Hello community, here is the log from the commit of package libotr for openSUSE:Factory checked in at 2016-03-26 15:08:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libotr (Old) and /work/SRC/openSUSE:Factory/.libotr.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libotr" Changes: -------- --- /work/SRC/openSUSE:Factory/libotr/libotr.changes 2014-10-31 18:27:19.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libotr.new/libotr.changes 2016-03-26 15:08:38.000000000 +0100 @@ -1,0 +2,15 @@ +Mon Mar 7 12:46:26 UTC 2016 - astieger@suse.com + +- libotr 4.1.1: + * Fix an integer overflow bug that can cause a heap buffer + overflow (and from there remote code execution) on 64-bit + platforms - CVE-2016-2851 (boo#969785) + * Fix possible free() of an uninitialized pointer + * Be stricter about parsing v3 fragments + * Add a testsuite ("make check" to run it) + * Fix a memory leak when reading a malformed instance tag file + * Protocol documentation clarifications +- add libotr-4.1.1-fix-base64-tests.patch to fix test suite failure +- skip failing tests on ppc architectures + +------------------------------------------------------------------- Old: ---- libotr-4.1.0.tar.gz libotr-4.1.0.tar.gz.asc New: ---- libotr-4.1.1-fix-base64-tests.patch libotr-4.1.1.tar.gz libotr-4.1.1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libotr.spec ++++++ --- /var/tmp/diff_new_pack.9IF7ud/_old 2016-03-26 15:08:39.000000000 +0100 +++ /var/tmp/diff_new_pack.9IF7ud/_new 2016-03-26 15:08:39.000000000 +0100 
@@ -1,7 +1,7 @@ # # spec file for package libotr # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,18 +17,17 @@ Name: libotr -Version: 4.1.0 +Version: 4.1.1 Release: 0 Summary: "Off The Record" messaging library toolkit License: LGPL-2.1 and GPL-2.0 Group: Development/Libraries/C and C++ Url: https://www.cypherpunks.ca/otr/ Source: https://www.cypherpunks.ca/otr/%{name}-%{version}.tar.gz -# http://www.cypherpunks.ca/otr/gpgkey.asc Source1: https://www.cypherpunks.ca/otr/%{name}-%{version}.tar.gz.asc -Source2: libotr.keyring -BuildRequires: libgcrypt-devel -BuildRequires: libtool +Source2: http://www.cypherpunks.ca/otr/gpgkey.asc#/libotr.keyring +Patch0: libotr-4.1.1-fix-base64-tests.patch +BuildRequires: libgcrypt-devel >= 1.2.0 BuildRequires: pkgconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -93,9 +92,10 @@ %prep %setup -q +%patch0 -p1 %build -%ifarch %{arm} +%ifarch %arm export CFLAGS="%{optflags} -O1" %else export CFLAGS="%{optflags}" @@ -104,10 +104,13 @@ make %{?_smp_mflags} %check +# https://bugs.otr.im/issues/129 +%ifnarch ppc ppc64 ppc64le make %{?_smp_mflags} check +%endif %install -make DESTDIR=%{buildroot} install %{?_smp_mflags} +make %{?_smp_mflags} DESTDIR=%{buildroot} install rm -f %{buildroot}%{_libdir}/libotr.la %files tools @@ -131,7 +134,6 @@ %{_libdir}/pkgconfig/libotr.pc %post -n libotr5 -p /sbin/ldconfig - %postun -n libotr5 -p /sbin/ldconfig %changelog ++++++ libotr-4.1.1-fix-base64-tests.patch ++++++
From 635755b57f6e750dbfc9356eda54d7a4366b8965 Mon Sep 17 00:00:00 2001 From: Andreas Stieger <astieger@suse.com> Date: Mon, 7 Mar 2016 08:12:19 -0500 Subject: [PATCH] Test: fix test_otrl_base64_otr_decode References: https://bugs.otr.im/issues/91 Upstream: in review
otrl_base64_decode does not null terminate the output buffer, therefore the string compare operation in the test must be passed the length. Signed-off-by: Andreas Stieger <astieger@suse.com> Signed-off-by: David Goulet <dgoulet@ev0ke.net> --- tests/unit/test_b64.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tests/unit/test_b64.c b/tests/unit/test_b64.c index 6d55992..e29b831 100644 --- a/tests/unit/test_b64.c +++ b/tests/unit/test_b64.c @@ -26,7 +26,7 @@ GCRY_THREAD_OPTION_PTHREAD_IMPL; -#define NUM_TESTS 10 +#define NUM_TESTS 11 const char *alphanum_encoded = "?OTR:" "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY3ODkwCg==" "."; @@ -64,8 +64,9 @@ static void test_otrl_base64_otr_decode(void) ok(otrl_base64_otr_decode(alphanum_encoded, &bufp, &len) == 0, "Call with valid data successfull"); - ok(strcmp((const char*)bufp, alphanum_decoded) == 0 - && len == 37, "Decoded valid b64 test vector with success"); + ok(len == 37, "Decoded valid b64 test vector with correct length"); + ok(strncmp((const char*)bufp, alphanum_decoded, len) == 0, + "Decoded valid b64 test vector with success"); free(bufp); bufp = NULL; len = 0; -- 2.6.2 ++++++ libotr-4.1.0.tar.gz -> libotr-4.1.1.tar.gz ++++++ ++++ 17774 lines of diff (skipped) ++++++ libotr.keyring ++++++ --- /var/tmp/diff_new_pack.9IF7ud/_old 2016-03-26 15:08:39.000000000 +0100 +++ /var/tmp/diff_new_pack.9IF7ud/_new 2016-03-26 15:08:39.000000000 +0100 
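Review bot: In libotr.changes, the entry "skip failing tests on ppc architectures" carries no reference, although the spec cites https://bugs.otr.im/issues/129 for exactly that skip, and the entry for libotr-4.1.1-fix-base64-tests.patch omits https://bugs.otr.im/issues/91, which the patch header names. Add both references to the changelog lines so the workarounds can be traced without opening the spec or the patch.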
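Review bot: In the libotr.spec hunk at -17,18 +17,17, the new Source2 line points at http://www.cypherpunks.ca/otr/gpgkey.asc#/libotr.keyring while Source and Source1 directly above it use https://www.cypherpunks.ca/otr/. The keyring is what the Source1 signature is checked against, so it should not be the one file referenced over plain HTTP; switch Source2 to the https:// URL. The same hunk drops "BuildRequires: libtool" and adds a ">= 1.2.0" floor on libgcrypt-devel, and neither change appears in the libotr.changes entry; one line for each there would help the next maintainer.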
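Review bot: In the %check hunk of libotr.spec, "%ifnarch ppc ppc64 ppc64le" disables the whole "make check" run on those architectures, so the newly added test suite gives no signal there for a release whose changelog lists a heap buffer overflow fix (CVE-2016-2851). The only explanation is the bare URL https://bugs.otr.im/issues/129; add a one-line comment saying which tests fail and why, and consider limiting the skip to those tests, or keeping the run non-fatal on ppc, so the results still show up in the build log.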
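Review bot: In tests/unit/test_b64.c, the new "strncmp((const char*)bufp, alphanum_decoded, len)" takes its bound from the len the decoder returned, and the length check now sits in a separate ok(), so a decoder that returned a short or zero length would still pass the content comparison on a prefix or on nothing. Tie the two together in the content check, for example "len == strlen(alphanum_decoded) && memcmp(bufp, alphanum_decoded, len) == 0"; memcmp also avoids strncmp stopping early at an embedded NUL, which fits the commit message's point that the output buffer is not a C string.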