Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package libksba 1.3.2-1 which fixes CVE-2014-9087, a buffer overflow. <http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000359.html> Upstream has specifically released 1.3.2 to fix this single bug. unblock libksba/1.3.2-1 Find attached the filtered debdiff[1] thanks, cu Andreas [1] filterdiff -x '*/aclocal.m4' -x '*/config.guess' -x '*/config.sub' \ -x '*/configure' -x '*/Makefile.in' -x '*/stamp-vti' \ -x '*/version.texi' -x '*/install-sh' -x '*/ltmain.sh' -x '*/missing' \ -x '*/depcomp' -x '*/mdate-sh' -x '*/INSTALL' -x '*/config.rpath' \ -x '*/ABOUT-NLS' -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure'
diff -Nru libksba-1.3.1/autogen.sh libksba-1.3.2/autogen.sh
--- libksba-1.3.1/autogen.sh 2014-01-10 13:31:26.000000000 +0100
+++ libksba-1.3.2/autogen.sh 2014-11-25 12:18:29.000000000 +0100
@@ -15,7 +15,7 @@
# configure it for the respective package. It is maintained as part of
# GnuPG and source copied by other packages.
#
-# Version: 2014-01-10
+# Version: 2014-06-06
configure_ac="configure.ac"
@@ -41,7 +41,7 @@
info () {
if [ -z "${SILENT}" ]; then
- echo "autogen.sh:" "$*"
+ echo "autogen.sh:" "$*" >&2
fi
}
@@ -70,8 +70,11 @@
DIE=no
FORCE=
SILENT=
+PRINT_HOST=no
+PRINT_BUILD=no
tmp=$(dirname "$0")
tsdir=$(cd "${tmp}"; pwd)
+version_parts=3
if [ -n "${AUTOGEN_SH_SILENT}" ]; then
SILENT=" --silent"
@@ -88,6 +91,14 @@
FORCE=" --force"
shift
fi
+if test x"$1" = x"--print-host"; then
+ PRINT_HOST=yes
+ shift
+fi
+if test x"$1" = x"--print-build"; then
+ PRINT_BUILD=yes
+ shift
+fi
# Reject unsafe characters in $HOME, $tsdir and cwd. We consider spaces
@@ -133,6 +144,11 @@
myhost=""
myhostsub=""
case "$1" in
+ --find-version)
+ myhost="find-version"
+ SILENT=" --silent"
+ shift
+ ;;
--build-w32)
myhost="w32"
shift
@@ -172,16 +188,74 @@
. "$HOME/.gnupg-autogen.rc"
fi
+
+# **** FIND VERSION ****
+# This is a helper for the configure.ac M4 magic
+# Called
+# ./autogen.sh --find-version PACKAGE MAJOR MINOR [MICRO]
+# returns a complete version string with automatic beta numbering.
+if [ "$myhost" = "find-version" ]; then
+ package="$1"
+ major="$2"
+ minor="$3"
+ micro="$4"
+
+ case "$version_parts" in
+ 2)
+ matchstr1="$package-$major.[0-9]*"
+ matchstr2="$package-$major-base"
+ vers="$major.$minor"
+ ;;
+ *)
+ matchstr1="$package-$major.$minor.[0-9]*"
+ matchstr2="$package-$major.$minor-base"
+ vers="$major.$minor.$micro"
+ ;;
+ esac
+
+ beta=no
+ if [ -d .git ]; then
+ ingit=yes
+ tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
+ if [ -n "$tmp" ]; then
+ tmp=$(echo "$tmp"|awk -F- '$3!=0 && $3 !~ /^beta/ {print"-beta"$3}')
+ else
+ tmp=$(git describe --match "${matchstr2}" --long 2>/dev/null \
+ | awk -F- '$4!=0{print"-beta"$4}')
+ fi
+ [ -n "$tmp" ] && beta=yes
+ rev=$(git rev-parse --short HEAD | tr -d '\n\r')
