Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package aws-c-common for openSUSE:Factory checked in at 2026-06-15 19:49:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/aws-c-common (Old) and /work/SRC/openSUSE:Factory/.aws-c-common.new.1981 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aws-c-common" Mon Jun 15 19:49:24 2026 rev:31 rq:1359497 version:0.14.0 Changes: -------- --- /work/SRC/openSUSE:Factory/aws-c-common/aws-c-common.changes 2026-05-26 16:37:06.623638578 +0200 +++ /work/SRC/openSUSE:Factory/.aws-c-common.new.1981/aws-c-common.changes 2026-06-15 19:53:13.424023743 +0200 @@ -1,0 +2,6 @@ +Mon Jun 8 07:18:57 UTC 2026 - John Paul Adrian Glaubitz <[email protected]> + +- Update to 0.14.0 + * base64 decode fix by @TingDaoK in (#1248) + +------------------------------------------------------------------- Old: ---- v0.13.1.tar.gz New: ---- v0.14.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ aws-c-common.spec ++++++ --- /var/tmp/diff_new_pack.5rsFNu/_old 2026-06-15 19:53:14.096051928 +0200 +++ /var/tmp/diff_new_pack.5rsFNu/_new 2026-06-15 19:53:14.100052095 +0200 @@ -19,7 +19,7 @@ %define library_version 1.0.0 %define library_soversion 1 Name: aws-c-common -Version: 0.13.1 +Version: 0.14.0 Release: 0 Summary: Core C99 package for AWS SDK for C License: Apache-2.0 ++++++ v0.13.1.tar.gz -> v0.14.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-common-0.13.1/source/encoding.c new/aws-c-common-0.14.0/source/encoding.c --- old/aws-c-common-0.13.1/source/encoding.c 2026-05-20 18:40:27.000000000 +0200 +++ new/aws-c-common-0.14.0/source/encoding.c 2026-05-28 00:02:05.000000000 +0200 @@ -440,6 +440,7 @@ } int64_t block_count = (int64_t)(to_decode->len + 3) / 4; + size_t remainder = to_decode->len % 4; size_t string_index = 0; uint8_t value1 = 0, value2 = 0, value3 = 0, value4 = 0; 
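Review bot: `size_t remainder = to_decode->len % 4;` is declared in this hunk, but no added line in either visible encoding.c hunk reads it, so as far as this diff shows it is an unused local. A build that treats unused-variable warnings as errors would fail on it, and a reader of the decoder is left wondering whether a length check was meant to follow. Either drop the declaration or add the code that consumes it in the same change. The enclosing function starts and ends outside this hunk.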
@@ -480,16 +481,29 @@ return aws_raise_error(AWS_ERROR_INVALID_BASE64_STR); } + /* Reject interior '=' followed by non-'=' (e.g. "AB=D") per RFC 4648: + * '=' is only valid at the end of encoded data. */ + if (value3 == BASE64_SENTINEL_VALUE && value4 != BASE64_SENTINEL_VALUE) { + return aws_raise_error(AWS_ERROR_INVALID_BASE64_STR); + } + output->buffer[buffer_index++] = (uint8_t)((value1 << 2) | ((value2 >> 4) & 0x03)); if (value3 != BASE64_SENTINEL_VALUE) { output->buffer[buffer_index++] = (uint8_t)(((value2 << 4) & 0xF0) | ((value3 >> 2) & 0x0F)); if (value4 != BASE64_SENTINEL_VALUE) { - output->buffer[buffer_index] = (uint8_t)((value3 & 0x03) << 6 | value4); + output->buffer[buffer_index++] = (uint8_t)((value3 & 0x03) << 6 | value4); } } } output->len = decoded_length; + + /* Sanity check: bytes written must match the precomputed decoded length */ + if (buffer_index >= 0 && (size_t)buffer_index != decoded_length) { + output->len = 0; + return aws_raise_error(AWS_ERROR_INVALID_BASE64_STR); + } + return AWS_OP_SUCCESS; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-common-0.13.1/tests/CMakeLists.txt new/aws-c-common-0.14.0/tests/CMakeLists.txt --- old/aws-c-common-0.13.1/tests/CMakeLists.txt 2026-05-20 18:40:27.000000000 +0200 +++ new/aws-c-common-0.14.0/tests/CMakeLists.txt 2026-05-28 00:02:05.000000000 +0200 
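Review bot: The byte-count check at the end of this hunk runs after `output->len = decoded_length;` has been stored and after the last block has been written, so it detects a mismatch rather than preventing one. A reported length larger than the bytes actually written would hand the caller whatever was in the buffer before the call, so it is safer to move the `if (buffer_index >= 0 && (size_t)buffer_index != decoded_length)` block above the assignment and set `output->len = decoded_length;` only once the count is verified. The `buffer_index >= 0` guard skips the check whenever the index is negative; which inputs produce that is not visible here, so a one-line comment naming the case would help. The new early return for interior '=' leaves any bytes from earlier blocks in `output->buffer` and does not touch `output->len`, which is worth stating in the function's documentation. The function begins outside the hunk.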
@@ -143,6 +143,7 @@ add_test_case(base64_encoding_invalid_buffer_test) add_test_case(base64_encoding_highbyte_string_test) add_test_case(base64_encoding_invalid_padding_test) +add_test_case(base64_encoding_interior_padding_rejected_test) add_test_case(base64_encoding_test_zeros) add_test_case(base64_encoding_test_roundtrip) add_test_case(base64_encoding_test_all_values) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-common-0.13.1/tests/encoding_test.c new/aws-c-common-0.14.0/tests/encoding_test.c --- old/aws-c-common-0.13.1/tests/encoding_test.c 2026-05-20 18:40:27.000000000 +0200 +++ new/aws-c-common-0.14.0/tests/encoding_test.c 2026-05-28 00:02:05.000000000 +0200 
@@ -798,6 +798,53 @@ AWS_TEST_CASE(base64_encoding_invalid_padding_test, s_base64_encoding_invalid_padding_test_fn) +/* Regression test: interior '=' followed by non-'=' must be rejected per RFC 4648 section 4. + * Only the patterns "XX==" (1 byte) and "XXX=" (2 bytes) are valid padding. */ +static int s_base64_encoding_interior_padding_rejected_test_fn(struct aws_allocator *allocator, void *ctx) { + (void)allocator; + (void)ctx; + + /* All of these have '=' at position 3 followed by a valid base64 char — must be rejected */ + const char *invalid_inputs[] = {"AB=D", "AB=d", "XX=Y", "ab=+"}; + for (size_t i = 0; i < AWS_ARRAY_SIZE(invalid_inputs); ++i) { + uint8_t output[16] = {0}; + struct aws_byte_cursor encoded_buf = aws_byte_cursor_from_c_str(invalid_inputs[i]); + struct aws_byte_buf output_buf = aws_byte_buf_from_empty_array(output, sizeof(output)); + + ASSERT_ERROR( + AWS_ERROR_INVALID_BASE64_STR, + aws_base64_decode(&encoded_buf, &output_buf), + "input \"%s\" with interior '=' should be rejected", + invalid_inputs[i]); + ASSERT_UINT_EQUALS(0, output_buf.len, "output.len must be 0 on rejection"); + } + + /* Verify that valid padding patterns still work */ + { + /* "Zg==" decodes to "f" (1 byte) */ + uint8_t output[16] = {0}; + struct aws_byte_cursor encoded_buf = aws_byte_cursor_from_c_str("Zg=="); + struct aws_byte_buf output_buf = aws_byte_buf_from_empty_array(output, sizeof(output)); + ASSERT_SUCCESS(aws_base64_decode(&encoded_buf, &output_buf)); + ASSERT_UINT_EQUALS(1, output_buf.len); + ASSERT_UINT_EQUALS('f', output_buf.buffer[0]); + } + { + /* "Zm8=" decodes to "fo" (2 bytes) */ + uint8_t output[16] = {0}; + struct aws_byte_cursor encoded_buf = aws_byte_cursor_from_c_str("Zm8="); + struct aws_byte_buf output_buf = aws_byte_buf_from_empty_array(output, sizeof(output)); + ASSERT_SUCCESS(aws_base64_decode(&encoded_buf, &output_buf)); + ASSERT_UINT_EQUALS(2, output_buf.len); + ASSERT_UINT_EQUALS('f', output_buf.buffer[0]); + ASSERT_UINT_EQUALS('o', 
output_buf.buffer[1]); + } + + return 0; +} + +AWS_TEST_CASE(base64_encoding_interior_padding_rejected_test, s_base64_encoding_interior_padding_rejected_test_fn) + /* network integer encoding tests */ static int s_uint64_buffer_test_fn(struct aws_allocator *allocator, void *ctx) { (void)allocator;
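Review bot: Every entry in `invalid_inputs` is a single four-character block, so the test never reaches the new rejection with earlier blocks already decoded into the output. The assertion `ASSERT_UINT_EQUALS(0, output_buf.len, "output.len must be 0 on rejection")` also passes trivially: the buffer starts with length 0 and, as far as the decoder hunk shows, the early return does not write `len`. Adding a multi-block case to the array, for example the constructed input `"Zm9vAB=D"`, and starting from a buffer whose `len` is non-zero would make the assertion meaningful. The decoder's final length sanity check has no case here; if it is expected to be unreachable after the interior-padding check, a comment saying so would record that intent.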
