Hello community, here is the log from the commit of package libzrtpcpp.2097 for openSUSE:12.2:Update checked in at 2013-10-29 11:16:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/libzrtpcpp.2097 (Old) and /work/SRC/openSUSE:12.2:Update/.libzrtpcpp.2097.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libzrtpcpp.2097" Changes: -------- New Changes file: --- /dev/null 2013-10-11 12:16:15.204037506 +0200 +++ /work/SRC/openSUSE:12.2:Update/.libzrtpcpp.2097.new/libzrtpcpp.changes 2013-10-29 11:16:40.000000000 +0100 
@@ -0,0 +1,99 @@ +------------------------------------------------------------------- +Fri Oct 18 14:08:13 UTC 2013 - jeng...@inai.de + +- Add cve-fixes-bnc828028.diff: backport patch for fixing + CVE-2013-2221, CVE-2013-2222, CVE-2013-2223 (bnc#828028) + +------------------------------------------------------------------- +Thu Apr 5 13:28:26 UTC 2012 - dval...@suse.com + +- better libdir handling + +------------------------------------------------------------------- +Thu Apr 5 11:59:40 UTC 2012 - dval...@suse.com + +- fix libdir for ppc64 + +------------------------------------------------------------------- +Tue Sep 27 08:02:08 UTC 2011 - co...@suse.com + +- fix the shared library policy packaging + +------------------------------------------------------------------- +Sat Aug 20 07:17:04 UTC 2011 - werner.dittm...@t-online.de + +- Modify and rename spec file to adhere to naming policies + * remove rpmlintrc file - not longer used + +------------------------------------------------------------------- +Mon Aug 1 15:54:33 UTC 2011 - werner.dittm...@t-online.de + +- update to version 2.0 to be in sync with version number of GNU ccRTP + * Update configuration to use the new GNU uCommon library + +------------------------------------------------------------------- +Sat Jan 8 09:10:00 MEZ 2011 - werner.dittm...@t-online.de + +- Update to latest version of GNU ZRTP C++ + * Cumulative update that implements all fixes and + versions since 1.3.0 (see below) + * Protocol implementation compliant with latest ZRTP + specification. 
+ * lots of documentation added (doxygen ready) + * some code cleanup + +------------------------------------------------------------------- +Thu Dec 9 15:36:27 UTC 2010 - rguent...@novell.com + +- drop bogus libgcc BuildRequires + +------------------------------------------------------------------- +Tue Nov 3 19:09:29 UTC 2009 - co...@novell.com + +- updated patches to apply with fuzz=0 + +------------------------------------------------------------------- +Mon Sep 8 14:21:01 CEST 2008 - hvo...@suse.de + +- Update to 1.3.0 + * implements the latest changes define in the ZRTP draft + * The Method ''setSipsSecret(...)'' is no longer available. + * The method ''setOtherSecret(...)'' was renamed to + ''setPbxSecret(...)'' + * The methos ''setSrtpsSecret(...)'' is was renamed to + ''setAuxSecret(...)'' + +------------------------------------------------------------------- +Sun May 11 23:30:44 CEST 2008 - crrodrig...@suse.de + +- fix no-return-in-nonvoid-function errors +- fix both buildRequires and -devel package dependencies +- remove static libraries and "la" files + +------------------------------------------------------------------- +Wed Apr 2 15:49:00 CEST 2008 - hvo...@suse.de + +- update to version 1.0.1 + * various bugfixes +- add libzrtpcpp1 sub-package + +------------------------------------------------------------------- +Tue Mar 27 14:37:07 CEST 2007 - mski...@suse.de + +- fix compiler warnings +- fix changlog date problems + +------------------------------------------------------------------- +Fri Mar 2 11:44:38 CET 2007 - mski...@suse.de + +- libzrtpcpp-devel has a broken epoch and packaging bugs (#249532) + +------------------------------------------------------------------- +Thu Feb 15 09:51:45 CET 2007 - mski...@suse.de + +- change package for SuSE + +------------------------------------------------------------------- +Sun Oct 15 12:00:00 CET 2006 - c...@linux-administrator.com + +- initial package build for SuSE 10.1 New: ---- cve-fixes-bnc828028.diff 
libzrtpcpp-2.0.0.tar.bz2 libzrtpcpp-libdir.patch libzrtpcpp.changes libzrtpcpp.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libzrtpcpp.spec ++++++ # # spec file for package libzrtpcpp # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: libzrtpcpp %define lname libzrtpcpp2 Version: 2.0.0 Release: 0 Summary: A ccrtp extension for ZRTP support License: GPL-3.0+ Group: Development/Libraries/Other Url: http://www.gnu.org/software/commoncpp/commoncpp.html Source0: libzrtpcpp-%{version}.tar.bz2 Patch1: cve-fixes-bnc828028.diff BuildRequires: ccrtp-devel >= 2.0.0 BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: libopenssl-devel >= 0.9.8 BuildRequires: pkgconfig Patch0: libzrtpcpp-libdir.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This library is a GPL licensed extension to the GNU RTP Stack, ccrtp, that offers compatibility with Phil Zimmermann's zrtp/Zfone voice encryption, and which can be directly embedded into telephony applications. 
%package -n %lname Summary: A ccrtp extension for ZRTP support Group: Development/Libraries/Other %description -n %lname This library is a GPL licensed extension to the GNU RTP Stack, ccrtp, that offers compatibility with Phil Zimmermann's zrtp/Zfone voice encryption, and which can be directly embedded into telephony applications. %package devel Summary: Headers and link library for libzrtpcpp Group: Development/Libraries/Other Requires: %{lname} = %{version} Requires: ccrtp-devel >= 2.0.0 %description devel This package provides the header files, link libraries, and documentation for building applications that use libzrtpcpp. %prep %setup -q %patch0 -p1 %patch -P 1 -p1 %build mkdir build cd build cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} \ -DSYSCONFDIR=%{_sysconfdir} \ -DMANDIR=%{_mandir} \ -DCMAKE_VERBOSE_MAKEFILE=TRUE \ -DCMAKE_C_FLAGS_RELEASE:STRING="%{optflags}" \ -DCMAKE_CXX_FLAGS_RELEASE:STRING="%{optflags}" \ %ifarch x86_64 ppc64 s390x -DLIB_SUFFIX=64 \ %endif .. make %{?_smp_mflags} V=1 %install cd build rm -rf %{buildroot} %make_install %clean rm -rf %{buildroot} %files -n %lname %defattr(-,root,root,0755) %doc AUTHORS COPYING README %{_libdir}/*.so.* %files devel %defattr(-,root,root,0755) %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc %{_includedir}/libzrtpcpp/*.h %dir %{_includedir}/libzrtpcpp %post -p /sbin/ldconfig -n %lname %postun -p /sbin/ldconfig -n %lname %changelog ++++++ cve-fixes-bnc828028.diff ++++++ commit c8617100f359b217a974938c5539a1dd8a120b0e Author: Werner Dittmann <werner.dittm...@t-online.de> Date: Tue Jun 25 10:22:06 2013 +0200 Fix vulnerabilities found and reported by Mark Dowd - limit length of memcpy - limit number of offered algorithms in Hello packet - length check in PING packet - fix a small coding error [Backport to 2.0.0 attempted by Jan Engelhardt <jeng...@inai.de>] References: https://bugzilla.novell.com/show_bug.cgi?id=828028 References: CVE-2013-2221, CVE-2013-2222, CVE-2013-2223 --- src/ZRtp.cpp | 8 +++++--- 
src/ZrtpPacketHello.cpp | 5 +++++ src/ZrtpQueue.cpp | 4 ++++ src/ZrtpStateClass.cpp | 4 +++- 4 files changed, 17 insertions(+), 4 deletions(-) Index: libzrtpcpp-1.6.0/src/ZRtp.cpp =================================================================== --- libzrtpcpp-1.6.0.orig/src/ZRtp.cpp +++ libzrtpcpp-1.6.0/src/ZRtp.cpp @@ -1143,7 +1143,8 @@ ZrtpPacketError* ZRtp::prepareError(uint } ZrtpPacketPingAck* ZRtp::preparePingAck(ZrtpPacketPing* ppkt) { - + if (ppkt->getLength() != 6) // A PING packet must have a length of 6 words + return NULL; // Because we do not support ZRTP proxy mode use the truncated ZID. // If this code shall be used in ZRTP proxy implementation the computation // of the endpoint hash must be enhanced (see chaps 5.15ff and 5.16) @@ -1398,7 +1399,7 @@ AlgorithmEnum* ZRtp::findBestSASType(Zrt // Build list of offered known algos in Hello, append mandatory algos if necessary for (numAlgosOffered = 0, i = 0; i < num; i++) { - algosOffered[numAlgosOffered] = &zrtpSasTypes.getByName((const char*)hello->getSasType(i++)); + algosOffered[numAlgosOffered] = &zrtpSasTypes.getByName((const char*)hello->getSasType(i)); if(!algosOffered[numAlgosOffered]->isValid()) continue; if (*(int32_t*)(algosOffered[numAlgosOffered++]->getName()) == *(int32_t*)mandatorySasType) { @@ -2214,7 +2215,8 @@ void ZRtp::setClientId(std::string id) { } void ZRtp::storeMsgTemp(ZrtpPacketBase* pkt) { - int32_t length = pkt->getLength() * ZRTP_WORD_SIZE; + uint32_t length = pkt->getLength() * ZRTP_WORD_SIZE; + length = (length > sizeof(tempMsgBuffer)) ? sizeof(tempMsgBuffer) : length; memset(tempMsgBuffer, 0, sizeof(tempMsgBuffer)); memcpy(tempMsgBuffer, (uint8_t*)pkt->getHeaderBase(), length); lengthOfMsgData = length; Index: libzrtpcpp-1.6.0/src/ZrtpPacketHello.cpp =================================================================== --- libzrtpcpp-1.6.0.orig/src/ZrtpPacketHello.cpp +++ libzrtpcpp-1.6.0/src/ZrtpPacketHello.cpp 
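Review bot: The new guard `if (ppkt->getLength() != 6) return NULL;` changes preparePingAck's contract from "always returns a packet" to "may return NULL", and the only caller updated in this patch is the one in ZrtpStateClass::processEvent; any other call site would now dereference NULL, so the remaining callers (none are visible here) should be checked. The function itself should state the new contract so future callers see it, e.g. `// Returns NULL when the PING does not have the required length of 6 words; callers must check.` preparePingAck's body continues outside the hunk.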
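Review bot: With the double increment removed, `algosOffered[numAlgosOffered]` is now written for every i up to `num`, so the loop's memory safety rests entirely on `algosOffered` having at least `num` slots; the array's size and the origin of `num` are outside this hunk, and the dependency on the `&= 0x7` clamp added in ZrtpPacketHello.cpp should be stated in a comment, e.g. `// num comes from the Hello parser, which bounds it to 7; algosOffered must hold at least that many.` The sibling findBest* functions presumably use the same loop shape and are not touched by this patch; if any of them has the same `i++` slip it needs the same fix. findBestSASType continues outside the hunk.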
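Review bot: The clamp `length = (length > sizeof(tempMsgBuffer)) ? sizeof(tempMsgBuffer) : length;` stops the memcpy overrun but silently truncates the stored message, and `lengthOfMsgData` then records the truncated size; whatever later consumes tempMsgBuffer (presumably a hash or comparison over the saved message — not visible here) will work on an incomplete copy with no indication that truncation happened. Rejecting an oversized packet in the parser, or at least logging here when the clamp triggers, makes the condition visible instead of turning it into a later, harder-to-diagnose mismatch. The product `pkt->getLength() * ZRTP_WORD_SIZE` is now uint32_t; if getLength() returns a 16-bit word count as a ZRTP header length field would, it cannot overflow, and a comment saying so would close the question. storeMsgTemp's body continues outside the hunk.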
@@ -105,10 +105,15 @@ ZrtpPacketHello::ZrtpPacketHello(uint8_t uint32_t temp = ntohl(helloHeader->flagLength); nHash = (temp & (0xf << 16)) >> 16; + nHash &= 0x7; // restrict to max 7 algorithms nCipher = (temp & (0xf << 12)) >> 12; + nCipher &= 0x7; nAuth = (temp & (0xf << 8)) >> 8; + nAuth &= 0x7; nPubkey = (temp & (0xf << 4)) >> 4; + nPubkey &= 0x7; nSas = temp & 0xf; + nSas &= 0x7; oHash = sizeof(Hello_t); oCipher = oHash + (nHash * ZRTP_WORD_SIZE); Index: libzrtpcpp-1.6.0/src/ZrtpQueue.cpp =================================================================== --- libzrtpcpp-1.6.0.orig/src/ZrtpQueue.cpp +++ libzrtpcpp-1.6.0/src/ZrtpQueue.cpp @@ -158,6 +158,10 @@ ZrtpQueue::takeInDataPacket(void) // if ZRTP processing is enabled. Because valid RTP packets are // already handled we delete any packets here after processing. if (enableZrtp && zrtpEngine != NULL) { + // Fixed header length + smallest ZRTP packet (includes CRC) + if (rtn < (12 + sizeof(HelloAckPacket_t))) // data too small, dismiss + return 0; + // Get CRC value into crc (see above how to compute the offset) uint16_t temp = rtn - CRC_SIZE; uint32_t crc = *(uint32_t*)(buffer + temp); Index: libzrtpcpp-1.6.0/src/ZrtpStateClass.cpp =================================================================== --- libzrtpcpp-1.6.0.orig/src/ZrtpStateClass.cpp +++ libzrtpcpp-1.6.0/src/ZrtpStateClass.cpp 
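Review bot: Masking with `nHash &= 0x7;` (and likewise nCipher, nAuth, nPubkey, nSas) bounds the offset arithmetic below, but it does not reject a Hello whose 4-bit count field is 8..15: `8 & 0x7` is 0 and `9 & 0x7` is 1, so oCipher and the following offsets are laid out for fewer entries than the sender declared and the rest of the packet is misread. Saturating (`if (nHash > 7) nHash = 7;`) or, better, marking the packet invalid keeps the same bound while making the parse outcome predictable. The comment should also say why 7 is the limit, e.g. `// each count field is 4 bits, but at most 7 entries per list are allowed`. The constructor continues outside the hunk.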
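Review bot: The new check `if (rtn < (12 + sizeof(HelloAckPacket_t)))` compares rtn against a size_t; if rtn is a signed type (its later use in `uint16_t temp = rtn - CRC_SIZE;` does not settle this), a negative error return would convert to a large unsigned value and pass the check, so either the read path must already exclude negative values before this point or rtn should be range-checked explicitly. Whether `return 0` here bypasses the cleanup that the surrounding comment ("we delete any packets here after processing") relies on is not visible in the hunk and should be confirmed. The bare 12 would read better as a named constant for the fixed RTP header size placed next to CRC_SIZE. takeInDataPacket continues on both sides of the hunk.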
@@ -113,7 +113,9 @@ void ZrtpStateClass::processEvent(Event_ else if (first == 'p' && middle == ' ' && last == ' ') { ZrtpPacketPing ppkt(pkt); ZrtpPacketPingAck* ppktAck = parent->preparePingAck(&ppkt); - parent->sendPacketZRTP(static_cast<ZrtpPacketBase *>(ppktAck)); + if (ppktAck != NULL) { // ACK only to valid PING packet, otherwise ignore it + parent->sendPacketZRTP(static_cast<ZrtpPacketBase *>(ppktAck)); + } parent->synchLeave(); return; } ++++++ libzrtpcpp-libdir.patch ++++++ --- libzrtpcpp-2.0.0/CMakeLists.txt.orig 2012-04-05 15:26:17.231590000 +0200 +++ libzrtpcpp-2.0.0/CMakeLists.txt 2012-04-05 15:26:37.471769000 +0200 @@ -50,12 +50,7 @@ args_help() # this caused problems in debian where it has to always be lib.... -set(LIBDIRNAME "lib") -if (NOT EXISTS /etc/debian_version) - if ( "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64" ) - set(LIBDIRNAME "lib64") - endif() -endif() +set(LIBDIRNAME "lib${LIB_SUFFIX}") # setup the Thread include and lib find_package(Threads) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
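Review bot: The NULL branch silently discards a malformed PING; a malformed-packet counter or debug log at this point (the library's existing error/log path is not visible here) would let operators notice a peer sending undersized PINGs instead of hiding it. The comment `// ACK only to valid PING packet, otherwise ignore it` could name the criterion so the reader does not have to open ZRtp.cpp, e.g. `// preparePingAck() returns NULL for a PING of the wrong length; such a PING is not answered`. processEvent continues on both sides of the hunk.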