+ rvd=$((0x$(echo ${rev} | head -c 4)))
+ else
+ ingit=no
+ beta=yes
+ tmp="-unknown"
+ rev="0000000"
+ rvd="0"
+ fi
+
+ echo "$package-$vers$tmp:$beta:$ingit:$vers$tmp:$vers:$tmp:$rev:$rvd:"
+ exit 0
+fi
+# **** end FIND VERSION ****
+
+
+if [ ! -f "$tsdir/build-aux/config.guess" ]; then
+ fatal "$tsdir/build-aux/config.guess not found"
+ exit 1
+fi
+build=`$tsdir/build-aux/config.guess`
+if [ $PRINT_BUILD = yes ]; then
+ echo "$build"
+ exit 0
+fi
+
+
+
# ******************
# W32 build script
# ******************
if [ "$myhost" = "w32" ]; then
- if [ ! -f "$tsdir/build-aux/config.guess" ]; then
- fatal "$tsdir/build-aux/config.guess not found"
- exit 1
- fi
- build=`$tsdir/build-aux/config.guess`
-
case $myhostsub in
ce)
w32root="$w32ce_root"
@@ -189,6 +263,12 @@
toolprefixes="$w32ce_toolprefixes arm-mingw32ce"
extraoptions="$extraoptions $w32ce_extraoptions"
;;
+ 64)
+ w32root="$w64root"
+ [ -z "$w32root" ] && w32root="$HOME/w64root"
+ toolprefixes="$w64_toolprefixes x86_64-w64-mingw32"
+ extraoptions="$extraoptions $w64_extraoptions"
+ ;;
*)
[ -z "$w32root" ] && w32root="$HOME/w32root"
toolprefixes="$w32_toolprefixes i686-w64-mingw32 i586-mingw32msvc"
@@ -216,6 +296,10 @@
fi
die_p
fi
+ if [ $PRINT_HOST = yes ]; then
+ echo "$host"
+ exit 0
+ fi
if [ -f "$tsdir/config.log" ]; then
if ! head $tsdir/config.log | grep "$host" >/dev/null; then
@@ -226,7 +310,7 @@
$tsdir/configure --enable-maintainer-mode ${SILENT} \
--prefix=${w32root} \
- --host=${host} --build=${build} \
+ --host=${host} --build=${build} SYSROOT=${w32root} \
${configure_opts} ${extraoptions} "$@"
rc=$?
exit $rc
@@ -236,13 +320,6 @@
# ***** AMD64 cross build script *******
# Used to cross-compile for AMD64 (for testing)
if [ "$myhost" = "amd64" ]; then
- shift
- if [ ! -f $tsdir/build-aux/config.guess ]; then
- echo "$tsdir/build-aux/config.guess not found" >&2
- exit 1
- fi
- build=`$tsdir/build-aux/config.guess`
-
[ -z "$amd64root" ] && amd64root="$HOME/amd64root"
info "Using $amd64root as standard install directory"
replace_sysroot
@@ -263,6 +340,10 @@
echo "Stop." >&2
exit 1
fi
+ if [ $PRINT_HOST = yes ]; then
+ echo "$host"
+ exit 0
+ fi
if [ -f "$tsdir/config.log" ]; then
if ! head $tsdir/config.log | grep "$host" >/dev/null; then
diff -Nru libksba-1.3.1/ChangeLog libksba-1.3.2/ChangeLog
--- libksba-1.3.1/ChangeLog 2014-09-18 09:35:35.000000000 +0200
+++ libksba-1.3.2/ChangeLog 2014-11-25 12:38:13.000000000 +0100
@@ -1,3 +1,27 @@
+2014-11-25 Werner Koch <wk@gnupg.org>
+
+ Release 1.3.2.
+ * configure.ac: Set LT version to C19/A11/R3.
+
+ build: Update version number magic.
+ * autogen.sh: Update from gnupg master.
+ * configure.ac: Change for new init style. Create VERSION.
+ * Makefile.am (dist-hook): Do no create VERSION
+
+ Fix buffer overflow in ksba_oid_to_str.
+ * src/oid.c (ksba_oid_to_str): Fix unsigned underflow.
