Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libsolv for openSUSE:Factory checked in at 2026-05-29 18:04:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsolv (Old) and /work/SRC/openSUSE:Factory/.libsolv.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsolv" Fri May 29 18:04:42 2026 rev:104 rq:1355320 version:0.7.38 Changes: -------- --- /work/SRC/openSUSE:Factory/libsolv/libsolv.changes 2026-05-14 21:42:01.660312566 +0200 +++ /work/SRC/openSUSE:Factory/.libsolv.new.1937/libsolv.changes 2026-05-29 18:05:23.154086485 +0200 @@ -1,0 +2,13 @@ +Tue May 26 10:31:41 CEST 2026 - Michael Schroeder <[email protected]> + +- made repo_add_solv more robust against corrupt files + [bsc#1265935] [CVE-2026-9149] +- fix potential buffer overflow when verifying EdDSA signatures + [bsc#1266039] [CVE-2026-48863] +- added limit checks in multiple places to catch overflows +- reduce the size of the language id cache +- fixed Debian canon selection +- fixed dbpath detection in repo_rpmdb_librpm +- reduced stack usage in repo page compression (needed for musl) + +------------------------------------------------------------------- @@ -4,0 +18 @@ + [bsc#1265938] [CVE-2026-9150] @@ -7 +21 @@ -- fix parsing of recommands in the old Mandriva synthesis format +- fix parsing of recommends in the old Mandriva synthesis format Old: ---- libsolv-0.7.37.tar.bz2 New: ---- libsolv-0.7.38.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsolv.spec ++++++ --- /var/tmp/diff_new_pack.RUvwaT/_old 2026-05-29 18:05:23.978120582 +0200 +++ /var/tmp/diff_new_pack.RUvwaT/_new 2026-05-29 18:05:23.982120748 +0200 @@ -72,7 +72,7 @@ %bcond_with zypp Name: libsolv -Version: 0.7.37 +Version: 0.7.38 Release: 0 Summary: Package dependency solver using a satisfiability algorithm License: BSD-3-Clause ++++++ libsolv-0.7.37.tar.bz2 -> libsolv-0.7.38.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/NEWS new/libsolv-0.7.38/NEWS --- old/libsolv-0.7.37/NEWS 2026-04-23 11:30:07.000000000 +0200 +++ new/libsolv-0.7.38/NEWS 2026-05-26 13:40:08.000000000 +0200 @@ -1,12 +1,25 @@ This file contains the major changes between libsolv versions: +Version 0.7.38 +- selected bug fixes: + * made repo_add_solv more robust against corrupt files + (CVE-2026-9149) + * fix potential buffer overflow when verifying EdDSA signatures + (CVE-2026-48863) + * added limit checks in multiple places to catch overflows + * reduce the size of the language id cache + * fixed Debian canon selection + * fixed dbpath detection in repo_rpmdb_librpm + * reduced stack usage in repo page compression (needed for musl) + Version 0.7.37 - selected bug fixes: * fix parsing of sha512 checksums in debian repositories + (CVE-2026-9150) * improve speed of dirpool_add_dir makeing parsing of filelists.xml twice as fast - * fix parsing of recommands in the old Mandriva synthesis format + * fix parsing of recommends in the old Mandriva synthesis format Version 0.7.36 - selected bug fixes: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/TODO new/libsolv-0.7.38/TODO --- old/libsolv-0.7.37/TODO 2026-05-11 12:50:07.000000000 +0200 +++ new/libsolv-0.7.38/TODO 2026-05-19 11:30:08.000000000 +0200 @@ -5,7 +5,7 @@ had repo_write in libsolvext) - add SHA3 digest support - use size_t in