Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package re for openSUSE:Factory checked in at 2026-05-29 18:10:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/re (Old) and /work/SRC/openSUSE:Factory/.re.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "re" Fri May 29 18:10:28 2026 rev:21 rq:1355805 version:4.8.1 Changes: -------- --- /work/SRC/openSUSE:Factory/re/re.changes 2026-05-15 23:54:36.551823402 +0200 +++ /work/SRC/openSUSE:Factory/.re.new.1937/re.changes 2026-05-29 18:11:40.185794713 +0200 @@ -1,0 +2,17 @@ +Fri May 29 07:53:51 UTC 2026 - Martin Hauke <[email protected]> + +- Update to version 4.8.1 + Security related fixes + * GHSA-hvxv-v2gp-v93h + websock: Fix integer overflow in websock_decode() masked frame + check (#1584). + * baresip/baresip#3705 + Fix DTLS single_conn mode lacks peer address validation, + allowing connection hijacking and DoS. + Changes + * fmt/pl: add pl_strip_html(). + * sys/fs: add getpwuid fallback for fs_gethome. + * tls: remove unused include rsa.h + * ice: check source address of incoming application packets. + +------------------------------------------------------------------- @@ -4 +21 @@ -- Updte to version 4.8.0 +- Update to version 4.8.0 Old: ---- re-4.8.0.tar.gz New: ---- re-4.8.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ re.spec ++++++ --- /var/tmp/diff_new_pack.k3S2Qo/_old 2026-05-29 18:11:40.937826030 +0200 +++ /var/tmp/diff_new_pack.k3S2Qo/_new 2026-05-29 18:11:40.937826030 +0200 @@ -20,7 +20,7 @@ %global sover 42 %global libname lib%{name}%{sover} Name: re -Version: 4.8.0 +Version: 4.8.1 Release: 0 Summary: Library for real-time communications with async I/O support License: BSD-3-Clause ++++++ re-4.8.0.tar.gz -> re-4.8.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/CHANGELOG.md new/re-4.8.1/CHANGELOG.md --- old/re-4.8.0/CHANGELOG.md 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/CHANGELOG.md 2026-05-28 17:00:02.000000000 +0200 
@@ -5,6 +5,22 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## v4.8.1 - 2026-05-28 Security and Bugfix Release + +## What's Changed +* fmt/pl: add pl_strip_html() by @sreimers in https://github.com/baresip/re/pull/1575 +* sys/fs: add getpwuid fallback for fs_gethome by @sreimers in https://github.com/baresip/re/pull/1580 +* tls: remove unused include rsa.h by @alfredh in https://github.com/baresip/re/pull/1581 +* ice: check source address of incoming application packets by @alfredh in https://github.com/baresip/re/pull/1583 +* websock: Fix integer overflow in websock_decode() masked frame check by @TristanInSec in https://github.com/baresip/re/pull/1584 + +## New Contributors +* @TristanInSec made their first contribution in https://github.com/baresip/re/pull/1584 + +**Full Changelog**: https://github.com/baresip/re/compare/v4.8.0...v4.8.1 + + ## v4.8.0 - 2026-05-13 ## What's Changed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/CMakeLists.txt new/re-4.8.1/CMakeLists.txt --- old/re-4.8.0/CMakeLists.txt 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/CMakeLists.txt 2026-05-28 17:00:02.000000000 +0200 @@ -14,7 +14,7 @@ cmake_minimum_required(VERSION 3.18...4.0) project(re - VERSION 4.8.0 + VERSION 4.8.1 LANGUAGES C HOMEPAGE_URL https://github.com/baresip/re DESCRIPTION "Generic library for real-time communications" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/include/re_fmt.h new/re-4.8.1/include/re_fmt.h --- old/re-4.8.0/include/re_fmt.h 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/include/re_fmt.h 2026-05-28 17:00:02.000000000 +0200 
@@ -58,6 +58,7 @@ int pl_trim(struct pl *pl); int pl_ltrim(struct pl *pl); int pl_rtrim(struct pl *pl); +void pl_strip_html(struct pl *pl); /** Advance pl position/length by +/- N bytes */ static inline void pl_advance(struct pl *pl, ssize_t n) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/mk/Doxyfile new/re-4.8.1/mk/Doxyfile --- old/re-4.8.0/mk/Doxyfile 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/mk/Doxyfile 2026-05-28 17:00:02.000000000 +0200 @@ -4,7 +4,7 @@ # Project related configuration options #--------------------------------------------------------------------------- PROJECT_NAME = libre -PROJECT_NUMBER = 4.8.0 +PROJECT_NUMBER = 4.8.1 OUTPUT_DIRECTORY = ../re-dox CREATE_SUBDIRS = NO OUTPUT_LANGUAGE = English diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/src/fmt/pl.c new/re-4.8.1/src/fmt/pl.c --- old/re-4.8.0/src/fmt/pl.c 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/src/fmt/pl.c 2026-05-28 17:00:02.000000000 +0200 
@@ -902,3 +902,51 @@ return err; } + + +/** + * Strip HTML tags from a pointer-length string in-place + * + * @param pl Pointer-length string + */ +void pl_strip_html(struct pl *pl) +{ + if (!pl) + return; + + const char *r = pl->p; + bool in_tag = false; + + /* lookup first possible html tag */ + r = memchr(r, '<', pl->l); + if (!r) + return; + + char *w = (char *)r; + + /* Reference: https://html.spec.whatwg.org/multipage/parsing.html */ + for (size_t len = pl->l - (size_t)(r - pl->p); len--; r++) { + if (in_tag) { + if (*r == '>') + in_tag = false; + continue; + } + + /* 13.2.5.1 Data state */ + if (*r == '<' && len >= 1) { + /* 13.2.5.6 Tag open state */ + unsigned char n = *(r + 1); + if (isalpha(n) || n == '/' || n == '!' || n == '?') { + in_tag = true; + continue; + } + } + + unsigned char c = (unsigned char)*r; + if (c >= 0x20 || c == '\n' || c == '\r' || c == '\t') { + *w++ = *r; + } + } + + pl->l = (size_t)(w - pl->p); +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/src/ice/comp.c new/re-4.8.1/src/ice/comp.c --- old/re-4.8.0/src/ice/comp.c 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/src/ice/comp.c 2026-05-28 17:00:02.000000000 +0200 @@ -27,6 +27,21 @@ enum {COMPID_MIN = 1, COMPID_MAX = 255}; +static struct ice_candpair *candpair_find_remote(const struct list *lst, + const struct sa *raddr) +{ + for (struct le *le = list_head(lst); le; le = le->next) { + + struct ice_candpair *cp = le->data; + + if (sa_cmp(&cp->rcand->addr, raddr, SA_ALL)) + return cp; + } + + return NULL; +} + + static bool helper_recv_handler(struct sa *src, struct mbuf *mb, void *arg) { struct icem_comp *comp = arg; 
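Review bot: pl_strip_html() writes through `pl->p` by casting away const (`char *w = (char *)r;`), so a pl that references a string literal or other read-only memory will fault or invoke undefined behaviour, and the doc comment does not say so. The control-character filter also only runs from the first `<` onwards: input with no `<` returns early unfiltered, and bytes before the first tag are never checked, which matters if callers treat the result as safe to print or log. I would add `@note pl must reference writable memory; control characters are only removed after the first '<'` to the doc comment and guard the entry with `if (!pl || !pl->p) return;` so memchr() is never handed a NULL pointer. The output can still contain `<` characters, so it should be escaped rather than trusted if it is ever rendered as HTML.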
@@ -40,8 +55,20 @@ comp->id, mbuf_get_left(mb), src); #endif - if (stun_msg_decode(&msg, mb, &ua)) + if (stun_msg_decode(&msg, mb, &ua)) { + + struct ice_candpair *pair = candpair_find_remote(&icem->validl, + src); + if (!pair) { + icecomp_printf(comp, + "dropping unauth application packet from %J\n", + src); + + return true; + } + return false; + } if (STUN_METHOD_BINDING == stun_msg_method(msg)) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/src/sys/fs.c new/re-4.8.1/src/sys/fs.c --- old/re-4.8.0/src/sys/fs.c 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/src/sys/fs.c 2026-05-28 17:00:02.000000000 +0200 @@ -115,9 +115,14 @@ loginname = sys_username(); if (!loginname) +#ifdef HAVE_UNISTD_H + pw = getpwuid(getuid()); +#else return ENOENT; +#endif + else + pw = getpwnam(loginname); - pw = getpwnam(loginname); if (!pw) return errno; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/src/tls/openssl/tls.c new/re-4.8.1/src/tls/openssl/tls.c --- old/re-4.8.0/src/tls/openssl/tls.c 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/src/tls/openssl/tls.c 2026-05-28 17:00:02.000000000 +0200 @@ -6,7 +6,6 @@ #include <string.h> #include <openssl/ssl.h> #include <openssl/err.h> -#include <openssl/rsa.h> #include <openssl/bn.h> #include <openssl/evp.h> #include <openssl/ec.h> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/src/websock/websock.c new/re-4.8.1/src/websock/websock.c --- old/re-4.8.0/src/websock/websock.c 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/src/websock/websock.c 2026-05-28 17:00:02.000000000 +0200 
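Review bot: The new drop branch in helper_recv_handler() calls `icecomp_printf()` once per rejected packet, and those packets come from senders that are not a validated peer, so log output can be driven at packet rate unless icecomp_printf is already gated by a debug setting (its definition is not in this diff). Counting drops, or logging only the first one per source, would bound that. The check also deserves a comment at the call site, e.g. `/* non-STUN data is only accepted from the remote address of a valid pair */`, since it means application data that arrives before any pair is in `icem->validl` is now discarded. The function body continues outside the hunk.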
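Review bot: The shared `if (!pw) return errno;` after the new getpwuid() fallback can return 0, because getpwnam() and getpwuid() leave errno unchanged when the entry simply does not exist; the caller then sees success although the function returned before producing a path. Set `errno = 0;` before the lookup and use `return errno ? errno : ENOENT;` on a NULL result. The unbraced `if`/`else` split by `#ifdef HAVE_UNISTD_H` is also easy to break in a later edit; bracing both arms would make the two preprocessor variants read the same. The surrounding function starts and ends outside the hunk.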
@@ -204,7 +204,8 @@ if (hdr->mask) { - if (mbuf_get_left(mb) < (4 + hdr->len)) + if (hdr->len > SIZE_MAX - 4 || + mbuf_get_left(mb) < (4 + hdr->len)) return ENODATA; hdr->mkey[0] = mbuf_read_u8(mb); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/test/fmt.c new/re-4.8.1/test/fmt.c --- old/re-4.8.0/test/fmt.c 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/test/fmt.c 2026-05-28 17:00:02.000000000 +0200 @@ -143,6 +143,14 @@ if (NULL != pl_strstr(&pl1, str0)) goto out; + /* pl_strip_html */ + struct pl pl_html = PL_INIT; + char str_html[] = "abc <script>alert(1)</script> <= test <><a"; + pl_set_str(&pl_html, str_html); + pl_strip_html(&pl_html); + TEST_EQUALS(23, pl_html.l); + TEST_EQUALS(0, pl_strcmp(&pl_html, "abc alert(1) <= test <>")); + return 0; out: return EINVAL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/test/sys.c new/re-4.8.1/test/sys.c --- old/re-4.8.0/test/sys.c 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/test/sys.c 2026-05-28 17:00:02.000000000 +0200 @@ -228,3 +228,14 @@ out: return err; } + + +int test_sys_fs_gethome(void) +{ + char path[256]; + int err = fs_gethome(path, sizeof(path)); + TEST_ERR(err); + TEST_EQUALS(true, str_isset(path)); +out: + return err; +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/test/test.c new/re-4.8.1/test/test.c --- old/re-4.8.0/test/test.c 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/test/test.c 2026-05-28 17:00:02.000000000 +0200 
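Review bot: The overflow guard in the masked branch depends on `hdr->len` and `SIZE_MAX` having the same width, which the hunk does not show; writing the bound as a subtraction removes the addition altogether and holds for any unsigned type: `size_t left = mbuf_get_left(mb);` followed by `if (left < 4 || left - 4 < hdr->len) return ENODATA;`. No regression test for an oversized masked length is included in this diff, so the fix is not pinned by the test suite here. The rest of the function is outside the hunk.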
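Review bot: The pl_strip_html() test uses a single input and never reaches the control-character branch or the early return for input without `<`. Cases for a tag-free string, a string containing a byte below 0x20, and an empty pl would pin the behaviour callers are most likely to rely on. The enclosing test function starts outside the hunk.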
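Review bot: `path` in test_sys_fs_gethome() is uninitialised, so if fs_gethome() ever returns 0 without writing the buffer, `str_isset(path)` reads indeterminate stack bytes and the assertion result is meaningless; declare it as `char path[256] = "";`. The test also assumes the build user has a resolvable home directory, which may not hold in a minimal build root (not verifiable from this diff).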
@@ -234,6 +234,7 @@ TEST(test_stun_resp), TEST(test_sys_endian), TEST(test_sys_fs_fopen), + TEST(test_sys_fs_gethome), TEST(test_sys_fs_isdir), TEST(test_sys_fs_isfile), TEST(test_sys_getenv), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/re-4.8.0/test/test.h new/re-4.8.1/test/test.h --- old/re-4.8.0/test/test.h 2026-05-12 10:12:34.000000000 +0200 +++ new/re-4.8.1/test/test.h 2026-05-28 17:00:02.000000000 +0200 @@ -346,9 +346,10 @@ int test_stun(void); int test_sys_endian(void); int test_sys_rand(void); +int test_sys_fs_fopen(void); +int test_sys_fs_gethome(void); int test_sys_fs_isdir(void); int test_sys_fs_isfile(void); -int test_sys_fs_fopen(void); int test_sys_getenv(void); int test_tcp(void); int test_tcp_tos(void);