+
+ * tests/Makefile.am (noinst_PROGRAMS): Move t-oid to ..
+ (TESTS): here.
+ * tests/t-oid.c (test_oid_to_str): New.
+ (main): Run the new tests by default. The former functionality
+ requires the use of one of the new options.
+
+2014-09-25 Werner Koch <wk@gnupg.org>
+
+ Strip CRs while building the oid translation table.
+ * tests/Makefile.am (oidtranstbl.h): Strip CRs
+
2014-09-18 Werner Koch <wk@gnupg.org>
Release 1.3.1.
diff -Nru libksba-1.3.1/configure libksba-1.3.2/configure
diff -Nru libksba-1.3.1/configure.ac libksba-1.3.2/configure.ac
--- libksba-1.3.1/configure.ac 2014-09-18 09:33:28.000000000 +0200
+++ libksba-1.3.2/configure.ac 2014-11-25 12:30:38.000000000 +0100
@@ -27,23 +27,23 @@
# bump the version number immediately after the release and do another
# commit and push so that the git magic is able to work. See below
# for the LT versions.
-m4_define(mym4_version, [1.3.1])
+m4_define([mym4_package],[libksba])
+m4_define([mym4_major], [1])
+m4_define([mym4_minor], [3])
+m4_define([mym4_micro], [2])
-# Below is m4 magic to extract and compute the revision number, the
-# decimalized short revision number, a beta version string, and a flag
-# indicating a development version (mym4_isgit). Note that the m4
-# processing is done by autoconf and not during the configure run.
-m4_define([mym4_revision],
- m4_esyscmd([git rev-parse --short HEAD | tr -d '\n\r']))
-m4_define([mym4_revision_dec],
- m4_esyscmd_s([echo $((0x$(echo ]mym4_revision[|head -c 4)))]))
-m4_define([mym4_betastring],
- m4_esyscmd_s([git describe --match 'libksba-[0-9].*[0-9]' --long|\
- awk -F- '$3!=0{print"-beta"$3}']))
-m4_define([mym4_isgit],m4_if(mym4_betastring,[],[no],[yes]))
-m4_define([mym4_full_version],[mym4_version[]mym4_betastring])
-
-AC_INIT([libksba],[mym4_full_version],[http://bugs.gnupg.org])
+# Below is m4 magic to extract and compute the git revision number,
+# the decimalized short revision number, a beta version string and a
+# flag indicating a development version (mym4_isbeta). Note that the
+# m4 processing is done by autoconf and not during the configure run.
+m4_define([mym4_verslist], m4_split(m4_esyscmd([./autogen.sh --find-version] \
+ mym4_package mym4_major mym4_minor mym4_micro),[:]))
+m4_define([mym4_isbeta], m4_argn(2, mym4_verslist))
+m4_define([mym4_version], m4_argn(4, mym4_verslist))
+m4_define([mym4_revision], m4_argn(7, mym4_verslist))
+m4_define([mym4_revision_dec], m4_argn(8, mym4_verslist))
+m4_esyscmd([echo ]mym4_version[>VERSION])
+AC_INIT([mym4_package],[mym4_version], [http://bugs.gnupg.org])
# LT Version numbers: Remember to change them just *before* a release.
# (Interfaces removed: CURRENT++, AGE=0, REVISION=0)
@@ -52,7 +52,7 @@
# Please remember to document interface changes in the NEWS file.
LIBKSBA_LT_CURRENT=19
LIBKSBA_LT_AGE=11
-LIBKSBA_LT_REVISION=2
+LIBKSBA_LT_REVISION=3
#-------------------
# If the API is changed in an incompatible way: increment the next counter.
KSBA_CONFIG_API_VERSION=1
diff -Nru libksba-1.3.1/debian/changelog libksba-1.3.2/debian/changelog
--- libksba-1.3.1/debian/changelog 2014-09-26 19:27:40.000000000 +0200
+++ libksba-1.3.2/debian/changelog 2014-11-25 20:08:22.000000000 +0100
@@ -1,3 +1,10 @@
+libksba (1.3.2-1) unstable; urgency=high
+
+ * New upstream security release, fixing a buffer overflow in ksba_oid_to_str
+ in Libksba. Closes: #770972
+
+ -- Andreas Metzler <ametzler@debian.org> Tue, 25 Nov 2014 20:05:54 +0100
+
libksba (1.3.1-1) unstable; urgency=medium
* New upstream bugfix release.
