Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libksba for openSUSE:Factory checked in at 2022-10-18 12:44:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libksba (Old) and /work/SRC/openSUSE:Factory/.libksba.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libksba" Tue Oct 18 12:44:36 2022 rev:43 rq:1012125 version:1.6.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libksba/libksba.changes 2022-09-19 16:02:50.634071367 +0200 +++ /work/SRC/openSUSE:Factory/.libksba.new.2275/libksba.changes 2022-10-18 12:44:53.389708701 +0200 @@ -1,0 +2,6 @@ +Mon Oct 17 12:45:32 UTC 2022 - Pedro Monreal <pmonr...@suse.com> + +- libksba 1.6.2: [bsc#1204357, CVE-2022-3515] + * Fix integer overflow in the CRL parser. + +------------------------------------------------------------------- Old: ---- libksba-1.6.1.tar.bz2 libksba-1.6.1.tar.bz2.sig New: ---- libksba-1.6.2.tar.bz2 libksba-1.6.2.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libksba.spec ++++++ --- /var/tmp/diff_new_pack.WTp3Kw/_old 2022-10-18 12:44:53.853709758 +0200 +++ /var/tmp/diff_new_pack.WTp3Kw/_new 2022-10-18 12:44:53.857709767 +0200 @@ -18,7 +18,7 @@ %define soname 8 Name: libksba -Version: 1.6.1 +Version: 1.6.2 Release: 0 Summary: A X.509 Library License: (GPL-2.0-or-later OR LGPL-3.0-or-later) AND GPL-3.0-or-later AND MIT ++++++ libksba-1.6.1.tar.bz2 -> libksba-1.6.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.1/ChangeLog new/libksba-1.6.2/ChangeLog --- old/libksba-1.6.1/ChangeLog 2022-09-16 12:27:53.000000000 +0200 +++ new/libksba-1.6.2/ChangeLog 2022-10-07 10:09:50.000000000 +0200 
@@ -1,3 +1,16 @@ +2022-10-07 Werner Koch <w...@gnupg.org> + + Release 1.6.2. + + commit 29814959fe2b65c6d4ac35dea261006a8cad3661 + + +2022-10-05 Werner Koch <w...@gnupg.org> + + Detect a possible overflow directly in the TLV parser. + + commit 4b7d9cd4a018898d7714ce06f3faf2626c14582b + * src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly + used sum. + 2022-09-16 Werner Koch <w...@gnupg.org> Release 1.6.1. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.1/NEWS new/libksba-1.6.2/NEWS --- old/libksba-1.6.1/NEWS 2022-09-16 12:24:38.000000000 +0200 +++ new/libksba-1.6.2/NEWS 2022-10-07 10:06:25.000000000 +0200 @@ -1,3 +1,11 @@ +Noteworthy changes in version 1.6.2 (2022-10-07) [C22/A14/R2] +------------------------------------------------ + + * Fix integer overflow in the CRL parser. [rK4b7d9cd4a0] + + Release-info: https://dev.gnupg.org/T6230 + + Noteworthy changes in version 1.6.1 (2022-09-16) [C22/A14/R1] ------------------------------------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.1/configure new/libksba-1.6.2/configure --- old/libksba-1.6.1/configure 2022-09-16 12:27:42.000000000 +0200 +++ new/libksba-1.6.2/configure 2022-10-07 10:09:39.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libksba 1.6.1. +# Generated by GNU Autoconf 2.69 for libksba 1.6.2. # # Report bugs to <https://bugs.gnupg.org>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='libksba' PACKAGE_TARNAME='libksba' -PACKAGE_VERSION='1.6.1' -PACKAGE_STRING='libksba 1.6.1' +PACKAGE_VERSION='1.6.2' +PACKAGE_STRING='libksba 1.6.2' PACKAGE_BUGREPORT='https://bugs.gnupg.org' PACKAGE_URL='' 
@@ -1384,7 +1384,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libksba 1.6.1 to adapt to many kinds of systems. +\`configure' configures libksba 1.6.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1455,7 +1455,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libksba 1.6.1:";; + short | recursive ) echo "Configuration of libksba 1.6.2:";; esac cat <<\_ACEOF @@ -1584,7 +1584,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libksba configure 1.6.1 +libksba configure 1.6.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2190,7 +2190,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libksba $as_me 1.6.1, which was +It was created by libksba $as_me 1.6.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2546,7 +2546,7 @@ # Please remember to document interface changes in the NEWS file. LIBKSBA_LT_CURRENT=22 LIBKSBA_LT_AGE=14 -LIBKSBA_LT_REVISION=1 +LIBKSBA_LT_REVISION=2 #------------------- # If the API is changed in an incompatible way: increment the next counter. KSBA_CONFIG_API_VERSION=1 @@ -3066,7 +3066,7 @@ # Define the identity of the package. PACKAGE='libksba' - VERSION='1.6.1' + VERSION='1.6.2' cat >>confdefs.h <<_ACEOF @@ -12475,7 +12475,7 @@ -VERSION_NUMBER=0x010601 +VERSION_NUMBER=0x010602 
@@ -15257,11 +15257,11 @@ # Generate extended version information for W32. if test "$have_w32_system" = yes; then BUILD_FILEVERSION=`echo "$VERSION" | sed 's/\([0-9.]*\).*/\1./;s/\./,/g'` - BUILD_FILEVERSION="${BUILD_FILEVERSION}54209" + BUILD_FILEVERSION="${BUILD_FILEVERSION}10625" fi -BUILD_REVISION="d3c1e06" +BUILD_REVISION="2981495" cat >>confdefs.h <<_ACEOF @@ -15878,7 +15878,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libksba $as_me 1.6.1, which was +This file was extended by libksba $as_me 1.6.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -15944,7 +15944,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libksba config.status 1.6.1 +libksba config.status 1.6.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -17957,7 +17957,7 @@ echo " Libksba v${VERSION} has been configured as follows: - Revision: d3c1e06 (54209) + Revision: 2981495 (10625) Platform: $host " diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.1/configure.ac new/libksba-1.6.2/configure.ac --- old/libksba-1.6.1/configure.ac 2022-09-16 12:24:38.000000000 +0200 +++ new/libksba-1.6.2/configure.ac 2022-10-07 10:06:25.000000000 +0200 @@ -30,7 +30,7 @@ m4_define([mym4_package],[libksba]) m4_define([mym4_major], [1]) m4_define([mym4_minor], [6]) -m4_define([mym4_micro], [1]) +m4_define([mym4_micro], [2]) # Below is m4 magic to extract and compute the git revision number, # the decimalized short revision number, a beta version string and a 
@@ -52,7 +52,7 @@ # Please remember to document interface changes in the NEWS file. LIBKSBA_LT_CURRENT=22 LIBKSBA_LT_AGE=14 -LIBKSBA_LT_REVISION=1 +LIBKSBA_LT_REVISION=2 #------------------- # If the API is changed in an incompatible way: increment the next counter. KSBA_CONFIG_API_VERSION=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.1/doc/ksba.info new/libksba-1.6.2/doc/ksba.info --- old/libksba-1.6.1/doc/ksba.info 2022-09-16 12:27:53.000000000 +0200 +++ new/libksba-1.6.2/doc/ksba.info 2022-10-07 10:09:50.000000000 +0200 @@ -8,8 +8,8 @@ This file documents the KSBA library to access X.509 and CMS data structures. - This is edition 1.6.1, last updated 12 May 2020, of 'The KSBA -Reference Manual', for Version 1.6.1. + This is edition 1.6.2, last updated 12 May 2020, of 'The KSBA +Reference Manual', for Version 1.6.2. Copyright (C) 2002, 2003, 2004 g10 Code GmbH @@ -25,8 +25,8 @@ Main Menu ********* -This is edition 1.6.1, last updated 12 May 2020, of 'The KSBA Reference -Manual', for Version 1.6.1 of the KSBA library. +This is edition 1.6.2, last updated 12 May 2020, of 'The KSBA Reference +Manual', for Version 1.6.2 of the KSBA library. Copyright (C) 2002, 2003, 2004 g10 Code GmbH diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.1/doc/stamp-vti new/libksba-1.6.2/doc/stamp-vti --- old/libksba-1.6.1/doc/stamp-vti 2022-09-16 12:27:52.000000000 +0200 +++ new/libksba-1.6.2/doc/stamp-vti 2022-10-07 10:09:49.000000000 +0200 
@@ -1,4 +1,4 @@ @set UPDATED 12 May 2020 @set UPDATED-MONTH May 2020 -@set EDITION 1.6.1 -@set VERSION 1.6.1 +@set EDITION 1.6.2 +@set VERSION 1.6.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.1/doc/version.texi new/libksba-1.6.2/doc/version.texi --- old/libksba-1.6.1/doc/version.texi 2022-09-16 12:27:52.000000000 +0200 +++ new/libksba-1.6.2/doc/version.texi 2022-10-07 10:09:13.000000000 +0200 @@ -1,4 +1,4 @@ @set UPDATED 12 May 2020 @set UPDATED-MONTH May 2020 -@set EDITION 1.6.1 -@set VERSION 1.6.1 +@set EDITION 1.6.2 +@set VERSION 1.6.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.1/src/ber-help.c new/libksba-1.6.2/src/ber-help.c --- old/libksba-1.6.1/src/ber-help.c 2021-05-18 13:09:59.000000000 +0200 +++ new/libksba-1.6.2/src/ber-help.c 2022-10-05 14:09:37.000000000 +0200 @@ -182,6 +182,12 @@ ti->length = len; } + if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) + { + ti->err_string = "header+length would overflow"; + return gpg_error (GPG_ERR_EOVERFLOW); + } + /* Without this kludge some example certs can't be parsed */ if (ti->class == CLASS_UNIVERSAL && !ti->tag) ti->length = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.1/src/ksba.h new/libksba-1.6.2/src/ksba.h --- old/libksba-1.6.1/src/ksba.h 2022-09-16 12:27:50.000000000 +0200 +++ new/libksba-1.6.2/src/ksba.h 2022-10-07 10:09:47.000000000 +0200 @@ -46,11 +46,11 @@ /* The version of this header should match the one of the library. Do * not use this symbol in your application; use assuan_check_version * instead. */ -#define KSBA_VERSION "1.6.1" +#define KSBA_VERSION "1.6.2" /* The version number of this header. It may be used to handle minor * API incompatibilities. */ -#define KSBA_VERSION_NUMBER 0x010601 +#define KSBA_VERSION_NUMBER 0x010602
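Review bot: The new overflow check in ber-help.c carries no comment explaining why `nhdr + length` is validated here rather than at the call sites, and the leading `ti->length > ti->nhdr` conjunct looks redundant: assuming both fields are unsigned (as a length and a header-byte count normally are), a wrapped sum is always smaller than either addend, so `(ti->nhdr + ti->length) < ti->length` alone detects the wrap and the extra comparison reads as though ordering mattered. I would add above the `if`: `/* Callers routinely compute nhdr+length; reject a TLV whose sum would wrap (CVE-2022-3515). */` and either drop the first conjunct or state why it is kept. If `length` and `nhdr` have different widths (e.g. unsigned long vs size_t on LLP64 targets), the sum is evaluated in the wider type and this check would not catch a wrap that a caller adding them in the narrower type still suffers — worth confirming against the struct definition, which is not in the hunk. The enclosing function (`_ksba_ber_read_tl` per the ChangeLog) starts and ends outside the hunk.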