Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-ecdsa for openSUSE:Factory checked in at 2026-03-31 16:21:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-ecdsa (Old) and /work/SRC/openSUSE:Factory/.python-ecdsa.new.1999 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-ecdsa"
Tue Mar 31 16:21:19 2026 rev:20 rq:1343880 version:0.19.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-ecdsa/python-ecdsa.changes 2025-06-23 15:06:13.616121992 +0200
+++ /work/SRC/openSUSE:Factory/.python-ecdsa.new.1999/python-ecdsa.changes 2026-03-31 16:21:24.556570141 +0200
@@ -1,0 +2,8 @@
+Mon Mar 30 09:53:28 UTC 2026 - Markéta Machová <[email protected]>
+
+- Update to 0.19.1
+ * Fix CVE-2026-33936, a DER parsing issue in remove_octet_string(),
+ remove_constructed(), and remove_implitic() where a truncated buffer
+ wasn't detected. (bsc#1261009)
+
+-------------------------------------------------------------------
Old:
----
ecdsa-0.19.1.tar.gz
New:
----
ecdsa-0.19.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-ecdsa.spec ++++++
--- /var/tmp/diff_new_pack.0lqz93/_old 2026-03-31 16:21:25.372604435 +0200
+++ /var/tmp/diff_new_pack.0lqz93/_new 2026-03-31 16:21:25.372604435 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package python-ecdsa
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 %{?sle15_python_module_pythons}
 Name: python-ecdsa
-Version: 0.19.1
+Version: 0.19.2
 Release: 0
 Summary: ECDSA cryptographic signature library (pure python)
 License: MIT
++++++ ecdsa-0.19.1.tar.gz -> ecdsa-0.19.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.19.1/.github/workflows/ci.yml new/ecdsa-0.19.2/.github/workflows/ci.yml
--- old/ecdsa-0.19.1/.github/workflows/ci.yml 2025-02-25 13:23:23.000000000 +0100
+++ new/ecdsa-0.19.2/.github/workflows/ci.yml 2026-03-23 12:50:14.000000000 +0100
@@ -24,31 +24,32 @@ python-version: "3.10" tox-env: py310 - name: py2.7 - os: ubuntu-20.04 + os: ubuntu-22.04 python-version: 2.7 tox-env: py27 - name: py2.7 with old gmpy - os: ubuntu-20.04 + os: ubuntu-22.04 python-version: 2.7 tox-env: py27_old_gmpy - name: py2.7 with old gmpy2 - os: ubuntu-20.04 + os: ubuntu-22.04 python-version: 2.7 tox-env: py27_old_gmpy2 - name: py2.7 with old six - os: ubuntu-20.04 + os: ubuntu-22.04 python-version: 2.7 tox-env: py27_old_six - name: py2.7 with gmpy - os: ubuntu-20.04 + os: ubuntu-22.04 python-version: 2.7 tox-env: gmpypy27 - name: py2.7 with gmpy2 - os: ubuntu-20.04 + os: ubuntu-22.04 python-version: 2.7 tox-env: gmpy2py27 - name: py3.6 - os: ubuntu-20.04 + os: ubuntu-latest + container: centos:8 python-version: 3.6 tox-env: py36 - name: py3.7 @@ -97,7 +98,7 @@ tox-env: pypy3 # special configurations - name: py2.7 with instrumental - os: ubuntu-20.04 + os: ubuntu-22.04 python-version: 2.7 opt-deps: ['instrumental'] - name: code checks @@ -118,7 +119,7 @@ if: ${{ matrix.container }} with: fetch-depth: 50 - - name: Ensure dependencies on CentOS + - name: Ensure dependencies on CentOS:6 if: ${{ matrix.container == 'centos:6' }} run: | ls /etc/yum.repos.d/ 
@@ -147,13 +148,55 @@ echo installing yum clean all yum repolist all - yum install -y git make python curl gcc libffi-devel python-devel glibc-devel openssl-devel wget + yum install -y make python curl gcc libffi-devel python-devel glibc-devel openssl-devel wget curl-config curl-devel expat-devel gettext-devel zlib-devel perl-ExtUtils-MakeMaker + cd /usr/src + wget https://www.kernel.org/pub/software/scm/git/git-2.31.0.tar.gz + tar xzf git-2.31.0.tar.gz + cd git-2.31.0 + make prefix=/usr/local/git all + make prefix=/usr/local/git install + ln -fs /usr/local/git/bin/git /usr/bin/git + - name: Ensere dependenceis on CentOS:8 + if: ${{ matrix.container == 'centos:8' }} + run: | + ls /etc/yum.repos.d/ + cat /etc/yum.repos.d/CentOS-Linux-BaseOS.repo + cat /etc/yum.repos.d/CentOS-Linux-AppStream.repo + cat /etc/yum.repos.d/CentOS-Linux-Extras.repo + rm /etc/yum.repos.d/CentOS-Linux-BaseOS.repo + rm /etc/yum.repos.d/CentOS-Linux-AppStream.repo + rm /etc/yum.repos.d/CentOS-Linux-Extras.repo + cat > /etc/yum.repos.d/CentOS-Linux-BaseOS.repo <<EOF + [BaseOS] + name=CentOS Linux $releasever - BaseOS + baseurl=https://vault.centos.org/8.5.2111/BaseOS/x86_64/os/ + gpgcheck=0 + metadata_expire=-1 + EOF + cat > /etc/yum.repos.d/CentOS-Linux-AppStream.repo <<EOF + [AppStream] + name=CentOS Linux $releasever - AppStream + baseurl=https://vault.centos.org/8.5.2111/AppStream/x86_64/os/ + gpgcheck=0 + metadata_expire=-1 + EOF + cat > /etc/yum.repos.d/CentOS-Linux-Extras.repo <<EOF + [Extras] + name=CentOS Linux $releasever - Extras + baseurl=https://vault.centos.org/8.5.2111/extras/x86_64/os/ + gpgcheck=0 + metadata_expire=-1 + EOF + echo installing + yum clean all + yum repolist all + yum install -y git make python36 curl gcc libffi-devel python36-devel glibc-devel openssl-devel wget + ln -fs /usr/bin/python3.6 /usr/bin/python - name: Ensure dependencies on Ubuntu 22.04 if: ${{ matrix.container == 'ubuntu:22.04' }} run: | apt-get update apt-get install -y git make python-is-python3 
python3 curl wget python3-distutils python3-pip - - name: Dependencies for mutation testing if: ${{ matrix.mutation == 'true' }} run: | @@ -178,10 +221,11 @@ run: | sudo apt-get update sudo apt-get install -y \ - python2.7 python2.7-dev python-pip-whl + python2.7 python2.7-dev + curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py sudo ln -sf python2.7 /usr/bin/python - export PYTHONPATH=`echo /usr/share/python-wheels/pip-*py2*.whl` - sudo --preserve-env=PYTHONPATH python -m pip install --upgrade pip setuptools wheel + sudo python get-pip.py + sudo pip install --upgrade setuptools wheel sudo chown -R $USER /usr/local/lib/python2.7 - name: Display Python version run: python -c "import sys; print(sys.version)" @@ -208,6 +252,11 @@ wget https://files.pythonhosted.org/packages/3b/7e/293d19ccd106119e35db4bf3e111b1895098f618b455b758aa636496cf03/setuptools-28.8.0-py2.py3-none-any.whl wget https://files.pythonhosted.org/packages/83/53/e120833aa2350db333df89a40dea3b310dd9dabf6f29eaa18934a597dc79/wheel-0.30.0a0-py2.py3-none-any.whl pip install setuptools-28.8.0-py2.py3-none-any.whl wheel-0.30.0a0-py2.py3-none-any.whl + - name: ensure working pip on 3.6 + if: ${{ matrix.python-version == '3.6' }} + run: | + curl -o get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py + python get-pip.py - name: Install instrumental if: ${{ contains(matrix.opt-deps, 'instrumental') }} run: pip install instrumental 
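Review bot: The three repo files written for the centos:8 job set `gpgcheck=0`, so every package that job pulls from vault.centos.org is installed without RPM signature verification, and the git tarball fetched from kernel.org a few lines earlier is built and installed with no digest check; `gpgcheck=1` with `gpgkey=` pointing at the CentOS key already present in the centos:8 image, plus `echo "<PINNED_SHA256>  git-2.31.0.tar.gz" | sha256sum -c -` before the `tar xzf`, would keep the CI toolchain pinned to known content. The get-pip.py downloads in the hunks at -178 and -208 execute a freshly fetched script (under `sudo` in the first) with the same gap and would benefit from the same digest check. The step name `Ensere dependenceis on CentOS:8` has two typos and should read `Ensure dependencies on CentOS:8`. This is CI-only code, so what is at stake is the integrity of the test environment rather than the shipped library.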
@@ -225,7 +274,7 @@ run: | wget https://files.pythonhosted.org/packages/1d/4e/20c679f8c5948f7c48591fde33d442e716af66a31a88f5791850a75041eb/tox-2.9.1-py2.py3-none-any.whl wget https://files.pythonhosted.org/packages/d9/9d/077582a4c6d771e3b742631e6c1d3688f48210626de488e032776242b3f2/inflect-0.3.0-py2.py3-none-any.whl - wget https://files.pythonhosted.org/packages/79/db/7c0cfe4aa8341a5fab4638952520d8db6ab85ff84505e12c00ea311c3516/pyOpenSSL-17.5.0-py2.py3-none-any.whl + wget https://files.pythonhosted.org/packages/79/db/7c0cfe4aa8341a5fab4638952520d8db6ab85ff84505e12c00ea311c3516/pyOpenSSL-17.5.0-py2.py3-none-any.whl wget https://files.pythonhosted.org/packages/2d/bf/960e5a422db3ac1a5e612cb35ca436c3fc985ed4b7ed13a1b4879006f450/cffi-1.13.2.tar.gz wget https://files.pythonhosted.org/packages/4b/2a/0276479a4b3caeb8a8c1af2f8e4355746a97fab05a372e4a2c6a6b876165/idna-2.7-py2.py3-none-any.whl wget https://files.pythonhosted.org/packages/72/20/7f0f433060a962200b7272b8c12ba90ef5b903e218174301d0abfd523813/unittest2-1.1.0-py2.py3-none-any.whl @@ -383,7 +432,6 @@ else coveralls fi - coveralls: name: Indicate completion to coveralls.io needs: test diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.19.1/PKG-INFO new/ecdsa-0.19.2/PKG-INFO --- old/ecdsa-0.19.1/PKG-INFO 2025-03-13 12:49:22.201222000 +0100 +++ new/ecdsa-0.19.2/PKG-INFO 2026-03-26 10:58:01.293388000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: ecdsa -Version: 0.19.1 +Version: 0.19.2 Summary: ECDSA cryptographic signature library (pure python) Home-page: http://github.com/tlsfuzzer/python-ecdsa Author: Brian Warner diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.19.1/src/ecdsa/_version.py new/ecdsa-0.19.2/src/ecdsa/_version.py --- old/ecdsa-0.19.1/src/ecdsa/_version.py 2025-03-13 12:49:22.202222000 +0100 +++ new/ecdsa-0.19.2/src/ecdsa/_version.py 2026-03-26 10:58:01.293748400 +0100 
@@ -8,11 +8,11 @@
 version_json = '''
 {
- "date": "2025-03-13T12:48:15+0100",
+ "date": "2026-03-26T10:50:34+0100",
 "dirty": false,
 "error": null,
- "full-revisionid": "2a6593d840ad153a16ebdd4f9b772b290494f3e3",
- "version": "0.19.1"
+ "full-revisionid": "bd66899550d7185939bf27b75713a2ac9325a9d3",
+ "version": "0.19.2"
 }
 ''' # END VERSION_JSON
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.19.1/src/ecdsa/der.py new/ecdsa-0.19.2/src/ecdsa/der.py
--- old/ecdsa-0.19.1/src/ecdsa/der.py 2025-03-12 17:53:37.000000000 +0100
+++ new/ecdsa-0.19.2/src/ecdsa/der.py 2026-03-26 10:51:10.000000000 +0100
@@ -163,6 +163,8 @@
 )
 tag = s0 & 0x1F
 length, llen = read_length(string[1:])
+ if length > len(string) - 1 - llen:
+ raise UnexpectedDER("Length longer than the provided buffer")
 body = string[1 + llen : 1 + llen + length]
 rest = string[1 + llen + length :]
 return tag, body, rest
@@ -206,6 +208,8 @@
 tag = s0 & 0x1F
 length, llen = read_length(string[1:])
+ if length > len(string) - 1 - llen:
+ raise UnexpectedDER("Length longer than the provided buffer")
 body = string[1 + llen : 1 + llen + length]
 rest = string[1 + llen + length :]
 return tag, body, rest
@@ -229,6 +233,8 @@
 n = str_idx_as_int(string, 0)
 raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n)
 length, llen = read_length(string[1:])
+ if length > len(string) - 1 - llen:
+ raise UnexpectedDER("Length longer than the provided buffer")
 body = string[1 + llen : 1 + llen + length]
 rest = string[1 + llen + length :]
 return body, rest
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.19.1/src/ecdsa/test_der.py new/ecdsa-0.19.2/src/ecdsa/test_der.py
--- old/ecdsa-0.19.1/src/ecdsa/test_der.py 2025-03-12 17:53:37.000000000 +0100
+++ new/ecdsa-0.19.2/src/ecdsa/test_der.py 2026-03-26 10:51:10.000000000 +0100
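Review bot: The guard `if length > len(string) - 1 - llen:` is pasted verbatim into three decoders (hunks at -163, -206 and -229), which makes it easy for the next remove_* function that slices a body by declared length to miss it; a single helper that performs the bound check and returns `(body, rest)` would give every decoder the check for free, and it is worth confirming that no other decoder in der.py still slices without it. The comparison itself is sound for Python ints: `len(string) - 1 - llen` is exactly the number of bytes after the tag and length octets, so a declared length equal to it is still accepted and only a longer one raises. Whether `read_length` already rejects a length field that itself runs past the end of `string` is not visible here; if it does not, `llen` could exceed the buffer before this check runs, so that path deserves its own test. The new message is a capitalised sentence while the neighbouring one follows the `"wanted type ..., got ..."` style; since test_der.py now matches on the text, pick one style and keep it. The enclosing functions begin outside the hunk.
```python
def _take_body(string, llen, length):
    """Return (body, rest) of a TLV whose tag and length octets were already read.

    Raises UnexpectedDER when the declared length runs past the end of string.
    """
    if length > len(string) - 1 - llen:
        raise UnexpectedDER("Length longer than the provided buffer")
    return string[1 + llen : 1 + llen + length], string[1 + llen + length :]

# … unchanged: tag checks in remove_constructed / remove_implicit / remove_octet_string …
    length, llen = read_length(string[1:])
    body, rest = _take_body(string, llen, length)
```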
@@ -600,3 +600,23 @@
 decoded_oid, rest = remove_object(encoded_oid)
 assert rest == b""
 assert decoded_oid == ids
+
+def test_remove_octet_string_rejects_truncated_length():
+ # OCTET STRING: declared length 4096, but only 3 bytes present
+ bad = b"\x04\x82\x10\x00" + b"ABC"
+ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
+ remove_octet_string(bad)
+
+def test_remove_constructed_rejects_truncated_length():
+ # Constructed tag: 0xA0 (context-specific constructed, tag=0)
+ # declared length 4096, but only 3 bytes present
+ bad = b"\xA0\x82\x10\x00" + b"ABC"
+ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
+ remove_constructed(bad)
+
+def test_remove_implicit_rejects_truncated_length():
+ # IMPLICIT primitive context-specific tag 0: 0x80
+ # declared length 4096, but only 3 bytes present
+ bad = b"\x80\x82\x10\x00" + b"ABC"
+ with pytest.raises(UnexpectedDER, match="Length longer than the provided buffer"):
+ remove_implicit(bad)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/ecdsa-0.19.1/src/ecdsa.egg-info/PKG-INFO new/ecdsa-0.19.2/src/ecdsa.egg-info/PKG-INFO
--- old/ecdsa-0.19.1/src/ecdsa.egg-info/PKG-INFO 2025-03-13 12:49:21.000000000 +0100
+++ new/ecdsa-0.19.2/src/ecdsa.egg-info/PKG-INFO 2026-03-26 10:58:01.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: ecdsa
-Version: 0.19.1
+Version: 0.19.2
 Summary: ECDSA cryptographic signature library (pure python)
 Home-page: http://github.com/tlsfuzzer/python-ecdsa
 Author: Brian Warner
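Review bot: All three new tests exercise only the long-form two-byte length (`\x82\x10\x00`), so the short-form path and the exact boundary of the new comparison are unpinned; a short-form truncation such as `bad = b"\x04\x05" + b"ABC"` and a boundary case where the declared length equals the bytes present, `assert remove_octet_string(b"\x04\x03ABC") == (b"ABC", b"")`, would cover both sides of `length > len(string) - 1 - llen` and guard against an off-by-one regression. The three functions are separated by a single blank line where the rest of a black-formatted file would use two, so the formatter check may flag them if one runs in CI. The test names are clear and the `match=` on the error text is a useful contract, which is one more reason to keep that message stable.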