diff -Nru libksba-1.3.1/doc/ksba.info libksba-1.3.2/doc/ksba.info
--- libksba-1.3.1/doc/ksba.info 2014-09-18 09:35:34.000000000 +0200
+++ libksba-1.3.2/doc/ksba.info 2014-11-25 12:38:13.000000000 +0100
@@ -9,8 +9,8 @@
This file documents the KSBA library to access X.509 and CMS data
structures.
- This is edition 1.3.1, last updated 15 March 2013, of `The KSBA
-Reference Manual', for Version 1.3.1.
+ This is edition 1.3.2, last updated 15 March 2013, of `The KSBA
+Reference Manual', for Version 1.3.2.
Copyright (C) 2002, 2003, 2004 g10 Code GmbH
@@ -26,8 +26,8 @@
Main Menu
*********
-This is edition 1.3.1, last updated 15 March 2013, of `The KSBA
-Reference Manual', for Version 1.3.1 of the KSBA library.
+This is edition 1.3.2, last updated 15 March 2013, of `The KSBA
+Reference Manual', for Version 1.3.2 of the KSBA library.
Copyright (C) 2002, 2003, 2004 g10 Code GmbH
diff -Nru libksba-1.3.1/doc/Makefile.in libksba-1.3.2/doc/Makefile.in
diff -Nru libksba-1.3.1/doc/stamp-vti libksba-1.3.2/doc/stamp-vti
diff -Nru libksba-1.3.1/doc/version.texi libksba-1.3.2/doc/version.texi
diff -Nru libksba-1.3.1/gl/Makefile.in libksba-1.3.2/gl/Makefile.in
diff -Nru libksba-1.3.1/m4/gpg-error.m4 libksba-1.3.2/m4/gpg-error.m4
--- libksba-1.3.1/m4/gpg-error.m4 2013-03-15 20:26:38.000000000 +0100
+++ libksba-1.3.2/m4/gpg-error.m4 2014-11-25 12:15:20.000000000 +0100
@@ -1,5 +1,5 @@
# gpg-error.m4 - autoconf macro to detect libgpg-error.
-# Copyright (C) 2002, 2003, 2004, 2011 g10 Code GmbH
+# Copyright (C) 2002, 2003, 2004, 2011, 2014 g10 Code GmbH
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
@@ -8,38 +8,64 @@
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#
+# Last-changed: 2014-10-02
+
dnl AM_PATH_GPG_ERROR([MINIMUM-VERSION,
dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
-dnl Test for libgpg-error and define GPG_ERROR_CFLAGS and GPG_ERROR_LIBS
+dnl
+dnl Test for libgpg-error and define GPG_ERROR_CFLAGS, GPG_ERROR_LIBS,
+dnl GPG_ERROR_MT_CFLAGS, and GPG_ERROR_MT_LIBS. The _MT_ variants are
+dnl used for programs requireing real multi thread support.
+dnl
+dnl If a prefix option is not used, the config script is first
+dnl searched in $SYSROOT/bin and then along $PATH. If the used
+dnl config script does not match the host specification the script
+dnl is added to the gpg_config_script_warn variable.
dnl
AC_DEFUN([AM_PATH_GPG_ERROR],
[ AC_REQUIRE([AC_CANONICAL_HOST])
+ gpg_error_config_prefix=""
dnl --with-libgpg-error-prefix=PFX is the preferred name for this option,
dnl since that is consistent with how our three siblings use the directory/
dnl package name in --with-$dir_name-prefix=PFX.
