Hello community, here is the log from the commit of package Botan for openSUSE:Factory checked in at 2017-04-20 20:47:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/Botan (Old) and /work/SRC/openSUSE:Factory/.Botan.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "Botan" Thu Apr 20 20:47:59 2017 rev:42 rq:487837 version:1.10.16 Changes: -------- --- /work/SRC/openSUSE:Factory/Botan/Botan.changes 2017-01-15 11:09:50.528396097 +0100 +++ /work/SRC/openSUSE:Factory/.Botan.new/Botan.changes 2017-04-20 20:48:02.036703730 +0200 
@@ -1,0 +2,25 @@ +Wed Apr 12 14:52:45 UTC 2017 - [email protected] + +- Add patch to build SLES11 (allows for simplified backporting, e.g. bsc#968030) + * add no-cpuid-header.patch +- Clean up spec file + +------------------------------------------------------------------- +Tue Apr 11 11:57:53 UTC 2017 - [email protected] + +- Update to 1.10.16 (Fixes CVE-2017-2801, bsc#1033605) + * Fix a bug in X509 DN string comparisons that could result in out of bound + reads. This could result in information leakage, denial of service, or + potentially incorrect certificate validation results. (CVE-2017-2801) + * Avoid use of C++11 std::to_string in some code added in 1.10.14 (GH #747 #834) +- Changes from 1.10.15: + * Change an unintended behavior of 2.0.0, which named the include directory + botan-2.0. Since future release of Botan-2 should be compatible with code + written against old versions, there does not seem to be any reason to + * version the include directory with the minor number. (GH #830 #833) + * Fix a bug which caused an error when building on Cygwin or other platforms + where shared libraries are not supported. (GH #821) + * Enable use of readdir on Cygwin, which allows the tests to run (GH #824) + * Switch to readthedocs Sphinx theme by default (GH #822 #823) + +------------------------------------------------------------------- Old: ---- Botan-1.10.14.tgz Botan-1.10.14.tgz.asc New: ---- Botan-1.10.16.tgz Botan-1.10.16.tgz.asc no-cpuid-header.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ Botan.spec ++++++ --- /var/tmp/diff_new_pack.5yU05v/_old 2017-04-20 20:48:03.080556138 +0200 +++ /var/tmp/diff_new_pack.5yU05v/_new 2017-04-20 20:48:03.080556138 +0200 
@@ -1,7 +1,7 @@ # # spec file for package Botan # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define version_suffix 1_10-1 %define short_version 1.10 Name: Botan -Version: 1.10.14 +Version: 1.10.16 Release: 0 Summary: A C++ Crypto Library License: BSD-2-Clause @@ -37,9 +37,9 @@ Patch7: dont-set-mach-value.diff Patch8: aarch64-support.patch Patch9: ppc64le-support.patch +Patch10: no-cpuid-header.patch BuildRequires: bzip2 >= 1.0.2 BuildRequires: gcc-c++ -BuildRequires: gmp-devel BuildRequires: gmp-devel >= 4.1 BuildRequires: libbz2-devel BuildRequires: openssl-devel @@ -71,7 +71,7 @@ %define botan_docdir %{_docdir}/%{name}-%{version} Summary: Development files for Botan Group: Development/Libraries/C and C++ -Requires: gmp-devel +Requires: gmp-devel >= 4.1 Requires: libbotan-%{version_suffix} = %{version} Requires: libbz2-devel Provides: Botan-devel = %{version} @@ -91,6 +91,9 @@ %patch7 -p1 %patch8 %patch9 +%if 0%{?suse_version} == 1110 +%patch10 -p1 +%endif %build export RPM_OPT_FLAGS ++++++ Botan-1.10.14.tgz -> Botan-1.10.16.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-1.10.14/botan_version.py new/Botan-1.10.16/botan_version.py --- old/Botan-1.10.14/botan_version.py 2016-11-28 11:53:22.000000000 +0100 +++ new/Botan-1.10.16/botan_version.py 2017-04-05 03:07:02.000000000 +0200 
@@ -1,11 +1,11 @@ release_major = 1 release_minor = 10 -release_patch = 14 +release_patch = 16 release_so_abi_rev = 1 # These are set by the distribution script -release_vc_rev = 'git:c0d847b20cbc1b7d8b29705072e1f9c4715d48ae' -release_datestamp = 20161128 +release_vc_rev = 'git:3756c97d295d06ac19cec6736e05003afb10623e' +release_datestamp = 20170404 release_type = 'released' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-1.10.14/doc/log.txt new/Botan-1.10.16/doc/log.txt --- old/Botan-1.10.14/doc/log.txt 2016-11-28 11:52:20.000000000 +0100 +++ new/Botan-1.10.16/doc/log.txt 2017-04-05 03:06:45.000000000 +0200 @@ -7,6 +7,25 @@ Series 1.10 ---------------------------------------- +Version 1.10.16, 2017-04-04 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix a bug in X509 DN string comparisons that could result in out of bound + reads. This could result in information leakage, denial of service, or + potentially incorrect certificate validation results. (CVE-2017-2801) + +* Avoid throwing during a destructor since this is undefined in C++11 + and rarely a good idea. (GH #930) + +Version 1.10.15, 2017-01-12 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* Fix a bug causing modular exponentiations done modulo even numbers + to almost always be incorrect, unless the values were small. This + bug is not known to affect any cryptographic operation in Botan. (GH #754) + +* Avoid use of C++11 std::to_string in some code added in 1.10.14 (GH #747 #834) + Version 1.10.14, 2016-11-28 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-1.10.14/readme.txt new/Botan-1.10.16/readme.txt --- old/Botan-1.10.14/readme.txt 2016-11-28 11:52:20.000000000 +0100 +++ new/Botan-1.10.16/readme.txt 2017-04-05 03:06:45.000000000 +0200 
@@ -1,4 +1,8 @@ +This branch (1.10) of Botan is only supported for security fixes until +the end of 2017. Please upgrade to 2.0 API as soon as possible. + + Botan is a C++ library for performing a wide variety of cryptographic operations. It is released under the 2 clause BSD license; see doc/license.rst for the specifics. You can file bugs on GitHub diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-1.10.14/src/alloc/alloc_mmap/mmap_mem.cpp new/Botan-1.10.16/src/alloc/alloc_mmap/mmap_mem.cpp --- old/Botan-1.10.14/src/alloc/alloc_mmap/mmap_mem.cpp 2016-11-28 11:52:20.000000000 +0100 +++ new/Botan-1.10.16/src/alloc/alloc_mmap/mmap_mem.cpp 2017-04-05 03:06:45.000000000 +0200 @@ -73,8 +73,7 @@ * will continue to exist until the mmap is unmapped from * our address space upon deallocation (or process exit). */ - if(fd != -1 && ::close(fd) == -1) - throw MemoryMapping_Failed("Could not close file"); + fd != -1 && ::close(fd); } private: int fd; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-1.10.14/src/math/numbertheory/powm_fw.cpp new/Botan-1.10.16/src/math/numbertheory/powm_fw.cpp --- old/Botan-1.10.14/src/math/numbertheory/powm_fw.cpp 2016-11-28 11:52:20.000000000 +0100 +++ new/Botan-1.10.16/src/math/numbertheory/powm_fw.cpp 2017-04-05 03:06:45.000000000 +0200 @@ -31,7 +31,7 @@ g[1] = base; for(size_t i = 2; i != g.size(); ++i) - g[i] = reducer.multiply(g[i-1], g[0]); + g[i] = reducer.multiply(g[i-1], g[1]); } /* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-1.10.14/src/utils/parsing.cpp new/Botan-1.10.16/src/utils/parsing.cpp --- old/Botan-1.10.14/src/utils/parsing.cpp 2016-11-28 11:52:20.000000000 +0100 +++ new/Botan-1.10.16/src/utils/parsing.cpp 2017-04-05 03:06:45.000000000 +0200 
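Review bot: The replacement line `fd != -1 && ::close(fd);` in the mmap_mem.cpp destructor uses short-circuit `&&` as a statement, which reads like a typo and is likely to trip unused-value warnings; `if(fd != -1) ::close(fd);` expresses the same thing plainly. Ignoring a close() failure here is defensible, since the comment just above says the mapping outlives the descriptor and a throwing destructor is what the commit removes, but that intent is now invisible at the call site, so a one-liner such as `// close() errors are deliberately ignored: destructors must not throw (GH #930)` would stop the next reader from re-adding the throw. The destructor's opening line and the rest of its body are outside the hunk.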
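Review bot: The one-token fix from `g[0]` to `g[1]` in the powm_fw.cpp table loop comes with no regression test anywhere in this tarball diff, and nothing in the hunk itself would catch the same slip being reintroduced. A test that raises a base to an exponent long enough to use a multi-bit window, modulo an even modulus (the changelog says small values masked the bug and that only even moduli were affected), with the expected value computed by plain square-and-multiply, would pin the behaviour. The function that fills `g` starts before the hunk, so the initialisation of `g[0]` is not visible here; presumably it holds the identity, which would explain why every table entry collapsed to `base`, but that should be confirmed against the full file.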
@@ -230,6 +230,8 @@
 if(p1 == name1.end() && p2 == name2.end())
 return true;
+ if(p1 == name1.end() || p2 == name2.end())
+ return false;
 }
 if(!Charset::caseless_cmp(*p1, *p2))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-1.10.14/src/utils/safeint.h new/Botan-1.10.16/src/utils/safeint.h
--- old/Botan-1.10.14/src/utils/safeint.h 2016-11-28 11:52:20.000000000 +0100
+++ new/Botan-1.10.16/src/utils/safeint.h 2017-04-05 03:06:45.000000000 +0200
@@ -17,7 +17,7 @@
 {
 public:
 Integer_Overflow_Detected(const std::string& file, int line) :
- Exception("Integer overflow detected at " + file + ":" + std::to_string(line))
+ Exception("Integer overflow detected at " + file + ":" + to_string(line))
 {}
 };
++++++ no-cpuid-header.patch ++++++
diff --git a/src/utils/cpuid.cpp b/src/utils/cpuid.cpp
index f6581f09c..ae087fac3 100644
--- a/src/utils/cpuid.cpp
+++ b/src/utils/cpuid.cpp
@@ -36,7 +36,7 @@
 #include <ia32intrin.h>
 #define CALL_CPUID(type, out) do { __cpuid(out, type); } while(0)
-#elif defined(BOTAN_BUILD_COMPILER_IS_GCC) && (BOTAN_GCC_VERSION >= 430)
+#elif defined(BOTAN_BUILD_COMPILER_IS_GCC) && 0
 // Only available starting in GCC 4.3
 #include <cpuid.h>
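Review bot: The added guard `if(p1 == name1.end() || p2 == name2.end()) return false;` closes the out-of-bounds read behind CVE-2017-2801 for the whitespace-skipping branch, but no regression test accompanies it in this diff, and the dereference it protects (`*p1, *p2` on the next context line) is the only thing standing between a crafted DN and a read past the string. A test comparing two names such as `"A B"` and `"A "`, where after the run of spaces is skipped one iterator has reached its end and the other has not, would exercise exactly this path and should ship with the fix. The enclosing comparison function, including the loop whose condition admits this state, starts and ends outside the hunk, so whether any other branch can reach a dereference with one iterator at end cannot be judged from here and is worth a second look.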
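Review bot: The replacement condition `#elif defined(BOTAN_BUILD_COMPILER_IS_GCC) && 0` in no-cpuid-header.patch switches the `<cpuid.h>` path off for every GCC version rather than for the toolchain that lacks the header, and leaves the now-misleading `// Only available starting in GCC 4.3` comment with no note of why. A narrower, self-describing form would be `#elif defined(BOTAN_BUILD_COMPILER_IS_GCC) && (BOTAN_GCC_VERSION >= 430) && !defined(BOTAN_NO_CPUID_HEADER)`, with the SLES11 build defining that macro, so the workaround is visible at the point of use and falls away once the header is present. The spec applies this patch only when `suse_version == 1110`, so other targets are unaffected, but what the `#else` arm of this preprocessor chain does when no CPUID method is available is outside the hunk; if feature detection then reports nothing, hardware-backed paths such as AES-NI would presumably never be selected on that platform and the library would run its software implementations, which is worth confirming before accepting the trade-off.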
