Hello community,

here is the log from the commit of package mcrypt.1052 for openSUSE:11.4:Update 
checked in at 2012-11-05 09:25:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:11.4:Update/mcrypt.1052 (Old)
 and      /work/SRC/openSUSE:11.4:Update/.mcrypt.1052.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mcrypt.1052", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null   2012-10-22 00:44:18.403455820 +0200
+++ /work/SRC/openSUSE:11.4:Update/.mcrypt.1052.new/mcrypt.changes      
2012-11-05 09:25:18.000000000 +0100
@@ -0,0 +1,181 @@
+-------------------------------------------------------------------
+Mon Oct 29 12:19:55 UTC 2012 - vdziewie...@suse.com
+
+-Fix bnc#786100 VUL-1: CVE-2012-4527: mcrypt: stack-based buffer
+overflow via overly long file name - mcrypt-2.6.8-snprintf.patch
+
+-------------------------------------------------------------------
+Wed Oct 10 14:08:58 UTC 2012 - vdziewie...@suse.com
+
+-Removed gaa build dependency to fix build failure. (bnc#779213) 
+-------------------------------------------------------------------
+Mon Sep 10 14:04:10 UTC 2012 - vdziewie...@suse.com
+
+-Fix bnc#779213 - VUL-0: CVE-2012-4409: mcrypt: buffer overflow flaw 
+
+-------------------------------------------------------------------
+Mon Jan  3 20:42:51 UTC 2011 - a...@suse.de
+
+- Remove mcrypt-2.6.8-gettext.patch, it's not needed. Do not call
+  autoreconf, it just breaks the build.
+
+-------------------------------------------------------------------
+Sun Oct 31 12:37:02 UTC 2010 - jeng...@medozas.de
+
+- Use %_smp_mflags
+
+-------------------------------------------------------------------
+Thu Aug  6 16:37:25 UTC 2009 - pu...@novell.com
+
+- mcrypt-2.6.8-missing-fclose.patch (bnc#527721) 
+
+-------------------------------------------------------------------
+Fri Apr 24 16:15:49 CEST 2009 - pu...@suse.cz
+
+- added mcrypt-native-by-default.patch (partially resolve bnc#385951)
+  - openpgp format handling is seriously broken, so make native format default
+    like in Fedora and Debian
+- added mcrypt-manpage-fix.patch
+  - fix typos in manpage
+
+-------------------------------------------------------------------
+Mon Jan 19 13:58:16 CET 2009 - prus...@suse.cz
+
+- updated to 2.6.8
+  * Updated non valid C code to comply with standard ANSI C
+    Affects openpgp code
+- removed obsoleted overflow.patch
+
+-------------------------------------------------------------------
+Wed Jan 16 14:07:53 CET 2008 - prus...@suse.cz
+
+- updated to 2.6.7
+  * corrected bugs related to freeing mhash (const) data
+  * corrected bugs in the win32 random gatherer
+  * THE CODE IS NOW UNDER GPLv3!
+
+-------------------------------------------------------------------
+Wed Jul 18 16:25:13 CEST 2007 - prus...@suse.cz
+
+- updated to 2.6.6
+  * corrections in getpass()
+  * updates in OpenPGP code
+  * made the OpenPGP file format the default
+- fixed uninitialized variable in rfc2440.c (uninitialized.patch)
+
+-------------------------------------------------------------------
+Fri May  4 14:56:31 CEST 2007 - prus...@suse.cz
+
+- updated to 2.6.5 (maintenance update)
+- cleaned spec file
+
+-------------------------------------------------------------------
+Mon Apr  2 14:45:56 CEST 2007 - rguent...@suse.de
+
+- add zlib-devel BuildRequires
+
+-------------------------------------------------------------------
+Wed Jan 24 17:46:25 CET 2007 - prus...@suse.cz
+
+- corrected fix for buffer overflow (overflow.patch) [#238192]
+
+-------------------------------------------------------------------
+Tue May  9 15:25:31 CEST 2006 - ani...@suse.cz
+
+- fixed format string bug [#173839] 
+
+-------------------------------------------------------------------
+Wed Jan 25 21:38:13 CET 2006 - m...@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Wed Apr 27 16:01:53 CEST 2005 - meiss...@suse.de
+
+- fixed buffer overflow.
+
+-------------------------------------------------------------------
+Thu Jan 22 18:36:45 CET 2004 - r...@suse.de
+
+- remove old aclocal.m4 and acinclude.m4 
+
+-------------------------------------------------------------------
+Sat Jan 10 17:00:17 CET 2004 - adr...@suse.de
+
+- add %defattr
+
+-------------------------------------------------------------------
+Thu Jul 24 13:55:09 CEST 2003 - tcr...@suse.cz
+
+- update to version 2.6.4
+
+-------------------------------------------------------------------
+Thu Jun 19 21:22:15 CEST 2003 - r...@suse.de
+
+- build with current gettext 
+
+-------------------------------------------------------------------
+Thu Dec 19 15:38:00 CET 2002 - tcr...@suse.cz
+
+- update to version 2.6.3
+
+-------------------------------------------------------------------
+Fri Aug 16 14:28:07 CEST 2002 - pre...@suse.cz
+
+- mhash is no more built under mcrypt, it is a separate package now
+- fixed %files section
+
+-------------------------------------------------------------------
+Mon Aug  5 16:39:40 CEST 2002 - pre...@suse.cz
+
+- update to version 2.6.2
+- mhash updated to version 0.8.16
+- set path to includes before running of configure
+
+-------------------------------------------------------------------
+Tue Apr  2 18:15:56 CEST 2002 - tcr...@suse.cz
+
+- build with new automake/autoconf
+
+-------------------------------------------------------------------
+Wed Jan 30 10:42:01 CET 2002 - cih...@suse.cz
+
+- update mcrypt to 2.5.11
+- update mhash to 0.8.13
+- fixed %files
+
+-------------------------------------------------------------------
+Mon Aug  6 14:23:10 CEST 2001 - cih...@suse.cz
+
+- fixed calls of autoconf, aclocal and automake
+
+-------------------------------------------------------------------
+Tue Jun 26 13:37:57 CEST 2001 - pbl...@suse.cz
+
+- update on 2.5.7 and mhash on 0.8.9 
+
+-------------------------------------------------------------------
+Mon May 28 17:23:14 CEST 2001 - pbl...@suse.cz
+
+- fix include on ia64 
+
+-------------------------------------------------------------------
+Fri Apr 27 11:08:07 CEST 2001 - pbl...@suse.cz
+
+- fixed .po files for correct locale 
+
+-------------------------------------------------------------------
+Mon Oct 16 10:22:08 CEST 2000 - pbl...@suse.cz
+
+- update to 2.5.5 and repair czech locales 
+
+-------------------------------------------------------------------
+Mon May 29 14:09:00 CEST 2000 - bubn...@suse.cz
+
+- sorted
+
+-------------------------------------------------------------------
+Mon Apr 17 11:10:29 CEST 2000 - bubn...@suse.cz
+
+- new package (2.5.3)
+

New:
----
  mcrypt-2.6.8-format_strings.patch
  mcrypt-2.6.8-missing-fclose.patch
  mcrypt-2.6.8-snprintf.patch
  mcrypt-2.6.8-uninitialized.patch
  mcrypt-2.6.8.tar.bz2
  mcrypt-CVE-2012-4409.patch
  mcrypt-manpage-fix.patch
  mcrypt-native-by-default.patch
  mcrypt.changes
  mcrypt.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mcrypt.spec ++++++
#
# spec file for package mcrypt
#
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           mcrypt
BuildRequires:  libmcrypt-devel
BuildRequires:  mhash-devel
BuildRequires:  zlib-devel
Version:        2.6.8
Release:        0
Summary:        Replacement for the crypt Command
License:        GPL-3.0+
Group:          Productivity/Security
Source:         %{name}-%{version}.tar.bz2
# mcrypt-2.6.8-format_strings.patch [#173839] -- src/errors.c: pass errmsg to
# fprintf as an argument instead of using it as the format string
Patch1:         %{name}-%{version}-format_strings.patch
# mcrypt-2.6.8-uninitialized.patch -- src/rfc2440.c: assign rather than
# accumulate into len in the 5-octet length branch (len was read before set)
Patch2:         %{name}-%{version}-uninitialized.patch
# PATCH-FEATURE-OPENSUSE mcrypt-native-by-default.patch bnc385951 petr.u...@suse.cz -- make native encryption format default (patch from Fedora)
# NOTE(review): this patch edits src/gaaout.c and src/mcrypt.gaa together; gaaout.c
# is apparently generated from mcrypt.gaa, but gaa is no longer a build
# dependency, so both files are patched by hand and must be kept in step
Patch3:         mcrypt-native-by-default.patch
# PATCH-FIX-OPENSUSE mcrypt-manpage-fix.patch petr.u...@suse.cz -- fix manpage typos (patch from Debian)
Patch4:         mcrypt-manpage-fix.patch
# mcrypt-2.6.8-missing-fclose.patch bnc#527721 -- src/extra.c: close the key
# file handle before read_key_file returns
Patch5:         mcrypt-2.6.8-missing-fclose.patch
# mcrypt-CVE-2012-4409.patch bnc#779213 -- src/extra.c: reject a header salt
# longer than tmp_buf in check_file_head instead of reading past it
Patch6:         mcrypt-CVE-2012-4409.patch
# PATCH-FIX-UPSTREAM mcrypt-2.6.8-snprintf.patch bnc#786100 CVE-2012-4527 --
# src/mcrypt.c: bound every write into tmperr with snprintf (buffer overflow
# via an overly long file name)
Patch7:         mcrypt-2.6.8-snprintf.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Url:            http://mcrypt.sourceforge.net/

%description
A replacement for the old unix crypt(1) command. Mcrypt uses the
following encryption (block) algorithms: BLOWFISH, DES, TripleDES,
3-WAY, SAFER-SK64, SAFER-SK128, CAST-128, RC2 TEA (extended), TWOFISH,
RC6, IDEA, and GOST. The Unix crypt algorithm is also included to allow
compatibility with the crypt(1) command. CBC, ECB, OFB, and CFB modes
of encryption are supported.



Authors:
--------
    Nikos Mavroyanopoulos <n...@hellug.gr>

%prep
%setup -q
# Patch1 and Patch2 use bare src/ paths and apply at the default strip level;
# the remaining patches are rooted at mcrypt-2.6.8/ and need -p1
%patch1
%patch2
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1

%build
# gettext's po/ build expects Makevars; the tarball apparently ships only the
# template, so provide it when missing
test -f po/Makevars || mv po/Makevars.template po/Makevars
%configure
make %{?_smp_mflags}

%install
make install DESTDIR=$RPM_BUILD_ROOT
# collect the installed message catalogs into the .lang file list used below
%find_lang %{name}

%clean
rm -rf $RPM_BUILD_ROOT

%files -f %{name}.lang
%defattr(-,root,root)
%doc AUTHORS ChangeLog NEWS README THANKS TODO
%doc doc/FORMAT doc/magic doc/sample.mcryptrc
%{_bindir}/*
%doc %{_mandir}/man1/*

%changelog
++++++ mcrypt-2.6.8-format_strings.patch ++++++
--- src/errors.c
+++ src/errors.c
@@ -25,24 +25,24 @@
 
 void err_quit(char *errmsg)
 {
-       fprintf(stderr, errmsg);
+       fprintf(stderr, "%s", errmsg);
        exit(-1);
 }
 
 void err_warn(char *errmsg)
 {
        if (quiet <= 1)
-               fprintf(stderr, errmsg);
+               fprintf(stderr, "%s", errmsg);
 }
 
 void err_info(char *errmsg)
 {
        if (quiet == 0)
-               fprintf(stderr, errmsg);
+               fprintf(stderr, "%s", errmsg);
 }
 
 void err_crit(char *errmsg)
 {
        if (quiet <= 2)
-               fprintf(stderr, errmsg);
+               fprintf(stderr, "%s", errmsg);
 }
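Review bot: err_quit, err_warn, err_info and err_crit still declare `char *errmsg` although the message is now only passed as the `"%s"` argument; `const char *errmsg` would let callers pass literals and translated strings without a cast and makes explicit that the text is printed, never interpreted. `exit(-1)` in err_quit reaches the shell as status 255; `exit(EXIT_FAILURE)` says what is meant. None of the four functions documents its threshold — a comment per function such as `/* printed unless quiet > 1 */` on err_warn, `/* printed only when quiet == 0 */` on err_info and `/* printed unless quiet > 2 */` on err_crit would spare readers the lookup. `quiet` is defined outside the hunk.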
++++++ mcrypt-2.6.8-missing-fclose.patch ++++++
Index: mcrypt-2.6.8/src/extra.c
===================================================================
--- mcrypt-2.6.8.orig/src/extra.c       2007-11-07 18:10:20.000000000 +0100
+++ mcrypt-2.6.8/src/extra.c    2009-08-06 18:23:52.000000000 +0200
@@ -503,6 +503,7 @@ char **read_key_file(char *file, int *nu
        }
 
        *num = x;
+       fclose(FROMF);
 
        return keys;
 
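Review bot: The new `fclose(FROMF);` sits only on the normal return, and read_key_file starts outside the hunk, so any earlier `return` in the function's error paths would still leak the stream; those should be checked, and a single cleanup exit (goto out) would guarantee the close on every path. For a stream that is only read from, ignoring fclose's return value is acceptable. A one-line comment, `/* close the key file; the keys array is handed back to the caller */`, would record the ownership at this point.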
++++++ mcrypt-2.6.8-snprintf.patch ++++++
Index: mcrypt-2.6.8/src/mcrypt.c
===================================================================
--- mcrypt-2.6.8.orig/src/mcrypt.c
+++ mcrypt-2.6.8/src/mcrypt.c
@@ -41,10 +41,12 @@
 # include <time.h>
 #endif
 
+#define WIDTH 132
+
 static char rcsid[] =
     "$Id: mcrypt.c,v 1.2 2007/11/07 17:10:21 nmav Exp $";
 
-char tmperr[128];
+char tmperr[WIDTH];
 unsigned int stream_flag = FALSE;
 char *keymode = NULL;
 char *mode = NULL;
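Review bot: `tmperr` is declared with `WIDTH`, yet every snprintf in the remaining eight hunks of this patch repeats the literal `WIDTH` as the size instead of `sizeof tmperr`; `sizeof tmperr` keeps the bound tied to the array if the declaration is ever changed without the calls. Growing the buffer from 128 to 132 is cosmetic — the bound is the fix, and a truncated message (the tail of a long file name is silently dropped) is acceptable because the text is only reported through err_warn. A comment on the define would help: `/* size of tmperr; every snprintf into it is bounded by this */`. `WIDTH` is also a very generic name for a file-scope macro; `TMPERR_SIZE` would say what it is.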
@@ -482,7 +484,7 @@ int main(int argc, char **argv)
 #ifdef HAVE_STAT
       if (stream_flag == FALSE) {
         if (is_normal_file(file[i]) == FALSE) {
-           sprintf(tmperr,
+           snprintf(tmperr, WIDTH,
                    _
                    ("%s: %s is not a regular file. Skipping...\n"),
                    program_name, file[i]);
@@ -501,7 +503,7 @@ int main(int argc, char **argv)
            dinfile = file[i];
         if ((isatty(fileno((FILE *) (stdin))) == 1)
             && (stream_flag == TRUE) && (force == 0)) {        /* not a tty */
-           sprintf(tmperr,
+           snprintf(tmperr, WIDTH,
                    _
                    ("%s: Encrypted data will not be read from a terminal.\n"),
                    program_name);
@@ -520,7 +522,7 @@ int main(int argc, char **argv)
            einfile = file[i];
         if ((isatty(fileno((FILE *) (stdout))) == 1)
             && (stream_flag == TRUE) && (force == 0)) {        /* not a tty */
-           sprintf(tmperr,
+           snprintf(tmperr, WIDTH,
                    _
                    ("%s: Encrypted data will not be written to a terminal.\n"),
                    program_name);
@@ -544,7 +546,7 @@ int main(int argc, char **argv)
            strcpy(outfile, einfile);
            /* if file has already the .nc ignore it */
            if (strstr(outfile, ".nc") != NULL) {
-              sprintf(tmperr,
+              snprintf(tmperr, WIDTH,
                       _
                       ("%s: file %s has the .nc suffix... skipping...\n"),
                       program_name, outfile);
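Review bot: The unbounded `strcpy(outfile, einfile);` on the first context line is left as it was while the snprintf below it is bounded; outfile's allocation is outside the hunk, so if it is a fixed-size buffer rather than one sized from strlen(einfile), an overly long file name still overruns it — worth confirming before treating the bug as fully addressed. Separately, `strstr(outfile, ".nc")` fires on ".nc" anywhere in the name although the message speaks of a suffix; a suffix test would be `size_t l = strlen(outfile); if (l >= 3 && strcmp(outfile + l - 3, ".nc") == 0)`. main starts and ends outside the hunk.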
@@ -590,10 +592,10 @@ int main(int argc, char **argv)
 
         if (x == 0) {
            if (stream_flag == FALSE) {
-              sprintf(tmperr, _("File %s was decrypted.\n"), dinfile);
+              snprintf(tmperr, WIDTH, _("File %s was decrypted.\n"), dinfile);
               err_warn(tmperr);
            } else {
-              sprintf(tmperr, _("Stdin was decrypted.\n"));
+              snprintf(tmperr, WIDTH, _("Stdin was decrypted.\n"));
               err_warn(tmperr);
            }
 #ifdef HAVE_STAT
@@ -610,7 +612,7 @@ int main(int argc, char **argv)
 
         } else {
            if (stream_flag == FALSE) {
-              sprintf(tmperr,
+              snprintf(tmperr, WIDTH,
                       _
                       ("File %s was NOT decrypted successfully.\n"),
                       dinfile);
@@ -636,10 +638,10 @@ int main(int argc, char **argv)
 
         if (x == 0) {
            if (stream_flag == FALSE) {
-              sprintf(tmperr, _("File %s was encrypted.\n"), einfile);
+              snprintf(tmperr, WIDTH, _("File %s was encrypted.\n"), einfile);
               err_warn(tmperr);
            } else {
-              sprintf(tmperr, _("Stdin was encrypted.\n"));
+              snprintf(tmperr, WIDTH, _("Stdin was encrypted.\n"));
               err_warn(tmperr);
            }
 #ifdef HAVE_STAT
@@ -655,7 +657,7 @@ int main(int argc, char **argv)
 
         } else {
            if (stream_flag == FALSE) {
-              sprintf(tmperr,
+              snprintf(tmperr, WIDTH,
                       _
                       ("File %s was NOT encrypted successfully.\n"),
                       einfile);
++++++ mcrypt-2.6.8-uninitialized.patch ++++++
--- src/rfc2440.c
+++ src/rfc2440.c
@@ -406,7 +406,7 @@
         len += (buf[pos+1] + 192);
     }
     else if (buf[pos] == 255) {
-        len += (buf[pos+1] << 24);
+        len = (buf[pos+1] << 24);
         len += (buf[pos+2] << 16);
         len += (buf[pos+3] << 8);
         len += buf[pos+4];
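Review bot: `len = (buf[pos+1] << 24);` now assigns instead of accumulating, but the shift is still done on a promoted int: if buf holds byte values, any first length octet of 0x80 or above shifts a 1 into the sign bit, which is undefined behaviour for signed int and, with a signed len, reads back as a negative length. Widening before shifting, `len = ((unsigned long)buf[pos+1] << 24);` (or whichever unsigned type len actually has), avoids that; buf and len are declared outside the hunk, so confirm their types. The decoded length comes from the input file, so whoever consumes it should compare it against the bytes remaining in buf before using it — that check is not visible here.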
++++++ mcrypt-CVE-2012-4409.patch ++++++
Index: mcrypt-2.6.8/src/extra.c
===================================================================
--- mcrypt-2.6.8.orig/src/extra.c
+++ mcrypt-2.6.8/src/extra.c
@@ -242,6 +242,8 @@ int check_file_head(FILE * fstream, char
                        if (m_getbit(0, sflag) != 0) { /* if the first bit is 
set */
                                *salt_size = m_setbit(0, sflag, 0);
                                if (*salt_size > 0) {
+                                       if (*salt_size > sizeof(tmp_buf))
+                                           err_quit(_("Salt is too long\n"));
                                        fread(tmp_buf, 1, *salt_size,
                                              fstream);
                                        memmove(salt, tmp_buf, *salt_size);
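Review bot: The added check bounds *salt_size against tmp_buf, but the `fread(tmp_buf, 1, *salt_size, fstream)` right after it still discards its return value, so a header that ends inside the salt leaves the unread tail of tmp_buf with stale contents, which memmove then copies into salt as though it had been read; `if (fread(tmp_buf, 1, *salt_size, fstream) != (size_t)*salt_size) err_quit(...)` with a short message would make a truncated header a hard error like the oversized one. The memmove destination salt is declared outside the hunk; the new check only guarantees the copy fits tmp_buf, so confirm salt is at least that large. If *salt_size is a signed int, the comparison with sizeof promotes it to unsigned, which is harmless only while m_setbit on a single flag byte cannot yield a negative value — a one-line comment on the check could record that assumption.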
++++++ mcrypt-manpage-fix.patch ++++++
Index: mcrypt-2.6.8/doc/mcrypt.1
===================================================================
--- mcrypt-2.6.8.orig/doc/mcrypt.1      2003-09-08 19:25:41.000000000 +0200
+++ mcrypt-2.6.8/doc/mcrypt.1   2009-04-24 15:13:27.000000000 +0200
@@ -217,13 +217,13 @@ succeeds. This is not the default in ord
 to remove sensitive data.
 .TP
 .B \ --list
-Lists all the algorithms current supported.
+Lists all the algorithms currently supported.
 .TP
 .B \ --list-keymodes
-Lists all the key modes current supported.
+Lists all the key modes currently supported.
 .TP
 .B \ --list-hash
-Lists all the hash algorithms current supported.
+Lists all the hash algorithms currently supported.
 .TP
 .B \-r --random
 Use /dev/(s)random instead of /dev/urandom. This may need some key input
++++++ mcrypt-native-by-default.patch ++++++
Index: mcrypt-2.6.8/src/gaaout.c
===================================================================
--- mcrypt-2.6.8.orig/src/gaaout.c      2007-06-09 10:39:14.000000000 +0200
+++ mcrypt-2.6.8/src/gaaout.c   2009-04-24 14:47:12.000000000 +0200
@@ -123,7 +123,7 @@ void gaa_help(void)
 {
        printf(_("Mcrypt encrypts and decrypts files with symmetric encryption 
algorithms.\nUsage: mcrypt [-dFusgbhLvrzp] [-f keyfile] [-k key1 key2 ...] [-m 
mode] [-o keymode] [-s keysize] [-a algorithm] [-c config_file] [file 
...]\n\n"));
        __gaa_helpsingle('g', "openpgp", "", _("Use the OpenPGP (RFC2440) file 
format."));
-       __gaa_helpsingle(0, "no-openpgp", "", _("Use the native (mcrypt) file 
format."));
+       __gaa_helpsingle(0, "no-openpgp", "", _("Use the native (mcrypt) file 
format. (DEFAULT)"));
        __gaa_helpsingle(0, "openpgp-z", _("INTEGER "), _("Sets the compression 
level for openpgp packets (0 disables)."));
        __gaa_helpsingle('d', "decrypt", "", _("decrypts."));
        __gaa_helpsingle('s', "keysize", _("INTEGER "), _("Set the algorithm's 
key size (in bytes)."));
@@ -1036,7 +1036,7 @@ int gaa(int argc, char **argv, gaainfo *
        gaaval->config_file=NULL; gaaval->mode=NULL; gaaval->input=NULL; 
gaaval->ed_specified=0;
        gaaval->double_check=0; gaaval->noecho=1; gaaval->flush=0; 
gaaval->keysize=0;
        gaaval->algorithms_directory=NULL; gaaval->modes_directory=NULL; 
gaaval->nodelete=0;
-       gaaval->hash=NULL; gaaval->timer=0; gaaval->openpgp=1; 
gaaval->openpgp_z = 0; ;};
+       gaaval->hash=NULL; gaaval->timer=0; gaaval->openpgp=0; 
gaaval->openpgp_z = 0; ;};
 
     }
     inited = 1;
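Review bot: The default is flipped here in gaaout.c and again in the mcrypt.gaa hunks that follow, but nothing in this patch set touches the man page, which according to the 2.6.6 changelog entry dates from when OpenPGP became the default; the --openpgp/--no-openpgp entries in doc/mcrypt.1 presumably still describe OpenPGP as the default and should be updated alongside — I cannot see the man page text here, so confirm. gaaout.c appears to be generated from mcrypt.gaa, and since the gaa build dependency was dropped the two must now be patched in step by hand; a comment on Patch3 in the spec saying so would save the next maintainer from regenerating the file and losing this change.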
Index: mcrypt-2.6.8/src/mcrypt.gaa
===================================================================
--- mcrypt-2.6.8.orig/src/mcrypt.gaa    2007-06-09 10:38:38.000000000 +0200
+++ mcrypt-2.6.8/src/mcrypt.gaa 2009-04-24 14:47:12.000000000 +0200
@@ -12,7 +12,7 @@ helpnode "Mcrypt encrypts and decrypts f
 
 #int openpgp;
 option (g, openpgp) { $openpgp = 1 } "Use the OpenPGP (RFC2440) file format."
-option (no-openpgp) { $openpgp = 0 } "Use the native (mcrypt) file format."
+option (no-openpgp) { $openpgp = 0 } "Use the native (mcrypt) file format. 
(DEFAULT)"
 
 #int openpgp_z;
 option (openpgp-z) INT "INTEGER" { $openpgp_z = $1 } "Sets the compression 
level for openpgp packets (0 disables)."
@@ -119,7 +119,7 @@ init { $force=0; $quiet=1; $real_random_
        $config_file=NULL; $mode=NULL; $input=NULL; $ed_specified=0;
        $double_check=0; $noecho=1; $flush=0; $keysize=0;
        $algorithms_directory=NULL; $modes_directory=NULL; $nodelete=0;
-       $hash=NULL; $timer=0; $openpgp=1; $openpgp_z = 0; }
+       $hash=NULL; $timer=0; $openpgp=0; $openpgp_z = 0; }
 
 INCOMP kf
 INCOMP Vq