AC_ARG_WITH(libgpg-error-prefix,
- AC_HELP_STRING([--with-libgpg-error-prefix=PFX],
- [prefix where GPG Error is installed (optional)]),
- gpg_error_config_prefix="$withval", gpg_error_config_prefix="")
+ AC_HELP_STRING([--with-libgpg-error-prefix=PFX],
+ [prefix where GPG Error is installed (optional)]),
+ [gpg_error_config_prefix="$withval"])
dnl Accept --with-gpg-error-prefix and make it work the same as
dnl --with-libgpg-error-prefix above, for backwards compatibility,
dnl but do not document this old, inconsistently-named option.
AC_ARG_WITH(gpg-error-prefix,,
- gpg_error_config_prefix="$withval", gpg_error_config_prefix="")
+ [gpg_error_config_prefix="$withval"])
- if test x$gpg_error_config_prefix != x ; then
- if test x${GPG_ERROR_CONFIG+set} != xset ; then
- GPG_ERROR_CONFIG=$gpg_error_config_prefix/bin/gpg-error-config
+ if test x"${GPG_ERROR_CONFIG}" = x ; then
+ if test x"${gpg_error_config_prefix}" != x ; then
+ GPG_ERROR_CONFIG="${gpg_error_config_prefix}/bin/gpg-error-config"
+ else
+ case "${SYSROOT}" in
+ /*)
+ if test -x "${SYSROOT}/bin/gpg-error-config" ; then
+ GPG_ERROR_CONFIG="${SYSROOT}/bin/gpg-error-config"
+ fi
+ ;;
+ '')
+ ;;
+ *)
+ AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.])
+ ;;
+ esac
fi
fi
- AC_PATH_TOOL(GPG_ERROR_CONFIG, gpg-error-config, no)
+ AC_PATH_PROG(GPG_ERROR_CONFIG, gpg-error-config, no)
min_gpg_error_version=ifelse([$1], ,0.0,$1)
AC_MSG_CHECKING(for GPG Error - version >= $min_gpg_error_version)
ok=no
- if test "$GPG_ERROR_CONFIG" != "no" ; then
+ if test "$GPG_ERROR_CONFIG" != "no" \
+ && test -f "$GPG_ERROR_CONFIG" ; then
req_major=`echo $min_gpg_error_version | \
sed 's/\([[0-9]]*\)\.\([[0-9]]*\)/\1/'`
req_minor=`echo $min_gpg_error_version | \
@@ -62,6 +88,8 @@
if test $ok = yes; then
GPG_ERROR_CFLAGS=`$GPG_ERROR_CONFIG $gpg_error_config_args --cflags`
GPG_ERROR_LIBS=`$GPG_ERROR_CONFIG $gpg_error_config_args --libs`
+ GPG_ERROR_MT_CFLAGS=`$GPG_ERROR_CONFIG $gpg_error_config_args --mt --cflags 2>/dev/null`
+ GPG_ERROR_MT_LIBS=`$GPG_ERROR_CONFIG $gpg_error_config_args --mt --libs 2>/dev/null`
AC_MSG_RESULT([yes ($gpg_error_config_version)])
ifelse([$2], , :, [$2])
gpg_error_config_host=`$GPG_ERROR_CONFIG $gpg_error_config_args --host 2>/dev/null || echo none`
@@ -73,16 +101,21 @@
*** built for $gpg_error_config_host and thus may not match the
*** used host $host.
*** You may want to use the configure option --with-gpg-error-prefix
-*** to specify a matching config script.
+*** to specify a matching config script or use \$SYSROOT.
