author | JinWang An <jinwang.an@samsung.com> | 2023-01-17 13:32:00 +0900 |
committer | JinWang An <jinwang.an@samsung.com> | 2023-01-17 13:32:00 +0900 |
commit | ba4b676859e3d757e02f0537b5d7308feadc26d7 (patch) | |
tree | b9ea7a5f43c7f48943c41c83b347d8796c8574e6 | |
parent | 7b1edcf8bf7ec69d323bc1bdb1619c2c6ab02030 (diff) | |
Imported Upstream version 1.6.3upstream/1.6.3
-rw-r--r-- | ChangeLog | 35 | ||||
-rw-r--r-- | NEWS | 8 | ||||
-rwxr-xr-x | configure | 34 | ||||
-rw-r--r-- | configure.ac | 4 | ||||
-rw-r--r-- | doc/ksba.info | 93 | ||||
-rw-r--r-- | doc/ksba.texi | 22 | ||||
-rw-r--r-- | doc/stamp-vti | 8 | ||||
-rw-r--r-- | doc/version.texi | 8 | ||||
-rw-r--r-- | m4/gpg-error.m4 | 6 | ||||
-rw-r--r-- | m4/libgcrypt.m4 | 4 | ||||
-rw-r--r-- | src/crl.c | 2 | ||||
-rw-r--r-- | src/ksba.h | 4 | ||||
-rw-r--r-- | src/ksba.m4 | 4 | ||||
-rw-r--r-- | src/ocsp.c | 12 |
14 files changed, 154 insertions, 90 deletions
@@ -1,3 +1,38 @@ +2022-12-06 Werner Koch <wk@gnupg.org> + + Release 1.6.3. + + commit bffa9b346071725363a483db547e7dced9721cb5 + + +2022-11-23 Werner Koch <wk@gnupg.org> + + Fix an integer overflow in the CRL signature parser. + + commit f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 + * src/crl.c (parse_signature): N+N2 now checked for overflow. + + * src/ocsp.c (parse_response_extensions): Do not accept too large + values. + (parse_single_extensions): Ditto. + +2022-11-02 NIIBE Yutaka <gniibe@fsij.org> + + build: Update m4/libgcrypt.m4. + + commit 4076b60f7cef4fddc3d30f6e6d4078081dbc7167 + * m4/libgcrypt.m4: Update from libgcrypt master. + +2022-11-01 NIIBE Yutaka <gniibe@fsij.org> + + build: Prefer gpgrt-config when available. + + commit 13307b22882a220d206341e1196e74fd37418c2f + * src/ksba.m4: Overriding the decision by --with-libksba-prefix, use + gpgrt-config ksba when gpgrt-config is available. + +2022-10-24 NIIBE Yutaka <gniibe@fsij.org> + + build: Update gpg-error.m4. + + commit c3c1627f34234e3d54fe1f3411ac499dd7e3b3b0 + * m4/gpg-error.m4: Update from libgpg-error 1.46. + 2022-10-07 Werner Koch <wk@gnupg.org> Release 1.6.2. @@ -1,3 +1,11 @@ +Noteworthy changes in version 1.6.3 (2022-12-06) [C22/A14/R3] +------------------------------------------------ + + * Fix another integer overflow in the CRL parser. [T6284] + + Release-info: https://dev.gnupg.org/T6304 + + Noteworthy changes in version 1.6.2 (2022-10-07) [C22/A14/R2] ------------------------------------------------ @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libksba 1.6.2. +# Generated by GNU Autoconf 2.69 for libksba 1.6.3. # # Report bugs to <https://bugs.gnupg.org>. # 
@@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='libksba' PACKAGE_TARNAME='libksba' -PACKAGE_VERSION='1.6.2' -PACKAGE_STRING='libksba 1.6.2' +PACKAGE_VERSION='1.6.3' +PACKAGE_STRING='libksba 1.6.3' PACKAGE_BUGREPORT='https://bugs.gnupg.org' PACKAGE_URL='' @@ -1384,7 +1384,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libksba 1.6.2 to adapt to many kinds of systems. +\`configure' configures libksba 1.6.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1455,7 +1455,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libksba 1.6.2:";; + short | recursive ) echo "Configuration of libksba 1.6.3:";; esac cat <<\_ACEOF @@ -1584,7 +1584,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libksba configure 1.6.2 +libksba configure 1.6.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2190,7 +2190,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libksba $as_me 1.6.2, which was +It was created by libksba $as_me 1.6.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2546,7 +2546,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu # Please remember to document interface changes in the NEWS file. LIBKSBA_LT_CURRENT=22 LIBKSBA_LT_AGE=14 -LIBKSBA_LT_REVISION=2 +LIBKSBA_LT_REVISION=3 #------------------- # If the API is changed in an incompatible way: increment the next counter. KSBA_CONFIG_API_VERSION=1 @@ -3066,7 +3066,7 @@ fi # Define the identity of the package. PACKAGE='libksba' - VERSION='1.6.2' + VERSION='1.6.3' cat >>confdefs.h <<_ACEOF 
@@ -12475,7 +12475,7 @@ fi -VERSION_NUMBER=0x010602 +VERSION_NUMBER=0x010603 @@ -14398,6 +14398,10 @@ fi fi if test -n "$gpgrt_libdir"; then break; fi done + if test -z "$libdir_candidates"; then + # No valid pkgconfig dir in any of the system directories, fallback + gpgrt_libdir=${possible_libdir1} + fi else # When we cannot determine system libdir-format, use this: gpgrt_libdir=${possible_libdir1} @@ -15257,11 +15261,11 @@ fi # Generate extended version information for W32. if test "$have_w32_system" = yes; then BUILD_FILEVERSION=`echo "$VERSION" | sed 's/\([0-9.]*\).*/\1./;s/\./,/g'` - BUILD_FILEVERSION="${BUILD_FILEVERSION}10625" + BUILD_FILEVERSION="${BUILD_FILEVERSION}49146" fi -BUILD_REVISION="2981495" +BUILD_REVISION="bffa9b3" cat >>confdefs.h <<_ACEOF @@ -15878,7 +15882,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libksba $as_me 1.6.2, which was +This file was extended by libksba $as_me 1.6.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -15944,7 +15948,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libksba config.status 1.6.2 +libksba config.status 1.6.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -17957,7 +17961,7 @@ fi echo " Libksba v${VERSION} has been configured as follows: - Revision: 2981495 (10625) + Revision: bffa9b3 (49146) Platform: $host " diff --git a/configure.ac b/configure.ac index ef627c0..4640b90 100644 --- a/configure.ac +++ b/configure.ac 
@@ -30,7 +30,7 @@ min_automake_version="1.14" m4_define([mym4_package],[libksba]) m4_define([mym4_major], [1]) m4_define([mym4_minor], [6]) -m4_define([mym4_micro], [2]) +m4_define([mym4_micro], [3]) # Below is m4 magic to extract and compute the git revision number, # the decimalized short revision number, a beta version string and a @@ -52,7 +52,7 @@ AC_INIT([mym4_package],[mym4_version],[https://bugs.gnupg.org]) # Please remember to document interface changes in the NEWS file. LIBKSBA_LT_CURRENT=22 LIBKSBA_LT_AGE=14 -LIBKSBA_LT_REVISION=2 +LIBKSBA_LT_REVISION=3 #------------------- # If the API is changed in an incompatible way: increment the next counter. KSBA_CONFIG_API_VERSION=1 diff --git a/doc/ksba.info b/doc/ksba.info index 63a62fc..c3f1ce3 100644 --- a/doc/ksba.info +++ b/doc/ksba.info @@ -8,8 +8,8 @@ END-INFO-DIR-ENTRY This file documents the KSBA library to access X.509 and CMS data structures. - This is edition 1.6.2, last updated 12 May 2020, of 'The KSBA -Reference Manual', for Version 1.6.2. + This is edition 1.6.3, last updated 22 November 2022, of 'The KSBA +Reference Manual', for Version 1.6.3. Copyright (C) 2002, 2003, 2004 g10 Code GmbH @@ -25,8 +25,8 @@ File: ksba.info, Node: Top, Next: Introduction, Up: (dir) Main Menu ********* -This is edition 1.6.2, last updated 12 May 2020, of 'The KSBA Reference -Manual', for Version 1.6.2 of the KSBA library. +This is edition 1.6.3, last updated 22 November 2022, of 'The KSBA +Reference Manual', for Version 1.6.3 of the KSBA library. Copyright (C) 2002, 2003, 2004 g10 Code GmbH 
@@ -228,33 +228,34 @@ which the header file is located to the compiler's include file search path (via the '-I' option). However, the path to the include file is determined at the time the -source is configured. To solve this problem, 'KSBA' ships with a small -helper program 'ksba-config' that knows about the path to the include -file and other configuration options. The options that need to be added -to the compiler invocation at compile time are output by the '--cflags' -option of 'ksba-config'. The following example shows how it can be used -at the command line: +source is configured. To solve this problem, 'KSBA' ships with +'ksba.pc' file, that knows about the path to the include file and other +configuration options. The options that need to be added to the +compiler invocation at compile time are output by the '--cflags' option +of 'pkg-config ksba'. The following example shows how it can be used at +the command line: - gcc -c foo.c `ksba-config --cflags` + gcc -c foo.c `pkg-config --cflags ksba` - Adding the output of 'ksba-config --cflags' to the compiler's command -line will ensure that the compiler can find the 'ksba.h' header file. + Adding the output of 'pkg-config --cflags ksba' to the compiler's +command line will ensure that the compiler can find the 'ksba.h' header +file. A similar problem occurs when linking the program with the library. Again, the compiler has to find the library files. For this to work, the path to the library files has to be added to the library search path -(via the '-L' option). For this, the option '--libs' of 'ksba-config' -can be used. For convenience, this option also outputs all other +(via the '-L' option). For this, the option '--libs' of 'pkg-config +ksba' can be used. For convenience, this option also outputs all other options that are required to link the program with the 'KSBA' libraries (in particular, the '-lksba' option). The example shows how to link 'foo.o' with the 'KSBA' libraries to a program 'foo'. 
- gcc -o foo foo.o `ksba-config --libs` + gcc -o foo foo.o `pkg-config --libs ksba` Of course you can also combine both examples to a single command by -specifying both options to 'ksba-config': +specifying both options to 'pkg-config ksba': - gcc -o foo foo.c `ksba-config --cflags --libs` + gcc -o foo foo.c `pkg-config --cflags --libs ksba` File: ksba.info, Node: Certificate Handling, Next: CMS, Prev: Preparation, Up: Top @@ -1870,33 +1871,33 @@ Function and Data Index Tag Table: -Node: Top738 -Node: Introduction2768 -Node: Getting Started3046 -Node: Features3912 -Node: Overview5003 -Node: Preparation5252 -Node: Header5735 -Node: Version Check6331 -Node: Building the source7423 -Node: Certificate Handling9267 -Node: Creating certificates10248 -Node: Retrieving attributes12709 -Node: Setting attributes26927 -Node: User data27192 -Node: CMS29112 -Node: CMS Basics29571 -Node: CMS Parser31634 -Node: CRLs35612 -Node: PKCS1035895 -Node: Utilities36156 -Node: Names36560 -Node: OIDs38872 -Node: DNs39076 -Node: Error Handling40207 -Node: Component Labels41562 -Node: Copying43125 -Node: Concept Index80652 -Node: Function and Data Index80780 +Node: Top743 +Node: Introduction2778 +Node: Getting Started3056 +Node: Features3922 +Node: Overview5013 +Node: Preparation5262 +Node: Header5745 +Node: Version Check6341 +Node: Building the source7433 +Node: Certificate Handling9284 +Node: Creating certificates10265 +Node: Retrieving attributes12726 +Node: Setting attributes26944 +Node: User data27209 +Node: CMS29129 +Node: CMS Basics29588 +Node: CMS Parser31651 +Node: CRLs35629 +Node: PKCS1035912 +Node: Utilities36173 +Node: Names36577 +Node: OIDs38889 +Node: DNs39093 +Node: Error Handling40224 +Node: Component Labels41579 +Node: Copying43142 +Node: Concept Index80669 +Node: Function and Data Index80797 End Tag Table diff --git a/doc/ksba.texi b/doc/ksba.texi index 65cf10c..97a806b 100644 --- a/doc/ksba.texi +++ b/doc/ksba.texi 
@@ -259,18 +259,18 @@ which the header file is located to the compiler's include file search path (via the @option{-I} option). However, the path to the include file is determined at the time the -source is configured. To solve this problem, `KSBA' ships with a small -helper program @command{ksba-config} that knows about the path to the -include file and other configuration options. The options that need to -be added to the compiler invocation at compile time are output by the -@option{--cflags} option of @command{ksba-config}. The following +source is configured. To solve this problem, `KSBA' ships with +@code{ksba.pc} file, that knows about the path to the include file and +other configuration options. The options that need to be added to the +compiler invocation at compile time are output by the +@option{--cflags} option of @command{pkg-config ksba}. The following example shows how it can be used at the command line: @example -gcc -c foo.c `ksba-config --cflags` +gcc -c foo.c `pkg-config --cflags ksba` @end example -Adding the output of @samp{ksba-config --cflags} to the compiler's +Adding the output of @samp{pkg-config --cflags ksba} to the compiler's command line will ensure that the compiler can find the @file{ksba.h} header file. 
@@ -278,21 +278,21 @@ A similar problem occurs when linking the program with the library. Again, the compiler has to find the library files. For this to work, the path to the library files has to be added to the library search path (via the @option{-L} option). For this, the option @option{--libs} of -@command{ksba-config} can be used. For convenience, this option also +@command{pkg-config ksba} can be used. For convenience, this option also outputs all other options that are required to link the program with the `KSBA' libraries (in particular, the @samp{-lksba} option). The example shows how to link @file{foo.o} with the `KSBA' libraries to a program @command{foo}. @example -gcc -o foo foo.o `ksba-config --libs` +gcc -o foo foo.o `pkg-config --libs ksba` @end example Of course you can also combine both examples to a single command by -specifying both options to @command{ksba-config}: +specifying both options to @command{pkg-config ksba}: @example -gcc -o foo foo.c `ksba-config --cflags --libs` +gcc -o foo foo.c `pkg-config --cflags --libs ksba` @end example diff --git a/doc/stamp-vti b/doc/stamp-vti index 729de08..b3c98cf 100644 --- a/doc/stamp-vti +++ b/doc/stamp-vti @@ -1,4 +1,4 @@ -@set UPDATED 12 May 2020 -@set UPDATED-MONTH May 2020 -@set EDITION 1.6.2 -@set VERSION 1.6.2 +@set UPDATED 22 November 2022 +@set UPDATED-MONTH November 2022 +@set EDITION 1.6.3 +@set VERSION 1.6.3 diff --git a/doc/version.texi b/doc/version.texi index 729de08..b3c98cf 100644 --- a/doc/version.texi +++ b/doc/version.texi @@ -1,4 +1,4 @@ -@set UPDATED 12 May 2020 -@set UPDATED-MONTH May 2020 -@set EDITION 1.6.2 -@set VERSION 1.6.2 +@set UPDATED 22 November 2022 +@set UPDATED-MONTH November 2022 +@set EDITION 1.6.3 +@set VERSION 1.6.3 diff --git a/m4/gpg-error.m4 b/m4/gpg-error.m4 index 4b5cd40..a975e53 100644 --- a/m4/gpg-error.m4 +++ b/m4/gpg-error.m4 
@@ -10,7 +10,7 @@
 # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
 # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 #
-# Last-changed: 2022-02-15
+# Last-changed: 2022-09-21
 dnl AM_PATH_GPG_ERROR([MINIMUM-VERSION,
@@ -120,6 +120,10 @@ AC_DEFUN([AM_PATH_GPG_ERROR],
 fi
 if test -n "$gpgrt_libdir"; then break; fi
 done
+ if test -z "$libdir_candidates"; then
+ # No valid pkgconfig dir in any of the system directories, fallback
+ gpgrt_libdir=${possible_libdir1}
+ fi
 else
 # When we cannot determine system libdir-format, use this:
 gpgrt_libdir=${possible_libdir1}
diff --git a/m4/libgcrypt.m4 b/m4/libgcrypt.m4
index 19d514f..cd4249e 100644
--- a/m4/libgcrypt.m4
+++ b/m4/libgcrypt.m4
@@ -9,7 +9,7 @@
 # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
 # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 #
-# Last-changed: 2020-09-27
+# Last-changed: 2022-11-01
 dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION,
@@ -40,7 +40,7 @@ AC_DEFUN([AM_PATH_LIBGCRYPT],
 fi
 use_gpgrt_config=""
- if test x"${LIBGCRYPT_CONFIG}" = x -a x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
+ if test x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
 if $GPGRT_CONFIG libgcrypt --exists; then
 LIBGCRYPT_CONFIG="$GPGRT_CONFIG libgcrypt"
 AC_MSG_NOTICE([Use gpgrt-config as libgcrypt-config])
@@ -1349,7 +1349,7 @@ parse_signature (ksba_crl_t crl)
 && !ti.is_constructed) )
 return gpg_error (GPG_ERR_INV_CRL_OBJ);
 n2 = ti.nhdr + ti.length;
- if (n + n2 >= DIM(tmpbuf))
+ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n)
 return gpg_error (GPG_ERR_TOO_LARGE);
 memcpy (tmpbuf+n, ti.buf, ti.nhdr);
 err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length);
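Review bot: The new wraparound test `(n + n2) < n` in parse_signature only detects overflow when n and n2 are unsigned; their declarations are outside the hunk, and if either is a signed type the addition is undefined behaviour and the compiler is free to drop the comparison. A form that never overflows whatever the types are is `if (n >= DIM(tmpbuf) || n2 >= DIM(tmpbuf) - n)`, which rejects the same inputs without relying on modular arithmetic. The sum `n2 = ti.nhdr + ti.length` on the line above is computed before the check, so it deserves the same scrutiny if ti.length is attacker-controlled and can approach the type's maximum. parse_signature's body begins and ends outside the hunk.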
@@ -46,11 +46,11 @@ extern "C" {
 /* The version of this header should match the one of the library. Do
 * not use this symbol in your application; use assuan_check_version
 * instead. */
-#define KSBA_VERSION "1.6.2"
+#define KSBA_VERSION "1.6.3"
 /* The version number of this header. It may be used to handle minor
 * API incompatibilities. */
-#define KSBA_VERSION_NUMBER 0x010602
+#define KSBA_VERSION_NUMBER 0x010603
diff --git a/src/ksba.m4 b/src/ksba.m4
index 6b55bb8..452c245 100644
--- a/src/ksba.m4
+++ b/src/ksba.m4
@@ -9,7 +9,7 @@
 # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
 # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 #
-# Last-changed: 2020-11-18
+# Last-changed: 2022-11-01
 dnl AM_PATH_KSBA([MINIMUM-VERSION,
 dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
@@ -44,7 +44,7 @@ AC_DEFUN([AM_PATH_KSBA],
 fi
 use_gpgrt_config=""
- if test x"$KSBA_CONFIG" = x -a x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
+ if test x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
 if $GPGRT_CONFIG ksba --exists; then
 KSBA_CONFIG="$GPGRT_CONFIG ksba"
 AC_MSG_NOTICE([Use gpgrt-config as ksba-config])
@@ -721,6 +721,12 @@ parse_response_extensions (ksba_ocsp_t ocsp,
 || memcmp (ocsp->nonce, data, ti.length))
 ocsp->bad_nonce = 1;
 }
+ if (ti.length > (1<<24))
+ {
+ /* Bail out on much too large objects. */
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
 ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
 if (!ex)
 {
@@ -788,6 +794,12 @@ parse_single_extensions (struct ocsp_reqitem_s *ri,
 err = parse_octet_string (&data, &datalen, &ti);
 if (err)
 goto leave;
+ if (ti.length > (1<<24))
+ {
+ /* Bail out on much too large objects. */
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
 ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
 if (!ex)
 {
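Review bot: The limit `(1<<24)` in parse_response_extensions is a bare magic number that the parse_single_extensions hunk repeats verbatim; a named constant such as `#define MAX_EXTENSION_LENGTH (1<<24)` (name constructed) with a comment saying it bounds the `sizeof *ex + strlen (oid) + ti.length` allocation two lines below would keep the two checks in step when one of them is revisited. In parse_response_extensions the check sits after the nonce `memcmp (ocsp->nonce, data, ti.length)` that precedes it in the hunk, while in parse_single_extensions it directly follows parse_octet_string; unless the nonce branch compares lengths before calling memcmp (its condition starts outside the hunk), moving the check up to right after the octet string is parsed would be the consistent and safer placement. The error reported is GPG_ERR_BAD_BER although the object is merely oversized; GPG_ERR_TOO_LARGE, which parse_signature in src/crl.c returns for the same situation, would describe the condition more accurately to callers. Both functions begin and end outside their hunks.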