Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rnp for openSUSE:Factory checked in at 2023-06-13 16:09:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rnp (Old) and /work/SRC/openSUSE:Factory/.rnp.new.15902 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rnp" Tue Jun 13 16:09:26 2023 rev:8 rq:1092656 version:0.16.3 Changes: -------- --- /work/SRC/openSUSE:Factory/rnp/rnp.changes 2022-09-26 18:47:59.392030003 +0200 +++ /work/SRC/openSUSE:Factory/.rnp.new.15902/rnp.changes 2023-06-13 16:09:31.538890938 +0200 @@ -1,0 +2,9 @@ +Mon Jun 12 17:16:52 UTC 2023 - Andreas Stieger <andreas.stie...@gmx.de> + +- rnp 0.16.3: + * CVE-2023-29479: Fix issue with possible hang on malformed + inputs (boo#1212253) + * CVE-2023-29480: Fix issue where in some cases, secret keys + remain unlocked after use (boo#1212254) + +------------------------------------------------------------------- Old: ---- rnp-0.16.2.tar.gz rnp-0.16.2.tar.gz.asc New: ---- rnp-0.16.3.tar.gz rnp-0.16.3.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rnp.spec ++++++ --- /var/tmp/diff_new_pack.9AIy20/_old 2023-06-13 16:09:32.338895658 +0200 +++ /var/tmp/diff_new_pack.9AIy20/_new 2023-06-13 16:09:32.342895681 +0200 @@ -1,8 +1,8 @@ # # spec file for package rnp # -# Copyright (c) 2022 SUSE LLC -# Copyright (c) 2022 Andreas Stieger <andreas.stie...@gmx.de> +# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2023 Andreas Stieger <andreas.stie...@gmx.de> # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -19,7 +19,7 @@ %define soname 0 Name: rnp -Version: 0.16.2 +Version: 0.16.3 Release: 0 Summary: OpenPGP implementation fully compliant with RFC 4880 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause ++++++ rnp-0.16.2.tar.gz -> rnp-0.16.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rnp-0.16.2/.github/workflows/macos.yml new/rnp-0.16.3/.github/workflows/macos.yml --- old/rnp-0.16.2/.github/workflows/macos.yml 2022-09-22 11:27:54.000000000 +0200 +++ new/rnp-0.16.3/.github/workflows/macos.yml 2023-04-13 02:27:38.000000000 +0200 @@ -42,7 +42,7 @@ strategy: fail-fast: false matrix: - os: [macos-10.15, macos-11.0] + os: [macos-11, macos-12] env: - CC: gcc CXX: g++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rnp-0.16.2/CHANGELOG.md new/rnp-0.16.3/CHANGELOG.md --- old/rnp-0.16.2/CHANGELOG.md 2022-09-22 11:27:54.000000000 +0200 +++ new/rnp-0.16.3/CHANGELOG.md 2023-04-13 02:27:38.000000000 +0200 @@ -1,5 +1,12 @@ ## Changelog +### 0.16.3 [2023-04-11] + +#### Security + +* Fixed issue with possible hang on malformed inputs (CVE-2023-29479). +* Fixed issue where in some cases, secret keys remain unlocked after use (CVE-2023-29480). + ### 0.16.2 [2022-09-20] #### General diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rnp-0.16.2/ci/lib/install_functions.inc.sh new/rnp-0.16.3/ci/lib/install_functions.inc.sh --- old/rnp-0.16.2/ci/lib/install_functions.inc.sh 2022-09-22 11:27:54.000000000 +0200 +++ new/rnp-0.16.3/ci/lib/install_functions.inc.sh 2023-04-13 02:27:38.000000000 +0200 
@@ -19,6 +19,11 @@
 : "${RECOMMENDED_CMAKE_VERSION:=3.20.5}"
 : "${RECOMMENDED_PYTHON_VERSION:=3.9.2}"
 : "${RECOMMENDED_RUBY_VERSION:=2.5.8}"
+# Bundler version to use if Ruby version is less then
+# FALLBACK_BUNDLER_RUBY_VERSION
+: "${FALLBACK_BUNDLER_VERSION:=2.3.26}"
+: "${FALLBACK_BUNDLER_RUBY_VERSION:=2.6.0}"
+
 : "${RECOMMENDED_BOTAN_VERSION_MSYS:=${RECOMMENDED_BOTAN_VERSION}-1}"
 : "${CMAKE_VERSION:=${RECOMMENDED_CMAKE_VERSION}}"
@@ -69,6 +74,17 @@
 rm /usr/local/Cellar/openssl || true
 # homebrew fails to update python 3.9.1 to 3.9.1.1 due to unlinking failure
 rm /usr/local/bin/2to3 || true
+ # homebrew fails to update python from 3.9 to 3.10 due to another unlinking failure
+ rm /usr/local/bin/idle3 || true
+ rm /usr/local/bin/pydoc3 || true
+ rm /usr/local/bin/python3 || true
+ rm /usr/local/bin/python3-config || true
+ # homebrew fails to update python from 3.11.0 to 3.11.1
+ rm /usr/local/bin/2to3-3.11 || true
+ rm /usr/local/bin/idle3.11 || true
+ rm /usr/local/bin/pydoc3.11 || true
+ rm /usr/local/bin/python3.11 || true
+ rm /usr/local/bin/python3.11-config || true
 # homebrew fails to update openssl@1.1 1.1.1l to 1.1.1l_1 due to linking failure of nghttp2.h
 brew unlink nghttp2 || true
 brew update
@@ -252,6 +268,7 @@
 }
 linux_install_centos8() {
+ "${SUDO}" "${YUM}" -y -q install 'dnf-command(config-manager)'
 "${SUDO}" "${YUM}" config-manager --set-enabled powertools
 yum_prepare_repos epel-release
 yum_install_build_dependencies \
@@ -492,7 +509,7 @@
 automake_build=${LOCAL_BUILDS}/automake
 mkdir -p "${automake_build}"
 pushd "${automake_build}"
- curl -L -o automake.tar.xz https://ftp.gnu.org/gnu/automake/automake-${AUTOMAKE_VERSION}.tar.xz
+ curl -L -o automake.tar.xz "https://ftp.gnu.org/gnu/automake/automake-${AUTOMAKE_VERSION}.tar.xz"
 tar -xf automake.tar.xz --strip 1
 ./configure --enable-optimizations --prefix=/usr && ${MAKE} -j"${MAKE_PARALLEL}" && ${SUDO} make install
 popd
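Review bot: The comment added at the top of the @@ -19 hunk reads `less then`, which should be `less than`; since the two comment lines form one sentence, `# Bundler version to use if the Ruby version is less than FALLBACK_BUNDLER_RUBY_VERSION` on a single line reads better. The new fallback pair is otherwise consistent with the `RECOMMENDED_*` defaults above it.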
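Review bot: The quoted `curl` line in the @@ -492 hunk still feeds an unverified download straight into `tar -xf` and `make install`, so the quoting fix leaves the integrity gap untouched: `AUTOMAKE_VERSION` pins which tarball is requested, but nothing checks what was actually received. Verifying before extraction, e.g. `echo "<pinned-sha256-placeholder>  automake.tar.xz" | sha256sum -c -` (or checking the `.sig` GNU publishes alongside the tarball), turns a tampered mirror or a substituted download into a build failure instead of an installed toolchain. `curl -fL` would additionally stop an HTTP error page from being saved as the archive. The enclosing function starts before and ends after the hunk.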
@@ -687,7 +704,11 @@
 # ruby-rnp
 install_bundler() {
- gem_install bundler bundle
+ if is_version_at_least ruby "${FALLBACK_BUNDLER_RUBY_VERSION}" command ruby -e 'puts RUBY_VERSION'; then
+ gem_install bundler bundle
+ else
+ gem_install "bundler:${FALLBACK_BUNDLER_VERSION}" bundle
+ fi
 }
 install_asciidoctor() {
@@ -747,7 +768,7 @@
 ;;
 *)
 # TODO: handle ubuntu?
- >&2 echo Error: Need to install ruby ${MINIMUM_RUBY_VERSION}+
+ >&2 echo "Error: Need to install ruby ${MINIMUM_RUBY_VERSION}+"
 exit 1
 esac
 }
@@ -931,7 +952,7 @@
 local rnpsrc="$PWD"
 pushd "$(mktemp -d)" || return 1
- # shellcheck disable=SC2046
+ # shellcheck disable=SC2046,SC2086
 gcc "${rnpsrc}/src/examples/generate.c" -ogenerate $(pkg-config --cflags --libs $pkgflags librnp) $gccflags
 ./generate
 readelf -d generate
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rnp-0.16.2/docs/installation.adoc new/rnp-0.16.3/docs/installation.adoc
--- old/rnp-0.16.2/docs/installation.adoc 2022-09-22 11:27:54.000000000 +0200
+++ new/rnp-0.16.3/docs/installation.adoc 2023-04-13 02:27:38.000000000 +0200
@@ -55,7 +55,7 @@
 [source,console]
 ----
 # Clone the repository by version tag (or omit it to get the latest sources)
-git clone https://github.com/rnpgp/rnp.git -b v0.16.2
+git clone https://github.com/rnpgp/rnp.git -b v0.16.3
 # Install required packages
 sudo apt install g++-8 cmake libbz2-dev zlib1g-dev libjson-c-dev \
@@ -91,7 +91,7 @@
 [source,console]
 ----
 # Clone the repository by version tag (or omit it to get the latest sources)
-git clone https://github.com/rnpgp/rnp.git -b v0.16.2
+git clone https://github.com/rnpgp/rnp.git -b v0.16.3
 # Enable access to `testing` packages by editing /etc/apt/sources.list
 # deb http://deb.debian.org/debian testing main
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rnp-0.16.2/src/librepgp/stream-parse.cpp new/rnp-0.16.3/src/librepgp/stream-parse.cpp
--- old/rnp-0.16.2/src/librepgp/stream-parse.cpp 2022-09-22 11:27:54.000000000 +0200
+++ new/rnp-0.16.3/src/librepgp/stream-parse.cpp 2023-04-13 02:27:38.000000000 +0200
@@ -1919,9 +1919,10 @@
 int ptype;
 /* Reading pk/sk encrypted session key(s) */
 try {
- bool stop = false;
+ size_t errors = 0;
+ bool stop = false;
 while (!stop) {
- if (param->pubencs.size() + param->symencs.size() > MAX_RECIPIENTS) {
+ if (param->pubencs.size() + param->symencs.size() + errors > MAX_RECIPIENTS) {
 RNP_LOG("Too many recipients of the encrypted message. Aborting.");
 return RNP_ERROR_BAD_STATE;
 }
@@ -1935,8 +1936,13 @@
 case PGP_PKT_SK_SESSION_KEY: {
 pgp_sk_sesskey_t skey;
 rnp_result_t ret = skey.parse(*param->pkt.readsrc);
+ if (ret == RNP_ERROR_READ) {
+ RNP_LOG("SKESK: Premature end of data.");
+ return ret;
+ }
 if (ret) {
 RNP_LOG("Failed to parse SKESK, skipping.");
+ errors++;
 continue;
 }
 param->symencs.push_back(skey);
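Review bot: `size_t errors = 0;` in the @@ -1919 hunk is the heart of the fix, yet nothing in the code says why packets that fail to parse are charged against MAX_RECIPIENTS; a comment at the declaration, `/* unparseable SKESK/PKESK packets count toward MAX_RECIPIENTS so malformed input cannot keep this loop going (CVE-2023-29479) */`, keeps a later reader from "simplifying" the condition back to the two sizes. Whether a non-READ parse failure that consumed no input previously spun forever cannot be confirmed from the hunk alone; the changelog's "possible hang" is the only hint, so the comment should stay at that level. The `RNP_ERROR_READ` early return plus `errors++` is then repeated for SKESK here (@@ -1935) and for PKESK in the following hunk (@@ -1945); the branches differ only in packet type and log text, so the post-parse handling could be one small shared helper, though that is a style choice. The enclosing function starts before the first hunk and ends after the last.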
@@ -1945,8 +1951,13 @@
 case PGP_PKT_PK_SESSION_KEY: {
 pgp_pk_sesskey_t pkey;
 rnp_result_t ret = pkey.parse(*param->pkt.readsrc);
+ if (ret == RNP_ERROR_READ) {
+ RNP_LOG("PKESK: Premature end of data.");
+ return ret;
+ }
 if (ret) {
 RNP_LOG("Failed to parse PKESK, skipping.");
+ errors++;
 continue;
 }
 param->pubencs.push_back(pkey);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rnp-0.16.2/src/librepgp/stream-write.cpp new/rnp-0.16.3/src/librepgp/stream-write.cpp
--- old/rnp-0.16.2/src/librepgp/stream-write.cpp 2022-09-22 11:27:54.000000000 +0200
+++ new/rnp-0.16.3/src/librepgp/stream-write.cpp 2023-04-13 02:27:38.000000000 +0200
@@ -1126,7 +1126,7 @@
 }
 /* decrypt the secret key if needed */
- rnp::KeyLocker(*signer.key);
+ rnp::KeyLocker keylock(*signer.key);
 if (signer.key->encrypted() && !signer.key->unlock(*param.password_provider, PGP_OP_SIGN)) {
 RNP_LOG("wrong secret key password");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rnp-0.16.2/src/tests/CMakeLists.txt new/rnp-0.16.3/src/tests/CMakeLists.txt
--- old/rnp-0.16.2/src/tests/CMakeLists.txt 2022-09-22 11:27:54.000000000 +0200
+++ new/rnp-0.16.3/src/tests/CMakeLists.txt 2023-04-13 02:27:38.000000000 +0200
@@ -222,11 +222,11 @@
 GIT_SHALLOW yes
 SOURCE_DIR "${_sourcedir}"
 BUILD_IN_SOURCE yes
- CONFIGURE_COMMAND ""
+ CONFIGURE_COMMAND bundle config set --local path '.'
 BUILD_COMMAND
 COMMAND bundle add ffi --version 1.15.5
 COMMAND bundle show parallel_tests || bundle add parallel_tests
- COMMAND bundle install --path .
+ COMMAND bundle install
 INSTALL_COMMAND ""
 TEST_COMMAND ""
 )
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rnp-0.16.2/src/tests/ffi-enc.cpp new/rnp-0.16.3/src/tests/ffi-enc.cpp
--- old/rnp-0.16.2/src/tests/ffi-enc.cpp 2022-09-22 11:27:54.000000000 +0200
+++ new/rnp-0.16.3/src/tests/ffi-enc.cpp 2023-04-13 02:27:38.000000000 +0200
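Review bot: The stream-write.cpp fix works only because `keylock` is a named object whose lifetime reaches the end of the scope, and nothing on the line says so; a later cleanup could read it as an unused variable and reintroduce the temporary the hunk removes. A comment such as `/* named on purpose: a temporary KeyLocker is destroyed right here, before the key is used, which is how the key stayed unlocked (CVE-2023-29480) */` records the intent; the exact wording about what the destructor does should be checked against the KeyLocker definition, which is outside this hunk. Marking the `rnp::KeyLocker` class `[[nodiscard]]` (also outside the hunk) would, on current GCC and Clang, turn the discarded-temporary form into a compiler warning and stop the pattern from coming back silently. The enclosing function starts and ends outside the hunk.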
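Review bot: `CONFIGURE_COMMAND bundle config set --local path '.'` in the CMakeLists.txt hunk carries shell-style quotes that CMake itself does not interpret; ExternalProject steps are, as far as I recall, emitted as VERBATIM custom commands, in which case bundler receives the three-character argument `'.'` and records a path of that literal name rather than the current directory. `CONFIGURE_COMMAND bundle config set --local path .` needs no quoting and is unambiguous under either argument-passing model. This is worth confirming by inspecting the generated `.bundle/config` after a build.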
@@ -670,6 +670,28 @@
 // make sure the output file was created
 assert_true(rnp_file_exists("encrypted"));
+ // check whether keys are locked
+ rnp_identifier_iterator_t it = NULL;
+ assert_rnp_success(rnp_identifier_iterator_create(ffi, &it, "fingerprint"));
+ const char *fprint = NULL;
+ while (!rnp_identifier_iterator_next(it, &fprint)) {
+ if (!fprint) {
+ break;
+ }
+ SCOPED_TRACE(fprint);
+ rnp_key_handle_t skey = NULL;
+ assert_rnp_success(rnp_locate_key(ffi, "fingerprint", fprint, &skey));
+ bool secret = true;
+ assert_rnp_success(rnp_key_have_secret(skey, &secret));
+ if (secret) {
+ bool locked = false;
+ assert_rnp_success(rnp_key_is_locked(skey, &locked));
+ assert_true(locked);
+ }
+ rnp_key_handle_destroy(skey);
+ }
+ rnp_identifier_iterator_destroy(it);
+
 // cleanup
 assert_rnp_success(rnp_input_destroy(input));
 input = NULL;
@@ -762,6 +784,25 @@
 assert_string_equal(hname, "SHA512");
 rnp_buffer_destroy(hname);
 hname = NULL;
+ // make sure keys are locked
+ assert_rnp_success(rnp_identifier_iterator_create(ffi, &it, "fingerprint"));
+ while (!rnp_identifier_iterator_next(it, &fprint)) {
+ if (!fprint) {
+ break;
+ }
+ SCOPED_TRACE(fprint);
+ rnp_key_handle_t skey = NULL;
+ assert_rnp_success(rnp_locate_key(ffi, "fingerprint", fprint, &skey));
+ bool secret = true;
+ assert_rnp_success(rnp_key_have_secret(skey, &secret));
+ if (secret) {
+ bool locked = false;
+ assert_rnp_success(rnp_key_is_locked(skey, &locked));
+ assert_true(locked);
+ }
+ rnp_key_handle_destroy(skey);
+ }
+ rnp_identifier_iterator_destroy(it);
 // cleanup
 rnp_op_verify_destroy(verify);
 rnp_input_destroy(input);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rnp-0.16.2/version.txt new/rnp-0.16.3/version.txt
--- old/rnp-0.16.2/version.txt 2022-09-22 11:27:54.000000000 +0200
+++ new/rnp-0.16.3/version.txt 2023-04-13 02:27:38.000000000 +0200
@@ -1 +1 @@
-0.16.2
+0.16.3
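Review bot: Both added loops (@@ -670 and @@ -784) pass vacuously when something goes wrong: a non-zero return from `rnp_identifier_iterator_next` ends the `while` without any assertion, and a keyring with no secret key runs the loop without ever reaching `assert_true(locked)`, so a regression of the lock-after-use fix would not necessarily be caught. The twenty-line loop is also duplicated verbatim between the two hunks. A helper that asserts every iterator call succeeds and reports how many secret keys it examined lets each site become `size_t checked = 0; assert_secret_keys_locked(ffi, checked); assert_true(checked > 0);` — the last assertion assumes the keyring loaded for these tests holds at least one secret key, which the purpose of the check suggests but the hunks do not show, and the loop shape assumes the iterator signals exhaustion with a NULL identifier and a success return, as the existing `if (!fprint)` check implies. The helper is void-returning because `assert_rnp_success`/`assert_true` look like gtest ASSERT_* wrappers (SCOPED_TRACE is a gtest macro), which only compile in functions returning void; both enclosing test functions start and end outside the hunks.
```cpp
// Asserts that every secret key in `ffi` is locked and reports in `checked` how many
// secret keys were examined, so callers can reject the vacuous zero-keys case.
static void
assert_secret_keys_locked(rnp_ffi_t ffi, size_t &checked)
{
    checked = 0;
    rnp_identifier_iterator_t it = NULL;
    assert_rnp_success(rnp_identifier_iterator_create(ffi, &it, "fingerprint"));
    const char *fprint = NULL;
    for (;;) {
        // a failing iterator call is a test failure, not the end of the key set
        assert_rnp_success(rnp_identifier_iterator_next(it, &fprint));
        if (!fprint) {
            break;
        }
        SCOPED_TRACE(fprint);
        rnp_key_handle_t skey = NULL;
        assert_rnp_success(rnp_locate_key(ffi, "fingerprint", fprint, &skey));
        bool secret = true;
        assert_rnp_success(rnp_key_have_secret(skey, &secret));
        if (secret) {
            bool locked = false;
            assert_rnp_success(rnp_key_is_locked(skey, &locked));
            assert_true(locked);
            checked++;
        }
        rnp_key_handle_destroy(skey);
    }
    rnp_identifier_iterator_destroy(it);
}

// call site replacing the loop in the @@ -670 hunk (the @@ -784 hunk gets the same three lines)
    assert_true(rnp_file_exists("encrypted"));
    size_t checked = 0;
    assert_secret_keys_locked(ffi, checked);
    assert_true(checked > 0);
    // … unchanged: cleanup …
```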