***]])
+ gpg_config_script_warn="$gpg_config_script_warn libgpg-error"
fi
fi
else
GPG_ERROR_CFLAGS=""
GPG_ERROR_LIBS=""
+ GPG_ERROR_MT_CFLAGS=""
+ GPG_ERROR_MT_LIBS=""
AC_MSG_RESULT(no)
ifelse([$3], , :, [$3])
fi
AC_SUBST(GPG_ERROR_CFLAGS)
AC_SUBST(GPG_ERROR_LIBS)
+ AC_SUBST(GPG_ERROR_MT_CFLAGS)
+ AC_SUBST(GPG_ERROR_MT_LIBS)
])
diff -Nru libksba-1.3.1/m4/libgcrypt.m4 libksba-1.3.2/m4/libgcrypt.m4
--- libksba-1.3.1/m4/libgcrypt.m4 2013-03-15 20:26:38.000000000 +0100
+++ libksba-1.3.2/m4/libgcrypt.m4 2014-11-25 12:15:33.000000000 +0100
@@ -1,13 +1,15 @@
-dnl Autoconf macros for libgcrypt
-dnl Copyright (C) 2002, 2004, 2011 Free Software Foundation, Inc.
-dnl
-dnl This file is free software; as a special exception the author gives
-dnl unlimited permission to copy and/or distribute it, with or without
-dnl modifications, as long as this notice is preserved.
-dnl
-dnl This file is distributed in the hope that it will be useful, but
-dnl WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
-dnl implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# libgcrypt.m4 - Autoconf macros to detect libgcrypt
+# Copyright (C) 2002, 2003, 2004, 2011, 2014 g10 Code GmbH
+#
+# This file is free software; as a special exception the author gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#
+# Last-changed: 2014-10-02
dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION,
@@ -20,19 +22,37 @@
dnl this features allows to prevent build against newer versions of libgcrypt
dnl with a changed API.
dnl
+dnl If a prefix option is not used, the config script is first
+dnl searched in $SYSROOT/bin and then along $PATH. If the used
+dnl config script does not match the host specification the script
+dnl is added to the gpg_config_script_warn variable.
+dnl
AC_DEFUN([AM_PATH_LIBGCRYPT],
[ AC_REQUIRE([AC_CANONICAL_HOST])
AC_ARG_WITH(libgcrypt-prefix,
AC_HELP_STRING([--with-libgcrypt-prefix=PFX],
[prefix where LIBGCRYPT is installed (optional)]),
libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="")
- if test x$libgcrypt_config_prefix != x ; then
- if test x${LIBGCRYPT_CONFIG+set} != xset ; then
- LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config
+ if test x"${LIBGCRYPT_CONFIG}" = x ; then
+ if test x"${libgcrypt_config_prefix}" != x ; then
+ LIBGCRYPT_CONFIG="${libgcrypt_config_prefix}/bin/libgcrypt-config"
+ else
+ case "${SYSROOT}" in
+ /*)
+ if test -x "${SYSROOT}/bin/libgcrypt-config" ; then
+ LIBGCRYPT_CONFIG="${SYSROOT}/bin/libgcrypt-config"
+ fi
+ ;;
+ '')
+ ;;
+ *)
+ AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.])
+ ;;
+ esac
fi
fi
- AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, no)
+ AC_PATH_PROG(LIBGCRYPT_CONFIG, libgcrypt-config, no)
tmp=ifelse([$1], ,1:1.2.0,$1)
if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then
req_libgcrypt_api=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\1/'`
@@ -108,8 +128,9 @@
*** built for $libgcrypt_config_host and thus may not match the
*** used host $host.
*** You may want to use the configure option --with-libgcrypt-prefix
-*** to specify a matching config script.
+*** to specify a matching config script or use \$SYSROOT.
***]])
+ gpg_config_script_warn="$gpg_config_script_warn libgcrypt"
fi
fi
else
diff -Nru libksba-1.3.1/m4/Makefile.in libksba-1.3.2/m4/Makefile.in
diff -Nru libksba-1.3.1/Makefile.am libksba-1.3.2/Makefile.am
--- libksba-1.3.1/Makefile.am 2014-01-10 12:56:56.000000000 +0100
+++ libksba-1.3.2/Makefile.am 2014-11-25 12:22:47.000000000 +0100
@@ -41,7 +41,6 @@
SUBDIRS = m4 gl src ${tests} doc
dist-hook: gen-ChangeLog
- @set -e; echo "$(VERSION)" > $(distdir)/VERSION
gen_start_date = 2011-12-01T00:00:00
diff -Nru libksba-1.3.1/Makefile.in libksba-1.3.2/Makefile.in
diff -Nru libksba-1.3.1/NEWS libksba-1.3.2/NEWS
--- libksba-1.3.1/NEWS 2014-09-18 09:33:28.000000000 +0200
+++ libksba-1.3.2/NEWS 2014-11-25 12:32:57.000000000 +0100
@@ -1,3 +1,9 @@
+Noteworthy changes in version 1.3.2 (2014-11-25) [C19/A11/R3]
+------------------------------------------------
+
+ * Fixed a buffer overflow in ksba_oid_to_str.