pool_alloctmpspace, pool_strn2id, stringpool_strn2id, - solv_xmlparser_contentspace, solv_hex2bin, solv_bin2hex, + solv_xmlparser_contentspace, solv_hex2bin, solv_bin2hex, pool_bin2hex, solv_chksum_add, strnhash - drop solv_pgpvrfy.c and most of repo_pubkey (hopefully noone uses them anyway) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/VERSION.cmake new/libsolv-0.7.38/VERSION.cmake --- old/libsolv-0.7.37/VERSION.cmake 2026-04-23 11:30:07.000000000 +0200 +++ new/libsolv-0.7.38/VERSION.cmake 2026-05-26 13:40:08.000000000 +0200 @@ -49,5 +49,5 @@ SET(LIBSOLV_MAJOR "0") SET(LIBSOLV_MINOR "7") -SET(LIBSOLV_PATCH "37") +SET(LIBSOLV_PATCH "38") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/ext/repo_rpmmd.c new/libsolv-0.7.38/ext/repo_rpmmd.c --- old/libsolv-0.7.37/ext/repo_rpmmd.c 2026-04-09 14:30:07.000000000 +0200 +++ new/libsolv-0.7.38/ext/repo_rpmmd.c 2026-05-15 11:00:07.000000000 +0200 @@ -521,7 +521,7 @@ fprintf(stderr, "rebuild cshash with mask 0x%x\n", hm); #endif solv_free(pd->cshash); - ht = pd->cshash = (Hashtable)solv_calloc(hm + 1, sizeof(Id)); + ht = pd->cshash = allochashtable(hm, 1); d = pd->csdata; de = d + pd->ncsdata; while (d != de) @@ -565,7 +565,7 @@ memcpy(d + 1, key, keyl); memcpy(d + 1 + keyl, &id, sizeof(Id)); pd->ncsdata += 1 + keyl + sizeof(Id); - if ((Hashval)++pd->ncshash * 2 > hm) + if ((Hashval)++pd->ncshash * 2 >= hm) { pd->cshashm = pd->cshashm ? (2 * pd->cshashm + 1) : 4095; rebuild_cshash(pd); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/ext/solv_pgpvrfy.c new/libsolv-0.7.38/ext/solv_pgpvrfy.c --- old/libsolv-0.7.37/ext/solv_pgpvrfy.c 2024-05-16 15:50:06.000000000 +0200 +++ new/libsolv-0.7.38/ext/solv_pgpvrfy.c 2026-05-26 13:40:08.000000000 +0200 @@ -589,7 +589,7 @@ if (rlen) memcpy(sigdata + 32 - rlen, r, rlen); if (slen) - memcpy(sigdata + 64 - slen, s, rlen); + memcpy(sigdata + 64 - slen, s, slen); res = mped25519(pub + 1 + 10 + 2 + 1, sigdata, sig + 2, hashl); break; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/package/libsolv.changes new/libsolv-0.7.38/package/libsolv.changes --- old/libsolv-0.7.37/package/libsolv.changes 2026-04-23 11:30:07.000000000 +0200 +++ new/libsolv-0.7.38/package/libsolv.changes 2026-05-26 13:40:08.000000000 +0200 @@ -1,10 +1,24 @@ ------------------------------------------------------------------- +Tue May 26 10:31:41 CEST 2026 - Michael Schroeder <[email protected]> + +- made repo_add_solv more robust against corrupt files + [bsc#1265935] [CVE-2026-9149] +- fix potential buffer overflow when verifying EdDSA signatures + [bsc#1266039] [CVE-2026-48863] +- added limit checks in multiple places to catch overflows +- reduce the size of the language id cache +- fixed Debian canon selection +- fixed dbpath detection in repo_rpmdb_librpm +- reduced stack usage in repo page compression (needed for musl) + +------------------------------------------------------------------- Thu Apr 23 11:22:49 CEST 2026 - Michael Schroeder <[email protected]> - fix parsing of sha512 checksums in debian repositories + [bsc#1265938] [CVE-2026-9150] - improve speed of dirpool_add_dir makeing parsing of filelists.xml twice as fast -- fix parsing of recommands in the old Mandriva synthesis format +- fix parsing of recommends in the old Mandriva synthesis format - bump version to 0.7.37 ------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/src/dirpool.c new/libsolv-0.7.38/src/dirpool.c --- old/libsolv-0.7.37/src/dirpool.c 2026-05-06 15:50:07.000000000 +0200 +++ new/libsolv-0.7.38/src/dirpool.c 2026-05-18 13:00:07.000000000 +0200 @@ -82,9 +82,9 @@ dirpool_make_dirtraverse(Dirpool *dp) { Id parent, i, *dirtraverse; + dp->dirtraverse = solv_free(dp->dirtraverse); if (!dp->ndirs) return; - dp->dirs = solv_extend_resize(dp->dirs, dp->ndirs, sizeof(Id), DIR_BLOCK); dirtraverse = solv_calloc_block(dp->ndirs, sizeof(Id), DIR_BLOCK); for (i = 0; i < dp->ndirs; i++) { @@ -134,6 +134,23 @@ } } +/* Create a new block for a parent */ +static void +dirpool_add_block(Dirpool *dp, Id parent) +{ + /* make room for parent entry */ + dp->dirs = solv_extend(dp->dirs, dp->ndirs, 1, sizeof(Id), DIR_BLOCK); + /* new parent block, update dirtraverse if present */ + dp->dirs[dp->ndirs] = -parent; + if (dp->dirtraverse) + { + dp->dirtraverse = solv_extend(dp->dirtraverse, dp->ndirs, 1, sizeof(Id), DIR_BLOCK); + dp->dirtraverse[dp->ndirs] = dp->dirtraverse[parent]; + dp->dirtraverse[parent] = dp->ndirs + 1; /* point to future entry */ + } + dp->ndirs++; +} + Id dirpool_add_dir(Dirpool *dp, Id parent, Id comp, int create) { @@ -150,14 +167,19 @@ dp->dirs[0] = 0; dp->dirs[1] = 1; /* "" */ } - if (comp <= 0) + if (parent < 0 || comp <= 0) return 0; if (parent == 0 && comp == 1) return 1; /* grow hash table if load factor exceeds 50% */ if ((Hashval)dp->ndirs * 2 >= dp->dirhashmask) - dirpool_resize_hash(dp, DIR_BLOCK); + { + /* hack: repo_add_solv will not use DIR_BLOCK, so realloc here */ + if (!dp->dirhashmask) + dp->dirs = solv_extend_resize(dp->dirs, dp->ndirs, sizeof(Id), DIR_BLOCK); + dirpool_resize_hash(dp, DIR_BLOCK); + } ht = dp->dirhashtbl; hm = dp->dirhashmask; @@ -175,36 +197,23 @@ if (!create) return 0; - /* find last parent block */ - for (did = dp->ndirs - 1; did > 0; did--) - if (dp->dirs[did] <= 0) - break; - if (dp->dirs[did] != -parent) - { - /* make room for parent entry */ - dp->dirs = solv_extend(dp->dirs, dp->ndirs, 1, sizeof(Id), DIR_BLOCK); - /* new parent block, link in */ - dp->dirs[dp->ndirs] = -parent; - if (dp->dirtraverse) - { - dp->dirtraverse = solv_extend(dp->dirtraverse, dp->ndirs, 1, sizeof(Id), DIR_BLOCK); - dp->dirtraverse[dp->ndirs] = dp->dirtraverse[parent]; - dp->dirtraverse[parent] = dp->ndirs; - } - dp->ndirs++; - } - /* make room for new entry */ + /* start a new block if the parent is different */ + if (dirpool_parent(dp, dp->ndirs - 1) != parent) + dirpool_add_block(dp, parent); + + /* add new entry */ dp->dirs = solv_extend(dp->dirs, dp->ndirs, 1, sizeof(Id), DIR_BLOCK); dp->dirs[dp->ndirs] = comp; if (dp->dirtraverse) { dp->dirtraverse = solv_extend(dp->dirtraverse, dp->ndirs, 1, sizeof(Id), DIR_BLOCK); - dp->dirtraverse[dp->ndirs] = 0; + dp->dirtraverse[dp->ndirs] = 0; /* no children */ } + did = dp->ndirs++; /* insert new entry into hash table (h still points at * the empty slot from the failed probe above) */ - ht[h] = dp->ndirs; + ht[h] = did; - return dp->ndirs++; + return did; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/src/hash.h new/libsolv-0.7.38/src/hash.h --- old/libsolv-0.7.37/src/hash.h 2026-05-06 17:29:20.000000000 +0200 +++ new/libsolv-0.7.38/src/hash.h 2026-05-15 11:00:07.000000000 +0200 @@ -92,7 +92,7 @@ static inline Hashtable allochashtable(Hashval mask, size_t size) { - if (mask == 0 && ((size_t)mask + 1) == 0) + if (mask == 0 || ((size_t)mask + 1) == 0) solv_oom((size_t)mask, size * sizeof(Id)); return (Hashtable)solv_calloc((size_t)mask + 1, size * sizeof(Id)); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/src/pool.c new/libsolv-0.7.38/src/pool.c --- old/libsolv-0.7.37/src/pool.c 2026-05-04 10:20:08.000000000 +0200 +++ new/libsolv-0.7.38/src/pool.c 2026-05-19 11:30:08.000000000 +0200 @@ -34,6 +34,8 @@ #include "knownid.h" #undef KNOWNID_INITIALIZE +#define POOL_MAX_TMPSPACE_LEN 0x1000000 + /* create pool */ Pool * pool_create(void) @@ -430,6 +432,8 @@ int n = pool->tmpspace.n; if (len <= 0) return 0; + if (len >= POOL_MAX_TMPSPACE_LEN) + solv_ovfl("tmpspace size overflow"); if (len > pool->tmpspace.len[n]) { pool->tmpspace.buf[n] = solv_realloc(pool->tmpspace.buf[n], len + 32); @@ -479,11 +483,13 @@ char * pool_tmpjoin(Pool *pool, const char *str1, const char *str2, const char *str3) { - int l1, l2, l3; + size_t l1, l2, l3; char *s, *str; l1 = str1 ? strlen(str1) : 0; l2 = str2 ? strlen(str2) : 0; l3 = str3 ? strlen(str3) : 0; + if (l1 >= POOL_MAX_TMPSPACE_LEN || l2 >= POOL_MAX_TMPSPACE_LEN || l3 >= POOL_MAX_TMPSPACE_LEN) + solv_ovfl("tmpspace size overflow"); s = str = pool_alloctmpspace(pool, l1 + l2 + l3 + 1); if (l1) { @@ -507,12 +513,14 @@ char * pool_tmpappend(Pool *pool, const char *str1, const char *str2, const char *str3) { - int l1, l2, l3; + size_t l1, l2, l3; char *s, *str; l1 = str1 ? strlen(str1) : 0; l2 = str2 ? strlen(str2) : 0; l3 = str3 ? strlen(str3) : 0; + if (l1 >= POOL_MAX_TMPSPACE_LEN || l2 >= POOL_MAX_TMPSPACE_LEN || l3 >= POOL_MAX_TMPSPACE_LEN) + solv_ovfl("tmpspace size overflow"); str = pool_alloctmpspace_free(pool, str1, l1 + l2 + l3 + 1); if (str) str1 = str; @@ -545,6 +553,8 @@ char *s; if (len <= 0) return ""; + if (len >= POOL_MAX_TMPSPACE_LEN / 2) + solv_ovfl("pool_bin2hex size overflow"); s = pool_alloctmpspace(pool, 2 * len + 1); solv_bin2hex(buf, len, s); return s; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/src/repo.c new/libsolv-0.7.38/src/repo.c --- old/libsolv-0.7.37/src/repo.c 2026-05-06 15:50:07.000000000 +0200 +++ new/libsolv-0.7.38/src/repo.c 2026-05-15 11:00:07.000000000 +0200 @@ -396,7 +396,7 @@ if (repo->lastidhash_idarraysize != repo->idarraysize || (Hashval)size * 2 > repo->lastidhash_mask || repo->lastmarker != marker) { repo->lastmarkerpos = 0; - if ((Hashval)size * 2 > repo->lastidhash_mask) + if ((Hashval)size * 2 >= repo->lastidhash_mask) { repo->lastidhash_mask = mkmask(size < REPO_ADDID_DEP_HASHMIN ? REPO_ADDID_DEP_HASHMIN : size); solv_free(repo->lastidhash); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsolv-0.7.37/src/repo_solv.c new/libsolv-0.7.38/src/repo_solv.c --- old/libsolv-0.7.37/src/repo_solv.c 2026-05-05 13:30:08.000000000 +0200 +++ new/libsolv-0.7.38/src/repo_solv.c 2026-05-18 13:00:07.000000000 +0200 @@ -873,6 +873,7 @@ /******* Part 3: Dirs ***********************************************/ if (numdir) { + /* note that we do not use DIR_BLOCK here. See comment in dirpool_add_dir */ data.dirpool.dirs = solv_malloc2(numdir, sizeof(Id)); data.dirpool.ndirs = numdir; data.dirpool.dirs[0] = 0; /* dir 0: virtual root */
