Hello community,
here is the log from the commit of package libsoup for openSUSE:11.4
checked in at Fri Jul 29 18:12:28 CEST 2011.
Patchinfo file has no description
--------
--- old-versions/11.4/all/libsoup/libsoup.changes 2010-11-30 10:36:16.000000000 +0100
+++ 11.4/libsoup/libsoup.changes 2011-07-29 10:21:22.000000000 +0200
@@ -1,0 +2,9 @@
+Fri Jul 29 10:18:00 CEST 2011 - vuntz(a)opensuse.org
+
+- Add libsoup-CVE-2011-2524.patch: Fixed a security hole that
+ caused some SoupServer users to unintentionally allow accessing
+ the entire local filesystem when they thought they were only
+ providing access to a single directory. Fix bnc#706630,
+ CVE-2011-2524.
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.4/all/libsoup
Destination is old-versions/11.4/UPDATES/all/libsoup
calling whatdependson for 11.4-i586
New:
----
libsoup-CVE-2011-2524.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libsoup.spec ++++++
--- /var/tmp/diff_new_pack.qpY9I8/_old 2011-07-29 18:12:05.000000000 +0200
+++ /var/tmp/diff_new_pack.qpY9I8/_new 2011-07-29 18:12:05.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package libsoup (Version 2.32.2)
+# spec file for package libsoup
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
Name: libsoup
Summary: HTTP client/server library for GNOME
Version: 2.32.2
-Release: 1
+Release: 3.<RELEASE4>
License: LGPLv2.1+
Group: Development/Libraries/GNOME
Url: http://www.gnome.org
@@ -29,6 +29,8 @@
Source99: baselibs.conf
# PATCH-FIX-OPENSUSE libsoup-gnutls-allow-tls.patch bnc#634040 vuntz(a)opensuse.org -- Allow TLS usage instead of being SSL 3.0-only. Upstream does not want this, and rewriting a lot of code is needed to fix this correctly. However, the openSUSE security team wants TLS to be used if possible. This might lead to some websites being not accessible with libsoup.
Patch0: libsoup-gnutls-allow-tls.patch
+# PATCH-FIX-UPSTREAM libsoup-CVE-2011-2524.patch bnc#706630 CVE-2011-2524 vuntz(a)opensuse.org -- filesystem exposure flaw due to bad parsing of ".."
+Patch1: libsoup-CVE-2011-2524.patch
BuildRequires: gconf2-devel
BuildRequires: glib2-devel
BuildRequires: gnutls-devel
@@ -115,6 +117,7 @@
%prep
%setup -q
%patch0 -p1
+%patch1 -p1
%build
%configure\
++++++ libsoup-CVE-2011-2524.patch ++++++
>From cbeeb7a0f7f0e8b16f2d382157496f9100218dea Mon Sep 17 00:00:00 2001
From: Dan Winship <danw(a)gnome.org>
Date: Wed, 29 Jun 2011 14:04:06 +0000
Subject: SoupServer: fix to not allow smuggling ".." into path
When SoupServer:raw-paths was set (the default), it was possible to
sneak ".." segments into the path passed to the SoupServerHandler,
which could then end up tricking some handlers into retrieving
arbitrary files from the filesystem. Fix that.
https://bugzilla.gnome.org/show_bug.cgi?id=653258
---
diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c
index d56efd1..7225337 100644
--- a/libsoup/soup-server.c
+++ b/libsoup/soup-server.c
@@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClientContext *client)
uri = soup_message_get_uri (req);
decoded_path = soup_uri_decode (uri->path);
+
+ if (strstr (decoded_path, "/../") ||
+ g_str_has_suffix (decoded_path, "/..")) {
+ /* Introducing new ".." segments is not allowed */
+ g_free (decoded_path);
+ soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST);
+ return;
+ }
+
soup_uri_set_path (uri, decoded_path);
g_free (decoded_path);
}
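Review bot: the new check rejects `/../` anywhere in decoded_path and a trailing `/..`, but a path consisting of `..` segments with no leading slash would pass both tests; if every path reaching got_headers is guaranteed to start with `/`, a one-line comment saying so would make the reasoning explicit, otherwise a `g_str_has_prefix (decoded_path, "../")` case belongs here too. Because the test runs on the result of soup_uri_decode, encoded spellings of the same segment are covered, which is worth stating in the comment as well. The early `return` also skips `soup_uri_set_path`, so `uri` keeps its original encoded path; confirm that the caller treats the SOUP_STATUS_BAD_REQUEST set here as "do not dispatch to the handler", since nothing in this hunk prevents dispatch by itself.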
--
cgit v0.9
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-commit+help(a)opensuse.org
Hello community,
here is the log from the commit of package pwdutils for openSUSE:11.4
checked in at Fri Jul 29 18:11:30 CEST 2011.
Patchinfo file has no description
--------
--- old-versions/11.4/all/pwdutils/pwdutils.changes 2011-02-02 13:05:56.000000000 +0100
+++ 11.4/pwdutils/pwdutils.changes 2011-07-20 17:21:36.000000000 +0200
@@ -1,0 +2,5 @@
+Wed Jul 20 15:18:37 UTC 2011 - lnussel(a)suse.de
+
+- change blowfish id from 2a to 2y (bnc#700876, CVE-2011-2483)
+
+-------------------------------------------------------------------
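Review bot: the changelog entry covers only the `2a` to `2y` switch; the same submission also adds `Requires: libxcrypt-crypt_blowfish >= 1.2` and ships `BLOWFISH_2a2x=yes` in /etc/default/passwd, which changes how existing `$2a` hashes are verified, so both should be mentioned here for anyone reading the update notes.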
Package does not exist at destination yet. Using Fallback old-versions/11.4/all/pwdutils
Destination is old-versions/11.4/UPDATES/all/pwdutils
calling whatdependson for 11.4-i586
New:
----
pwdutils-3.2.14-CVE-2011-2483.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pwdutils.spec ++++++
--- /var/tmp/diff_new_pack.yWtTws/_old 2011-07-29 18:11:18.000000000 +0200
+++ /var/tmp/diff_new_pack.yWtTws/_new 2011-07-29 18:11:18.000000000 +0200
@@ -29,14 +29,16 @@
Group: System/Base
AutoReqProv: on
Version: 3.2.14
-Release: 1
+Release: 4.<RELEASE5>
Summary: Utilities to Manage User and Group Accounts
Requires: pam-modules
+Requires: libxcrypt-crypt_blowfish >= 1.2
Source: pwdutils-%{version}.tar.bz2
Source2: ldap.conf
Source3: useradd.default
Source4: baselibs.conf
Patch0: %{name}-selinux-useradd.patch
+Patch1: pwdutils-3.2.14-CVE-2011-2483.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -77,6 +79,7 @@
%prep
%setup -q
%patch0
+%patch1 -p1
%build
%configure --with-ldap-conf-file=/etc/ldap.conf \
++++++ pwdutils-3.2.14-CVE-2011-2483.diff ++++++
Index: pwdutils-3.2.14/src/chpasswd.c
===================================================================
--- pwdutils-3.2.14.orig/src/chpasswd.c
+++ pwdutils-3.2.14/src/chpasswd.c
@@ -342,7 +342,7 @@ main (int argc, char *argv[])
/* blowfish has a limit of 72 characters */
if (use_crypt == BLOWFISH && strlen (cp) > 72)
cp[72] = '\0';
- salt = make_crypt_salt ("$2a$", 0 /* XXX crypt_rounds */);
+ salt = make_crypt_salt ("$2y$", 0 /* XXX crypt_rounds */);
if (salt != NULL)
pw_data->newpassword = strdup (crypt_r (cp, salt, &output));
else
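Review bot: the salt identifier change is the right fix, but the surrounding lines still pass `0 /* XXX crypt_rounds */` to make_crypt_salt even though the shipped /etc/default/passwd sets `BLOWFISH_CRYPT_FILES=10`; the configured cost factor should be wired through here rather than left at the library default with an XXX. The silent truncation `cp[72] = '\0'` also deserves at least a comment that characters beyond 72 are discarded rather than rejected.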
Index: pwdutils-3.2.14/src/gpasswd.c
===================================================================
--- pwdutils-3.2.14.orig/src/gpasswd.c
+++ pwdutils-3.2.14/src/gpasswd.c
@@ -432,7 +432,7 @@ main (int argc, char **argv)
/* blowfish has a limit of 72 characters */
if (use_crypt == BLOWFISH && strlen (p1) > 72)
p1[72] = '\0';
- salt = make_crypt_salt ("$2a$", 0 /* XXX crypt_rounds */);
+ salt = make_crypt_salt ("$2y$", 0 /* XXX crypt_rounds */);
if (salt != NULL)
gr_data->newpassword = strdup (crypt_r (p1, salt, &output));
else
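Review bot: this is the same one-token change as in chpasswd.c, and the `"$2a$"` literal had to be found and edited separately in both files; suggest one shared constant for the blowfish prefix so the next identifier change cannot miss a call site. The `$2y$` prefix is only meaningful to a crypt that knows the new identifiers, which is presumably why the spec adds `Requires: libxcrypt-crypt_blowfish >= 1.2`; a comment at this call site pointing at that dependency would help.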
Index: pwdutils-3.2.14/etc/default/passwd
===================================================================
--- pwdutils-3.2.14.orig/etc/default/passwd
+++ pwdutils-3.2.14/etc/default/passwd
@@ -26,3 +26,20 @@ BLOWFISH_CRYPT_FILES=10
# For NIS, we should always use DES:
CRYPT_YP=des
+
+# In June 2011 it was discovered that the Linux crypt_blowfish
+# implementation contained a bug that made passwords with non-ASCII
+# characters easier to crack (CVE-2011-2483). Affected passwords are
+# also incompatible with the original, correct OpenBSD
+# implementation. Therefore the $2a hash identifier previously used
+# for blowfish now is ambiguous as it could mean the hash was
+# generated with the correct implementation on OpenBSD or the buggy
+# one on Linux. To avoid the ambiguity two new identifier were
+# introduced. $2x now explicitly identifies hashes that were
+# generated with the buggy algorithm while $2y is used for hashes
+# generated with the correct algorithm. New passwords are now
+# generated with the $2y identifier.
+#
+# Setting the following option to "yes" tells the sytem that $2a
+# hashes are to be treated as generated with the buggy algorithm.
+BLOWFISH_2a2x=yes
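Review bot: two typos in the new comment, `two new identifier were` (identifiers) and `tells the sytem` (system). More importantly, `BLOWFISH_2a2x=yes` makes every existing `$2a` hash be treated as produced by the buggy algorithm, which is correct for hashes generated locally by the old Linux code but, as the comment itself notes, wrong for `$2a` hashes produced by the correct OpenBSD implementation; the comment should say that an administrator who imported such hashes must set this to `no`, and that, since only passwords with non-ASCII characters are affected, ASCII-only passwords verify either way.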
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hello community,
here is the log from the commit of package glibc for openSUSE:11.4
checked in at Fri Jul 29 18:08:13 CEST 2011.
Patchinfo file has no description
--------
--- old-versions/11.4/all/glibc/glibc.changes 2011-02-22 13:33:00.000000000 +0100
+++ 11.4/glibc/glibc.changes 2011-07-27 10:18:08.000000000 +0200
@@ -1,0 +2,7 @@
+Tue Jul 19 11:55:41 UTC 2011 - lnussel(a)suse.de
+
+- update crypt_blowfish to version 1.2 (bnc#700876, CVE-2011-2483)
+ * due to the signedness bug fix 2a hashes are incompatible with
+ previous versions if the password contains 8bit chracters!
+
+-------------------------------------------------------------------
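Review bot: typo `chracters` in the new entry. The entry also omits that crypt_blowfish-noasm.diff disables the i386 assembly path (`BF_ASM 0`) in the same update, which is a performance-relevant change worth a line.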
Package does not exist at destination yet. Using Fallback old-versions/11.4/all/glibc
Destination is old-versions/11.4/UPDATES/all/glibc
calling whatdependson for 11.4-i586
Old:
----
minmem
New:
----
crypt_blowfish-1.2.tar.gz
crypt_blowfish-1.2.tar.gz.sign
crypt_blowfish-noasm.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ glibc.spec ++++++
--- /var/tmp/diff_new_pack.Ro7xfn/_old 2011-07-29 18:07:34.000000000 +0200
+++ /var/tmp/diff_new_pack.Ro7xfn/_new 2011-07-29 18:07:34.000000000 +0200
@@ -17,6 +17,7 @@
# norootforbuild
+%define crypt_bf_version 1.2
Name: glibc
BuildRequires: gcc-c++ libstdc++-devel
@@ -64,7 +65,7 @@
Provides: rtld(GNU_HASH)
AutoReqProv: on
Version: 2.11.3
-Release: 12.<RELEASE2>
+Release: 12.<RELEASE17>
Url: http://www.gnu.org/software/libc/libc.html
PreReq: filesystem
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -80,6 +81,8 @@
Source12: glibc_post_upgrade.c
Source15: glibc.rpmlintrc
Source16: baselibs.conf
+Source50: http://www.openwall.com/crypt/crypt_blowfish-%{crypt_bf_version}.tar.gz
+Source51: http://www.openwall.com/crypt/crypt_blowfish-%{crypt_bf_version}.tar.gz.sign
%if %_target_cpu == "i686"
# We need to avoid to have only the src rpm from i686 on the media,
# since it does not work on other architectures.
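Review bot: Source51 pulls in the upstream `.sign` file, but nothing in the visible %prep changes verifies the tarball against it; either add a verification step (or point at the source-validation mechanism that does it) or drop the `.sign` source, since listing a signature that is never checked gives a false sense of provenance.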
@@ -92,6 +95,7 @@
Patch3: glibc-resolv-reload.diff
Patch4: glibc-2.3.locales.diff.bz2
Patch5: crypt_blowfish-1.0-suse.diff
+Patch6: crypt_blowfish-noasm.diff
Patch7: glibc-version.diff
Patch8: glibc-2.4.90-revert-only-euro.diff
Patch9: glibc-2.3-regcomp.diff
@@ -292,11 +296,12 @@
# add glibc-ports for arm
# this is CURRENTLY BROKEN; ARM-interested contributors need to provide
# new tested glibc-ports source
-%setup -n glibc-%{version} -q -a 2 -a 3 -a 4
+%setup -n glibc-%{version} -q -a 2 -a 3 -a 4 -a 50
%else
# any other leave out ports
-%setup -n glibc-%{version} -q -a 3 -a 4
+%setup -n glibc-%{version} -q -a 3 -a 4 -a 50
%endif
+mv crypt_blowfish-%crypt_bf_version/crypt_blowfish.[ch] crypt/
%patch0
# libNoVersion part is only active on ix86
%patch1
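Review bot: the `mv crypt_blowfish-%crypt_bf_version/crypt_blowfish.[ch] crypt/` line replaces the in-tree sources before `%patch5` (crypt_blowfish-1.0-suse.diff) is applied, and the file list above shows that diff was reworked (773 lines changed) for the 1.2 sources while keeping `1.0` in its name; rename it to match the version it now targets. Note also that the glob copies only the .c and .h files and not any assembly source the tarball may carry, which is consistent with crypt_blowfish-noasm.diff turning BF_ASM off, but that dependency between the two steps should be stated in a comment.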
@@ -304,6 +309,7 @@
%patch3
%patch4
%patch5
+%patch6
%patch7
%patch8
%patch9
++++++ crypt_blowfish-1.0-suse.diff ++++++
++++ 773 lines (skipped)
++++ between old-versions/11.4/all/glibc/crypt_blowfish-1.0-suse.diff
++++ and 11.4/glibc/crypt_blowfish-1.0-suse.diff
++++++ crypt_blowfish-noasm.diff ++++++
Index: crypt/crypt_blowfish.c
===================================================================
--- crypt/crypt_blowfish.c.orig
+++ crypt/crypt_blowfish.c
@@ -54,7 +54,7 @@
#include "crypt_blowfish.h"
#ifdef __i386__
-#define BF_ASM 1
+#define BF_ASM 0
#define BF_SCALE 1
#elif defined(__x86_64__) || defined(__alpha__) || defined(__hppa__)
#define BF_ASM 0
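Review bot: forcing `BF_ASM 0` on i386 makes the build use the portable C implementation, which matches the %prep step that copies only `crypt_blowfish.[ch]` into `crypt/`, but the diff carries no comment explaining why the assembly path is disabled; add one so the next person updating crypt_blowfish does not revert it, and be aware that it costs some hashing throughput on 32-bit x86.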
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hello community,
here is the log from the commit of package libsoup for openSUSE:11.3
checked in at Fri Jul 29 18:08:01 CEST 2011.
Patchinfo file has no description
--------
--- old-versions/11.3/all/libsoup/libsoup.changes 2010-05-03 11:13:46.000000000 +0200
+++ 11.3/libsoup/libsoup.changes 2011-07-29 10:20:41.000000000 +0200
@@ -1,0 +2,9 @@
+Fri Jul 29 10:18:00 CEST 2011 - vuntz(a)opensuse.org
+
+- Add libsoup-CVE-2011-2524.patch: Fixed a security hole that
+ caused some SoupServer users to unintentionally allow accessing
+ the entire local filesystem when they thought they were only
+ providing access to a single directory. Fix bnc#706630,
+ CVE-2011-2524.
+
+-------------------------------------------------------------------
Package does not exist at destination yet. Using Fallback old-versions/11.3/all/libsoup
Destination is old-versions/11.3/UPDATES/all/libsoup
calling whatdependson for 11.3-i586
New:
----
libsoup-CVE-2011-2524.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libsoup.spec ++++++
--- /var/tmp/diff_new_pack.jTMmki/_old 2011-07-29 18:07:21.000000000 +0200
+++ /var/tmp/diff_new_pack.jTMmki/_new 2011-07-29 18:07:21.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package libsoup (Version 2.30.1)
+# spec file for package libsoup
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -38,9 +38,11 @@
#
Summary: HTTP client/server library for GNOME
Version: 2.30.1
-Release: 1
+Release: 2.<RELEASE2>
Source: ftp://ftp.gnome.org/pub/GNOME/stable/sources/libsoup/2.2/%{name}-%{version}…
Source99: baselibs.conf
+# PATCH-FIX-UPSTREAM libsoup-CVE-2011-2524.patch bnc#706630 CVE-2011-2524 vuntz(a)opensuse.org -- filesystem exposure flaw due to bad parsing of ".."
+Patch0: libsoup-CVE-2011-2524.patch
Url: http://www.gnome.org
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Requires: %{name}-2_4-1 = %{version}
@@ -111,6 +113,7 @@
%prep
%setup -q
+%patch0 -p1
%build
%configure\
++++++ libsoup-CVE-2011-2524.patch ++++++
>From cbeeb7a0f7f0e8b16f2d382157496f9100218dea Mon Sep 17 00:00:00 2001
From: Dan Winship <danw(a)gnome.org>
Date: Wed, 29 Jun 2011 14:04:06 +0000
Subject: SoupServer: fix to not allow smuggling ".." into path
When SoupServer:raw-paths was set (the default), it was possible to
sneak ".." segments into the path passed to the SoupServerHandler,
which could then end up tricking some handlers into retrieving
arbitrary files from the filesystem. Fix that.
https://bugzilla.gnome.org/show_bug.cgi?id=653258
---
diff --git a/libsoup/soup-server.c b/libsoup/soup-server.c
index d56efd1..7225337 100644
--- a/libsoup/soup-server.c
+++ b/libsoup/soup-server.c
@@ -779,6 +779,15 @@ got_headers (SoupMessage *req, SoupClientContext *client)
uri = soup_message_get_uri (req);
decoded_path = soup_uri_decode (uri->path);
+
+ if (strstr (decoded_path, "/../") ||
+ g_str_has_suffix (decoded_path, "/..")) {
+ /* Introducing new ".." segments is not allowed */
+ g_free (decoded_path);
+ soup_message_set_status (req, SOUP_STATUS_BAD_REQUEST);
+ return;
+ }
+
soup_uri_set_path (uri, decoded_path);
g_free (decoded_path);
}
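Review bot: the patch touches only libsoup/soup-server.c and adds no regression test exercising the rejected `/../` and trailing `/..` cases; a bug of this kind regresses silently, so a test asserting the 400 response for those paths would be worth carrying alongside the fix. A comment on the early `return` noting that it relies on the caller honouring the status already set, rather than dispatching the handler anyway, would also make the contract explicit.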
--
cgit v0.9
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++