authorJinWang An <jinwang.an@samsung.com>2023-01-17 13:32:00 +0900
committerJinWang An <jinwang.an@samsung.com>2023-01-17 13:32:00 +0900
commitba4b676859e3d757e02f0537b5d7308feadc26d7 (patch)
treeb9ea7a5f43c7f48943c41c83b347d8796c8574e6
parent7b1edcf8bf7ec69d323bc1bdb1619c2c6ab02030 (diff)
Imported Upstream version 1.6.3upstream/1.6.3
-rw-r--r--ChangeLog35
-rw-r--r--NEWS8
-rwxr-xr-xconfigure34
-rw-r--r--configure.ac4
-rw-r--r--doc/ksba.info93
-rw-r--r--doc/ksba.texi22
-rw-r--r--doc/stamp-vti8
-rw-r--r--doc/version.texi8
-rw-r--r--m4/gpg-error.m46
-rw-r--r--m4/libgcrypt.m44
-rw-r--r--src/crl.c2
-rw-r--r--src/ksba.h4
-rw-r--r--src/ksba.m44
-rw-r--r--src/ocsp.c12
14 files changed, 154 insertions, 90 deletions
diff --git a/ChangeLog b/ChangeLog
index d0e0b5b..50bb94d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,38 @@
+2022-12-06 Werner Koch <wk@gnupg.org>
+
+ Release 1.6.3.
+ + commit bffa9b346071725363a483db547e7dced9721cb5
+
+
+2022-11-23 Werner Koch <wk@gnupg.org>
+
+ Fix an integer overflow in the CRL signature parser.
+ + commit f61a5ea4e0f6a80fd4b28ef0174bee77793cf070
+ * src/crl.c (parse_signature): N+N2 now checked for overflow.
+
+ * src/ocsp.c (parse_response_extensions): Do not accept too large
+ values.
+ (parse_single_extensions): Ditto.
+
+2022-11-02 NIIBE Yutaka <gniibe@fsij.org>
+
+ build: Update m4/libgcrypt.m4.
+ + commit 4076b60f7cef4fddc3d30f6e6d4078081dbc7167
+ * m4/libgcrypt.m4: Update from libgcrypt master.
+
+2022-11-01 NIIBE Yutaka <gniibe@fsij.org>
+
+ build: Prefer gpgrt-config when available.
+ + commit 13307b22882a220d206341e1196e74fd37418c2f
+ * src/ksba.m4: Overriding the decision by --with-libksba-prefix, use
+ gpgrt-config ksba when gpgrt-config is available.
+
+2022-10-24 NIIBE Yutaka <gniibe@fsij.org>
+
+ build: Update gpg-error.m4.
+ + commit c3c1627f34234e3d54fe1f3411ac499dd7e3b3b0
+ * m4/gpg-error.m4: Update from libgpg-error 1.46.
+
2022-10-07 Werner Koch <wk@gnupg.org>
Release 1.6.2.
diff --git a/NEWS b/NEWS
index 3c74e41..e87ae74 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+Noteworthy changes in version 1.6.3 (2022-12-06) [C22/A14/R3]
+------------------------------------------------
+
+ * Fix another integer overflow in the CRL parser. [T6284]
+
+ Release-info: https://dev.gnupg.org/T6304
+
+
Noteworthy changes in version 1.6.2 (2022-10-07) [C22/A14/R2]
------------------------------------------------
diff --git a/configure b/configure
index 3495ab1..33fce52 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libksba 1.6.2.
+# Generated by GNU Autoconf 2.69 for libksba 1.6.3.
#
# Report bugs to <https://bugs.gnupg.org>.
#
@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='libksba'
PACKAGE_TARNAME='libksba'
-PACKAGE_VERSION='1.6.2'
-PACKAGE_STRING='libksba 1.6.2'
+PACKAGE_VERSION='1.6.3'
+PACKAGE_STRING='libksba 1.6.3'
PACKAGE_BUGREPORT='https://bugs.gnupg.org'
PACKAGE_URL=''
@@ -1384,7 +1384,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures libksba 1.6.2 to adapt to many kinds of systems.
+\`configure' configures libksba 1.6.3 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1455,7 +1455,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of libksba 1.6.2:";;
+ short | recursive ) echo "Configuration of libksba 1.6.3:";;
esac
cat <<\_ACEOF
@@ -1584,7 +1584,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-libksba configure 1.6.2
+libksba configure 1.6.3
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2190,7 +2190,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by libksba $as_me 1.6.2, which was
+It was created by libksba $as_me 1.6.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2546,7 +2546,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
# Please remember to document interface changes in the NEWS file.
LIBKSBA_LT_CURRENT=22
LIBKSBA_LT_AGE=14
-LIBKSBA_LT_REVISION=2
+LIBKSBA_LT_REVISION=3
#-------------------
# If the API is changed in an incompatible way: increment the next counter.
KSBA_CONFIG_API_VERSION=1
@@ -3066,7 +3066,7 @@ fi
# Define the identity of the package.
PACKAGE='libksba'
- VERSION='1.6.2'
+ VERSION='1.6.3'
cat >>confdefs.h <<_ACEOF
@@ -12475,7 +12475,7 @@ fi
-VERSION_NUMBER=0x010602
+VERSION_NUMBER=0x010603
@@ -14398,6 +14398,10 @@ fi
fi
if test -n "$gpgrt_libdir"; then break; fi
done
+ if test -z "$libdir_candidates"; then
+ # No valid pkgconfig dir in any of the system directories, fallback
+ gpgrt_libdir=${possible_libdir1}
+ fi
else
# When we cannot determine system libdir-format, use this:
gpgrt_libdir=${possible_libdir1}
@@ -15257,11 +15261,11 @@ fi
# Generate extended version information for W32.
if test "$have_w32_system" = yes; then
BUILD_FILEVERSION=`echo "$VERSION" | sed 's/\([0-9.]*\).*/\1./;s/\./,/g'`
- BUILD_FILEVERSION="${BUILD_FILEVERSION}10625"
+ BUILD_FILEVERSION="${BUILD_FILEVERSION}49146"
fi
-BUILD_REVISION="2981495"
+BUILD_REVISION="bffa9b3"
cat >>confdefs.h <<_ACEOF
@@ -15878,7 +15882,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by libksba $as_me 1.6.2, which was
+This file was extended by libksba $as_me 1.6.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -15944,7 +15948,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-libksba config.status 1.6.2
+libksba config.status 1.6.3
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
@@ -17957,7 +17961,7 @@ fi
echo "
Libksba v${VERSION} has been configured as follows:
- Revision: 2981495 (10625)
+ Revision: bffa9b3 (49146)
Platform: $host
"
diff --git a/configure.ac b/configure.ac
index ef627c0..4640b90 100644
--- a/configure.ac
+++ b/configure.ac
@@ -30,7 +30,7 @@ min_automake_version="1.14"
m4_define([mym4_package],[libksba])
m4_define([mym4_major], [1])
m4_define([mym4_minor], [6])
-m4_define([mym4_micro], [2])
+m4_define([mym4_micro], [3])
# Below is m4 magic to extract and compute the git revision number,
# the decimalized short revision number, a beta version string and a
@@ -52,7 +52,7 @@ AC_INIT([mym4_package],[mym4_version],[https://bugs.gnupg.org])
# Please remember to document interface changes in the NEWS file.
LIBKSBA_LT_CURRENT=22
LIBKSBA_LT_AGE=14
-LIBKSBA_LT_REVISION=2
+LIBKSBA_LT_REVISION=3
#-------------------
# If the API is changed in an incompatible way: increment the next counter.
KSBA_CONFIG_API_VERSION=1
diff --git a/doc/ksba.info b/doc/ksba.info
index 63a62fc..c3f1ce3 100644
--- a/doc/ksba.info
+++ b/doc/ksba.info
@@ -8,8 +8,8 @@ END-INFO-DIR-ENTRY
This file documents the KSBA library to access X.509 and CMS data
structures.
- This is edition 1.6.2, last updated 12 May 2020, of 'The KSBA
-Reference Manual', for Version 1.6.2.
+ This is edition 1.6.3, last updated 22 November 2022, of 'The KSBA
+Reference Manual', for Version 1.6.3.
Copyright (C) 2002, 2003, 2004 g10 Code GmbH
@@ -25,8 +25,8 @@ File: ksba.info, Node: Top, Next: Introduction, Up: (dir)
Main Menu
*********
-This is edition 1.6.2, last updated 12 May 2020, of 'The KSBA Reference
-Manual', for Version 1.6.2 of the KSBA library.
+This is edition 1.6.3, last updated 22 November 2022, of 'The KSBA
+Reference Manual', for Version 1.6.3 of the KSBA library.
Copyright (C) 2002, 2003, 2004 g10 Code GmbH
@@ -228,33 +228,34 @@ which the header file is located to the compiler's include file search
path (via the '-I' option).
However, the path to the include file is determined at the time the
-source is configured. To solve this problem, 'KSBA' ships with a small
-helper program 'ksba-config' that knows about the path to the include
-file and other configuration options. The options that need to be added
-to the compiler invocation at compile time are output by the '--cflags'
-option of 'ksba-config'. The following example shows how it can be used
-at the command line:
+source is configured. To solve this problem, 'KSBA' ships with
+'ksba.pc' file, that knows about the path to the include file and other
+configuration options. The options that need to be added to the
+compiler invocation at compile time are output by the '--cflags' option
+of 'pkg-config ksba'. The following example shows how it can be used at
+the command line:
- gcc -c foo.c `ksba-config --cflags`
+ gcc -c foo.c `pkg-config --cflags ksba`
- Adding the output of 'ksba-config --cflags' to the compiler's command
-line will ensure that the compiler can find the 'ksba.h' header file.
+ Adding the output of 'pkg-config --cflags ksba' to the compiler's
+command line will ensure that the compiler can find the 'ksba.h' header
+file.
A similar problem occurs when linking the program with the library.
Again, the compiler has to find the library files. For this to work,
the path to the library files has to be added to the library search path
-(via the '-L' option). For this, the option '--libs' of 'ksba-config'
-can be used. For convenience, this option also outputs all other
+(via the '-L' option). For this, the option '--libs' of 'pkg-config
+ksba' can be used. For convenience, this option also outputs all other
options that are required to link the program with the 'KSBA' libraries
(in particular, the '-lksba' option). The example shows how to link
'foo.o' with the 'KSBA' libraries to a program 'foo'.
- gcc -o foo foo.o `ksba-config --libs`
+ gcc -o foo foo.o `pkg-config --libs ksba`
Of course you can also combine both examples to a single command by
-specifying both options to 'ksba-config':
+specifying both options to 'pkg-config ksba':
- gcc -o foo foo.c `ksba-config --cflags --libs`
+ gcc -o foo foo.c `pkg-config --cflags --libs ksba`

File: ksba.info, Node: Certificate Handling, Next: CMS, Prev: Preparation, Up: Top
@@ -1870,33 +1871,33 @@ Function and Data Index

Tag Table:
-Node: Top738
-Node: Introduction2768
-Node: Getting Started3046
-Node: Features3912
-Node: Overview5003
-Node: Preparation5252
-Node: Header5735
-Node: Version Check6331
-Node: Building the source7423
-Node: Certificate Handling9267
-Node: Creating certificates10248
-Node: Retrieving attributes12709
-Node: Setting attributes26927
-Node: User data27192
-Node: CMS29112
-Node: CMS Basics29571
-Node: CMS Parser31634
-Node: CRLs35612
-Node: PKCS1035895
-Node: Utilities36156
-Node: Names36560
-Node: OIDs38872
-Node: DNs39076
-Node: Error Handling40207
-Node: Component Labels41562
-Node: Copying43125
-Node: Concept Index80652
-Node: Function and Data Index80780
+Node: Top743
+Node: Introduction2778
+Node: Getting Started3056
+Node: Features3922
+Node: Overview5013
+Node: Preparation5262
+Node: Header5745
+Node: Version Check6341
+Node: Building the source7433
+Node: Certificate Handling9284
+Node: Creating certificates10265
+Node: Retrieving attributes12726
+Node: Setting attributes26944
+Node: User data27209
+Node: CMS29129
+Node: CMS Basics29588
+Node: CMS Parser31651
+Node: CRLs35629
+Node: PKCS1035912
+Node: Utilities36173
+Node: Names36577
+Node: OIDs38889
+Node: DNs39093
+Node: Error Handling40224
+Node: Component Labels41579
+Node: Copying43142
+Node: Concept Index80669
+Node: Function and Data Index80797

End Tag Table
diff --git a/doc/ksba.texi b/doc/ksba.texi
index 65cf10c..97a806b 100644
--- a/doc/ksba.texi
+++ b/doc/ksba.texi
@@ -259,18 +259,18 @@ which the header file is located to the compiler's include file search
path (via the @option{-I} option).
However, the path to the include file is determined at the time the
-source is configured. To solve this problem, `KSBA' ships with a small
-helper program @command{ksba-config} that knows about the path to the
-include file and other configuration options. The options that need to
-be added to the compiler invocation at compile time are output by the
-@option{--cflags} option of @command{ksba-config}. The following
+source is configured. To solve this problem, `KSBA' ships with
+@code{ksba.pc} file, that knows about the path to the include file and
+other configuration options. The options that need to be added to the
+compiler invocation at compile time are output by the
+@option{--cflags} option of @command{pkg-config ksba}. The following
example shows how it can be used at the command line:
@example
-gcc -c foo.c `ksba-config --cflags`
+gcc -c foo.c `pkg-config --cflags ksba`
@end example
-Adding the output of @samp{ksba-config --cflags} to the compiler's
+Adding the output of @samp{pkg-config --cflags ksba} to the compiler's
command line will ensure that the compiler can find the @file{ksba.h}
header file.
@@ -278,21 +278,21 @@ A similar problem occurs when linking the program with the library.
Again, the compiler has to find the library files. For this to work,
the path to the library files has to be added to the library search path
(via the @option{-L} option). For this, the option @option{--libs} of
-@command{ksba-config} can be used. For convenience, this option also
+@command{pkg-config ksba} can be used. For convenience, this option also
outputs all other options that are required to link the program with the
`KSBA' libraries (in particular, the @samp{-lksba} option). The
example shows how to link @file{foo.o} with the `KSBA' libraries to a
program @command{foo}.
@example
-gcc -o foo foo.o `ksba-config --libs`
+gcc -o foo foo.o `pkg-config --libs ksba`
@end example
Of course you can also combine both examples to a single command by
-specifying both options to @command{ksba-config}:
+specifying both options to @command{pkg-config ksba}:
@example
-gcc -o foo foo.c `ksba-config --cflags --libs`
+gcc -o foo foo.c `pkg-config --cflags --libs ksba`
@end example
diff --git a/doc/stamp-vti b/doc/stamp-vti
index 729de08..b3c98cf 100644
--- a/doc/stamp-vti
+++ b/doc/stamp-vti
@@ -1,4 +1,4 @@
-@set UPDATED 12 May 2020
-@set UPDATED-MONTH May 2020
-@set EDITION 1.6.2
-@set VERSION 1.6.2
+@set UPDATED 22 November 2022
+@set UPDATED-MONTH November 2022
+@set EDITION 1.6.3
+@set VERSION 1.6.3
diff --git a/doc/version.texi b/doc/version.texi
index 729de08..b3c98cf 100644
--- a/doc/version.texi
+++ b/doc/version.texi
@@ -1,4 +1,4 @@
-@set UPDATED 12 May 2020
-@set UPDATED-MONTH May 2020
-@set EDITION 1.6.2
-@set VERSION 1.6.2
+@set UPDATED 22 November 2022
+@set UPDATED-MONTH November 2022
+@set EDITION 1.6.3
+@set VERSION 1.6.3
diff --git a/m4/gpg-error.m4 b/m4/gpg-error.m4
index 4b5cd40..a975e53 100644
--- a/m4/gpg-error.m4
+++ b/m4/gpg-error.m4
@@ -10,7 +10,7 @@
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
-# Last-changed: 2022-02-15
+# Last-changed: 2022-09-21
dnl AM_PATH_GPG_ERROR([MINIMUM-VERSION,
@@ -120,6 +120,10 @@ AC_DEFUN([AM_PATH_GPG_ERROR],
fi
if test -n "$gpgrt_libdir"; then break; fi
done
+ if test -z "$libdir_candidates"; then
+ # No valid pkgconfig dir in any of the system directories, fallback
+ gpgrt_libdir=${possible_libdir1}
+ fi
else
# When we cannot determine system libdir-format, use this:
gpgrt_libdir=${possible_libdir1}
diff --git a/m4/libgcrypt.m4 b/m4/libgcrypt.m4
index 19d514f..cd4249e 100644
--- a/m4/libgcrypt.m4
+++ b/m4/libgcrypt.m4
@@ -9,7 +9,7 @@
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
-# Last-changed: 2020-09-27
+# Last-changed: 2022-11-01
dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION,
@@ -40,7 +40,7 @@ AC_DEFUN([AM_PATH_LIBGCRYPT],
fi
use_gpgrt_config=""
- if test x"${LIBGCRYPT_CONFIG}" = x -a x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
+ if test x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
if $GPGRT_CONFIG libgcrypt --exists; then
LIBGCRYPT_CONFIG="$GPGRT_CONFIG libgcrypt"
AC_MSG_NOTICE([Use gpgrt-config as libgcrypt-config])
diff --git a/src/crl.c b/src/crl.c
index 9f71c85..2e6ca29 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -1349,7 +1349,7 @@ parse_signature (ksba_crl_t crl)
&& !ti.is_constructed) )
return gpg_error (GPG_ERR_INV_CRL_OBJ);
n2 = ti.nhdr + ti.length;
- if (n + n2 >= DIM(tmpbuf))
+ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n)
return gpg_error (GPG_ERR_TOO_LARGE);
memcpy (tmpbuf+n, ti.buf, ti.nhdr);
err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length);
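Review bot: The wrap-around test `(n + n2) < n` on the changed line is only well-defined if `n` and `n2` are unsigned; their declarations are outside the hunk, and if either were a signed type the overflowing addition would be undefined behaviour that the compiler may assume cannot happen, silently dropping the very check this commit adds. A form that never performs the addition sidesteps the question and rejects the same inputs: `if (n2 >= DIM(tmpbuf) || n >= DIM(tmpbuf) - n2)`. Note also that `n2 = ti.nhdr + ti.length` on the preceding line is itself an unchecked sum; whether it can wrap before the new check runs depends on the widths of those fields, which are not visible here. parse_signature begins and ends outside the hunk.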
diff --git a/src/ksba.h b/src/ksba.h
index aec5e4d..ec42a50 100644
--- a/src/ksba.h
+++ b/src/ksba.h
@@ -46,11 +46,11 @@ extern "C" {
/* The version of this header should match the one of the library. Do
* not use this symbol in your application; use assuan_check_version
* instead. */
-#define KSBA_VERSION "1.6.2"
+#define KSBA_VERSION "1.6.3"
/* The version number of this header. It may be used to handle minor
* API incompatibilities. */
-#define KSBA_VERSION_NUMBER 0x010602
+#define KSBA_VERSION_NUMBER 0x010603
diff --git a/src/ksba.m4 b/src/ksba.m4
index 6b55bb8..452c245 100644
--- a/src/ksba.m4
+++ b/src/ksba.m4
@@ -9,7 +9,7 @@
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
-# Last-changed: 2020-11-18
+# Last-changed: 2022-11-01
dnl AM_PATH_KSBA([MINIMUM-VERSION,
dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
@@ -44,7 +44,7 @@ AC_DEFUN([AM_PATH_KSBA],
fi
use_gpgrt_config=""
- if test x"$KSBA_CONFIG" = x -a x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
+ if test x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
if $GPGRT_CONFIG ksba --exists; then
KSBA_CONFIG="$GPGRT_CONFIG ksba"
AC_MSG_NOTICE([Use gpgrt-config as ksba-config])
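Review bot: Dropping the `x"$KSBA_CONFIG" = x` guard means a KSBA_CONFIG value chosen earlier in the macro (presumably from --with-libksba-prefix, per the ChangeLog entry in this commit) is now overwritten whenever gpgrt-config is present, yet the notice on the last line only says gpgrt-config is being used, so a user who asked for a specific install prefix gets no indication that their choice was discarded and a different libksba may be linked. I would keep the override but make it visible, e.g. `AC_MSG_NOTICE([Use gpgrt-config as ksba-config (overriding KSBA_CONFIG)])` and mention the precedence in the macro's header comment. The same guard removal appears in the m4/libgcrypt.m4 hunk, which is a vendored update and not reviewed here. AM_PATH_KSBA begins and ends outside the hunk.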
diff --git a/src/ocsp.c b/src/ocsp.c
index d4cba04..657d15f 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -721,6 +721,12 @@ parse_response_extensions (ksba_ocsp_t ocsp,
|| memcmp (ocsp->nonce, data, ti.length))
ocsp->bad_nonce = 1;
}
+ if (ti.length > (1<<24))
+ {
+ /* Bail out on much too large objects. */
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
if (!ex)
{
@@ -788,6 +794,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri,
err = parse_octet_string (&data, &datalen, &ti);
if (err)
goto leave;
+ if (ti.length > (1<<24))
+ {
+ /* Bail out on much too large objects. */
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
if (!ex)
{