 +0200
+++ /work/SRC/openSUSE:Factory/.tinyssh.new.8177/tinyssh.changes        
2026-03-27 06:51:15.978320207 +0100
@@ -1,0 +2,8 @@
+Sun Mar  1 21:14:40 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 20260301:
+  * Fixed crypto_sign_ed25519_tinyssh_open, now rejects
+    signatures where S >= L (Ed25519 group order).
+- drop tinyssh-gcc14-compat.patch (obsolete)
+
+-------------------------------------------------------------------

Old:
----
  20250501.tar.gz.asc
  tinyssh-20250501.tar.gz
  tinyssh-gcc14-compat.patch

New:
----
  tinyssh-20260301.tar.gz
  tinyssh-20260301.tar.gz.asc

----------(Old B)----------
  Old:    signatures where S >= L (Ed25519 group order).
- drop tinyssh-gcc14-compat.patch (obsolete)
----------(Old E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tinyssh.spec ++++++
--- /var/tmp/diff_new_pack.F43MYF/_old  2026-03-27 06:51:16.618346627 +0100
+++ /var/tmp/diff_new_pack.F43MYF/_new  2026-03-27 06:51:16.626346957 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package tinyssh
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,18 +17,15 @@
 
 
 Name:           tinyssh
-Version:        20250501
+Version:        20260301
 Release:        0
 Summary:        A minimalistic SSH server which implements only a subset of 
SSHv2 features
 License:        CC0-1.0
 Group:          Productivity/Networking/SSH
 URL:            https://tinyssh.org/
 Source0:        
https://github.com/janmojzis/tinyssh/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Source1:        
https://github.com/janmojzis/tinyssh/releases/download/%{version}/%{version}.tar.gz.asc
-Source2:        %{name}-%{version}.tar.gz
-Source3:        %{version}.tar.gz.asc
+Source1:        
https://github.com/janmojzis/tinyssh/releases/download/%{version}/%{version}.tar.gz.asc#/%{name}-%{version}.tar.gz.asc
 Source4:        %{name}.keyring
-Patch0:         tinyssh-gcc14-compat.patch
 
 %description
 tinyssh is a minimalistic SSH server which implements only a subset of SSHv2
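Review bot: The detached signature in `Source1` only protects the build if it is actually checked against `Source4` (`%{name}.keyring`), and no verification step is visible in this hunk or in the `%prep` line of the next one. If the package relies on the build service's source validation rather than an in-spec check, a short comment above `Source1` saying so, e.g. `# Source1 is verified against Source4 at check-in, not in %prep`, would make that explicit for the next maintainer. `Source0` is fetched from the `archive/` URL while the signature comes from `releases/download/`, so it is also worth confirming that the signed bytes are the same archive that gets packaged.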
@@ -40,7 +37,7 @@
 use dynamic memory allocation (no allocation failures, etc.)
 
 %prep
-%autosetup -a2
+%autosetup -p1
 
 %build
 export CFLAGS="%{optflags}"

++++++ tinyssh-20250501.tar.gz -> tinyssh-20260301.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tinyssh-20250501/CHANGELOG.md 
new/tinyssh-20260301/CHANGELOG.md
--- old/tinyssh-20250501/CHANGELOG.md   2025-05-01 18:43:00.000000000 +0200
+++ new/tinyssh-20260301/CHANGELOG.md   2026-03-01 07:37:31.000000000 +0100
@@ -1,3 +1,6 @@
+### 20260301
+- Fixed crypto_sign_ed25519_tinyssh_open, now rejects signatures where S >= L 
(Ed25519 group order).
+
 ### 20250501
 - Fixed minor strict kex violation, thanks to Fabian Bäumer and Marcus 
Brinkmann for the bug report.
 - Updated cryptoint to version 20250414
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tinyssh-20250501/README.md 
new/tinyssh-20260301/README.md
--- old/tinyssh-20250501/README.md      2025-05-01 18:43:00.000000000 +0200
+++ new/tinyssh-20260301/README.md      2026-03-01 07:37:31.000000000 +0100
@@ -17,7 +17,7 @@
 * beta(updated): 2018.01.01 - ????.??.?? (ready for production use)
 * stable: expected ????.??.?? - (ready for production use - including 
post-quantum crypto)
 
-### Current release (20250501) ###
+### Current release (20260301) ###
 * has 74260 words of code
 * beta release
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tinyssh-20250501/crypto_sign_ed25519_tinyssh.c 
new/tinyssh-20260301/crypto_sign_ed25519_tinyssh.c
--- old/tinyssh-20250501/crypto_sign_ed25519_tinyssh.c  2025-05-01 
18:43:00.000000000 +0200
+++ new/tinyssh-20260301/crypto_sign_ed25519_tinyssh.c  2026-03-01 
07:37:31.000000000 +0100
@@ -68,7 +68,7 @@
 
     unsigned long long i;
     long long j;
-    unsigned char pkcopy[32], rcopy[32], scopy[32], hram[64], rcheck[32];
+    unsigned char pkcopy[32], rcopy[32], scopy[64], hram[64], rcheck[32];
     ge25519 R, S, A;
     int ret = -1;
 
@@ -83,6 +83,11 @@
     for (i = 0; i < 32; ++i) pkcopy[i] = pk[i];
     for (i = 0; i < 32; ++i) rcopy[i] = sm[i];
     for (i = 0; i < 32; ++i) scopy[i] = sm[i + 32];
+    for (i = 0; i < 32; ++i) scopy[i + 32] = 0;
+
+    /* check S */
+    sc25519_reduce(scopy);
+    if (crypto_verify_32(scopy, sm + 32) != 0) goto fail;
 
     /* copy sm to m and copy pk to m */
     for (j = n - 1; j >= 0; --j) m[j] = sm[j];
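Review bot: The `/* check S */` comment on the added block does not say what is checked or why, although this is the security-relevant change of the release. I would replace it with `/* reject non-canonical S (S >= L): reduce a zero-extended copy mod L and require it to equal the received S */`, which also explains why `scopy` grows to 64 bytes in the declaration hunk above (its upper half is zeroed before `sc25519_reduce(scopy)`, so the reduce presumably consumes 64 bytes). No regression test is visible in this diff; a negative test asserting that a signature with S >= L is rejected would keep the check from being dropped in a later refactor. The function starts before and continues after this hunk, so what the `fail` label does with `m` and whether `scopy` is wiped on exit cannot be confirmed from here.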
