Hello community, here is the log from the commit of package perl-Convert-ASN1 for openSUSE:Factory checked in at 2020-11-06 23:42:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-Convert-ASN1 (Old) and /work/SRC/openSUSE:Factory/.perl-Convert-ASN1.new.11331 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-Convert-ASN1" Fri Nov 6 23:42:43 2020 rev:27 rq:845836 version:0.27 Changes: --------
--- /work/SRC/openSUSE:Factory/perl-Convert-ASN1/perl-Convert-ASN1.changes 2020-01-12 23:18:50.530693149 +0100
+++ /work/SRC/openSUSE:Factory/.perl-Convert-ASN1.new.11331/perl-Convert-ASN1.changes 2020-11-06 23:42:44.263535959 +0100
@@ -1,0 +2,7 @@
+Tue Nov 3 10:12:38 UTC 2020 - Pedro Monreal <pmonr...@suse.com>
+
+- Security fix: [bsc#1168934, CVE-2013-7488]
+ * Fix infinite loop via unexpected input
+- Add perl-Convert-ASN1-CVE-2013-7488.patch
+
+-------------------------------------------------------------------
New: ---- perl-Convert-ASN1-CVE-2013-7488.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-Convert-ASN1.spec ++++++
--- /var/tmp/diff_new_pack.1Ey6Qm/_old 2020-11-06 23:42:44.959534622 +0100
+++ /var/tmp/diff_new_pack.1Ey6Qm/_new 2020-11-06 23:42:44.959534622 +0100
@@ -24,9 +24,13 @@
 License: Artistic-1.0 OR GPL-1.0-or-later
 Group: Development/Libraries/Perl
 URL: https://metacpan.org/release/%{cpan_name}
-Source0: http://www.cpan.org/authors/id/G/GB/GBARR/%{cpan_name}-%{version}.tar.gz
+Source0: https://cpan.metacpan.org/authors/id/G/GB/GBARR/%{cpan_name}-%{version}.tar.gz
 Source1: cpanspec.yml
+# MANUAL BEGIN
 Patch0: Convert-ASN1-0.22-test.diff
+# PATCH-FIX-UPSTREAM bsc#1168934 CVE-2013-7488 Infinite loop via unexpected input
+Patch1: perl-Convert-ASN1-CVE-2013-7488.patch
+# MANUAL END
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: perl
@@ -42,6 +46,7 @@ %prep %setup -q -n %{cpan_name}-%{version} %patch0 +%patch1 %build perl Makefile.PL INSTALLDIRS=vendor
++++++ cpanspec.yml ++++++
--- /var/tmp/diff_new_pack.1Ey6Qm/_old 2020-11-06 23:42:44.995534553 +0100
+++ /var/tmp/diff_new_pack.1Ey6Qm/_new 2020-11-06 23:42:44.995534553 +0100
@@ -1,3 +1,4 @@
 ---
 patches:
 Convert-ASN1-0.22-test.diff:
+ perl-Convert-ASN1-CVE-2013-7488.patch:
++++++ perl-Convert-ASN1-CVE-2013-7488.patch ++++++
>From ce148a2e0872b708450005cf0b3a944014aae990 Mon Sep 17 00:00:00 2001
From: Dana Jacobsen <d...@acm.org>
Date: Tue, 29 Oct 2013 08:37:48 -0700
Subject: [PATCH 1/2] Fix unsafe decoding in indef case
---
 lib/Convert/ASN1/_decode.pm | 1 +
 1 file changed, 1 insertion(+)
Index: lib/Convert/ASN1/_decode.pm
===================================================================
--- lib/Convert/ASN1/_decode.pm.orig
+++ lib/Convert/ASN1/_decode.pm
@@ -683,14 +683,16 @@ sub _scan_indef { $pos += 2; next; } + return if $pos >= $end; my $tag = substr($_[0], $pos++, 1); if((unpack("C",$tag) & 0x1f) == 0x1f) { my $b; do { - $tag .= substr($_[0],$pos++,1); - $b = ord substr($tag,-1); + return if $pos >= $end; + $tag .= substr($_[0],$pos++,1); + $b = ord substr($tag,-1); } while($b & 0x80); } return if $pos >= $end;
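Review bot: The two added `return if $pos >= $end;` guards in `_scan_indef` have no comment, and the patch adds no regression test, so nothing records why they exist or shows that the hang stays fixed. I would put `# truncated input: stop rather than read past $end (CVE-2013-7488)` above the guard inside the `do { ... } while($b & 0x80)` loop. I would also extend the module's test suite with a case that decodes a truncated indefinite-length buffer under a timeout and expects an undefined result. The patch header cites only `[PATCH 1/2]` with a diffstat of one insertion, while the hunk adds four lines, so the header should name every upstream commit folded into this file. The `$tag .=` and `$b = ord` lines are removed and re-added with the same text, which looks like a whitespace-only change that is better kept out of a security patch; the body of `_scan_indef` begins and continues outside this hunk.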