+
+
Noteworthy changes in version 1.3.1 (2014-09-18)
------------------------------------------------
diff -Nru libksba-1.3.1/src/Makefile.in libksba-1.3.2/src/Makefile.in
diff -Nru libksba-1.3.1/src/oid.c libksba-1.3.2/src/oid.c
--- libksba-1.3.1/src/oid.c 2013-03-15 20:26:38.000000000 +0100
+++ libksba-1.3.2/src/oid.c 2014-11-25 10:11:20.000000000 +0100
@@ -94,6 +94,8 @@
val <<= 7;
val |= buf[n] & 0x7f;
}
+ if (val < 80)
+ goto badoid;
val -= 80;
sprintf (p, "2.%lu", val);
p += strlen (p);
diff -Nru libksba-1.3.1/tests/Makefile.am libksba-1.3.2/tests/Makefile.am
--- libksba-1.3.1/tests/Makefile.am 2014-07-22 09:24:19.000000000 +0200
+++ libksba-1.3.2/tests/Makefile.am 2014-11-25 09:30:20.000000000 +0100
@@ -39,13 +39,13 @@
BUILT_SOURCES = oidtranstbl.h
CLEANFILES = oidtranstbl.h
-TESTS = cert-basic t-crl-parser t-dnparser
+TESTS = cert-basic t-crl-parser t-dnparser t-oid
AM_CFLAGS = $(GPG_ERROR_CFLAGS)
AM_LDFLAGS = -no-install
noinst_HEADERS = t-common.h
-noinst_PROGRAMS = $(TESTS) t-cms-parser t-crl-parser t-dnparser t-ocsp t-oid
+noinst_PROGRAMS = $(TESTS) t-cms-parser t-crl-parser t-dnparser t-ocsp
LDADD = ../src/libksba.la $(GPG_ERROR_LIBS)
t_ocsp_SOURCES = t-ocsp.c sha1.c
@@ -59,6 +59,6 @@
for i in /etc/dumpasn1 /usr/local/bin /usr/local/share /usr/bin \
/usr/share ; do \
if test -f $$i/dumpasn1.cfg; then f=$$i/dumpasn1.cfg; break; fi; \
- done; $(AWK) -f $(srcdir)/mkoidtbl.awk $$f >$@
+ done; tr -d '\r' <$$f | $(AWK) -f $(srcdir)/mkoidtbl.awk >$@
LOG_COMPILER = $(VALGRIND)
diff -Nru libksba-1.3.1/tests/Makefile.in libksba-1.3.2/tests/Makefile.in
diff -Nru libksba-1.3.1/tests/t-dnparser.c libksba-1.3.2/tests/t-dnparser.c
--- libksba-1.3.1/tests/t-dnparser.c 2014-04-15 22:11:42.000000000 +0200
+++ libksba-1.3.2/tests/t-dnparser.c 2014-11-25 10:16:43.000000000 +0100
@@ -143,7 +143,7 @@
if (!feof (stdin))
fail ("read error or input too large");
- fail ("no yet implemented");
+ fail ("not yet implemented");
}
else if (argc == 2 && !strcmp (argv[1], "--to-der") )
diff -Nru libksba-1.3.1/tests/t-oid.c libksba-1.3.2/tests/t-oid.c
--- libksba-1.3.1/tests/t-oid.c 2013-03-15 20:26:38.000000000 +0100
+++ libksba-1.3.2/tests/t-oid.c 2014-11-25 11:36:11.000000000 +0100
@@ -27,6 +27,9 @@
#include "../src/ksba.h"
+#define PGM "t-oid"
+#define BADOID "1.3.6.1.4.1.11591.2.12242973"
+
static void *
read_into_buffer (FILE *fp, size_t *r_length)
@@ -68,23 +71,104 @@
}
+static void
+test_oid_to_str (void)
+{
+ struct {
+ unsigned int binlen;
+ unsigned char *bin;
+ char *str;
+ } tests[] = {
+
+ { 7, "\x02\x82\x06\x01\x0A\x0C\x00",
+ "0.2.262.1.10.12.0"
+ },
+ { 7, "\x02\x82\x06\x01\x0A\x0C\x01",
+ "0.2.262.1.10.12.1"
+ },
+ { 7, "\x2A\x86\x48\xCE\x38\x04\x01",
+ "1.2.840.10040.4.1"
+ },
+ { 7, "\x2A\x86\x48\xCE\x38\x04\x03",
+ "1.2.840.10040.4.3"
+ },
+ { 10, "\x2B\x06\x01\x04\x01\xDA\x47\x02\x01\x01",
+ "1.3.6.1.4.1.11591.2.1.1"
+ },
+ { 3, "\x55\x1D\x0E",
+ "2.5.29.14"
+ },
+ { 9, "\x80\x02\x70\x50\x25\x46\xfd\x0c\xc0",
+ BADOID
+ },
+ { 1, "\x80",
+ BADOID
+ },
+ { 2, "\x81\x00",
+ "2.48"
+ },
+ { 2, "\x81\x01",
+ "2.49"
+ },
+ { 2, "\x81\x7f",
+ "2.175"
+ },
+ { 2, "\x81\x80", /* legal encoding? */
+ "2.48"
+ },
+ { 2, "\x81\x81\x01", /* legal encoding? */
+ "2.49"
+ },
+ { 0, "",
+ ""
+ },
+
+ { 0, NULL, NULL }
+ };
+ int tidx;
+ char *str;
+
+ for (tidx=0; tests[tidx].bin; tidx++)
+ {
+ str = ksba_oid_to_str (tests[tidx].bin, tests[tidx].binlen);
+ if (!str)
+ {
+ perror ("ksba_oid_to_str failed");
+ exit (1);
+ }
+ if (strcmp (tests[tidx].str, str))
+ {
+ fprintf (stderr, "ksba_oid_to_str test %d failed\n", tidx);
+ fprintf (stderr, " got=%s\n", str);
+ fprintf (stderr, " want=%s\n", tests[tidx].str);
+ exit (1);
+ }
+ }
+}
+
int
main (int argc, char **argv)
{
gpg_error_t err;
+
if (argc)
{
argc--;
argv++;
}
- if (argc)
+
+ if (!argc)
+ {
+ test_oid_to_str ();
+ }
+ else if (!strcmp (*argv, "--from-str"))
{
unsigned char *buffer;
size_t n, buflen;
- for ( ;argc ; argc--, argv++)
+ for (argv++,argc-- ; argc; argc--, argv++)
{
err = ksba_oid_from_str (*argv, &buffer, &buflen);
if (err)
@@ -100,18 +184,25 @@
free (buffer);
}
}
- else
+ else if (!strcmp (*argv, "--to-str"))
{
char *buffer;
size_t buflen;
char *result;
+ argv++;argc--;
+
buffer = read_into_buffer (stdin, &buflen);
result = ksba_oid_to_str (buffer, buflen);
free (buffer);
printf ("%s\n", result? result:"[malloc failed]");
free (result);
}
+ else
+ {
+ fputs ("usage: "PGM" [--from-str|--to-str]\n", stderr);
+ return 1;
+ }
return 0;
}
diff -Nru libksba-1.3.1/VERSION libksba-1.3.2/VERSION
--- libksba-1.3.1/VERSION 2014-09-18 09:35:35.000000000 +0200
+++ libksba-1.3.2/VERSION 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-1.3.1
Attachment:
signature.asc
Description: Digital signature