+2022-12-06 Werner Koch <wk@gnupg.org>
+
+ Release 1.6.3.
+ + commit bffa9b346071725363a483db547e7dced9721cb5
+
+
+2022-11-23 Werner Koch <wk@gnupg.org>
+
+ Fix an integer overflow in the CRL signature parser.
+ + commit f61a5ea4e0f6a80fd4b28ef0174bee77793cf070
+ * src/crl.c (parse_signature): N+N2 now checked for overflow.
+
+ * src/ocsp.c (parse_response_extensions): Do not accept too large
+ values.
+ (parse_single_extensions): Ditto.
+
+2022-11-02 NIIBE Yutaka <gniibe@fsij.org>
+
+ build: Update m4/libgcrypt.m4.
+ + commit 4076b60f7cef4fddc3d30f6e6d4078081dbc7167
+ * m4/libgcrypt.m4: Update from libgcrypt master.
+
+2022-11-01 NIIBE Yutaka <gniibe@fsij.org>
+
+ build: Prefer gpgrt-config when available.
+ + commit 13307b22882a220d206341e1196e74fd37418c2f
+ * src/ksba.m4: Overriding the decision by --with-libksba-prefix, use
+ gpgrt-config ksba when gpgrt-config is available.
+
+2022-10-24 NIIBE Yutaka <gniibe@fsij.org>
+
+ build: Update gpg-error.m4.
+ + commit c3c1627f34234e3d54fe1f3411ac499dd7e3b3b0
+ * m4/gpg-error.m4: Update from libgpg-error 1.46.
+
2022-10-07 Werner Koch <wk@gnupg.org>
Release 1.6.2.
+Noteworthy changes in version 1.6.3 (2022-12-06) [C22/A14/R3]
+------------------------------------------------
+
+ * Fix another integer overflow in the CRL parser. [T6284]
+
+ Release-info: https://dev.gnupg.org/T6304
+
+
Noteworthy changes in version 1.6.2 (2022-10-07) [C22/A14/R2]
------------------------------------------------
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libksba 1.6.2.
+# Generated by GNU Autoconf 2.69 for libksba 1.6.3.
#
# Report bugs to <https://bugs.gnupg.org>.
#
# Identity of this package.
PACKAGE_NAME='libksba'
PACKAGE_TARNAME='libksba'
-PACKAGE_VERSION='1.6.2'
-PACKAGE_STRING='libksba 1.6.2'
+PACKAGE_VERSION='1.6.3'
+PACKAGE_STRING='libksba 1.6.3'
PACKAGE_BUGREPORT='https://bugs.gnupg.org'
PACKAGE_URL=''
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures libksba 1.6.2 to adapt to many kinds of systems.
+\`configure' configures libksba 1.6.3 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of libksba 1.6.2:";;
+ short | recursive ) echo "Configuration of libksba 1.6.3:";;
esac
cat <<\_ACEOF
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-libksba configure 1.6.2
+libksba configure 1.6.3
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by libksba $as_me 1.6.2, which was
+It was created by libksba $as_me 1.6.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
# Please remember to document interface changes in the NEWS file.
LIBKSBA_LT_CURRENT=22
LIBKSBA_LT_AGE=14
-LIBKSBA_LT_REVISION=2
+LIBKSBA_LT_REVISION=3
#-------------------
# If the API is changed in an incompatible way: increment the next counter.
KSBA_CONFIG_API_VERSION=1
# Define the identity of the package.
PACKAGE='libksba'
- VERSION='1.6.2'
+ VERSION='1.6.3'
cat >>confdefs.h <<_ACEOF
-VERSION_NUMBER=0x010602
+VERSION_NUMBER=0x010603
fi
if test -n "$gpgrt_libdir"; then break; fi
done
+ if test -z "$libdir_candidates"; then
+ # No valid pkgconfig dir in any of the system directories, fallback
+ gpgrt_libdir=${possible_libdir1}
+ fi
else
# When we cannot determine system libdir-format, use this:
gpgrt_libdir=${possible_libdir1}
# Generate extended version information for W32.
if test "$have_w32_system" = yes; then
BUILD_FILEVERSION=`echo "$VERSION" | sed 's/\([0-9.]*\).*/\1./;s/\./,/g'`
- BUILD_FILEVERSION="${BUILD_FILEVERSION}10625"
+ BUILD_FILEVERSION="${BUILD_FILEVERSION}49146"
fi
-BUILD_REVISION="2981495"
+BUILD_REVISION="bffa9b3"
cat >>confdefs.h <<_ACEOF
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by libksba $as_me 1.6.2, which was
+This file was extended by libksba $as_me 1.6.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-libksba config.status 1.6.2
+libksba config.status 1.6.3
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
echo "
Libksba v${VERSION} has been configured as follows:
- Revision: 2981495 (10625)
+ Revision: bffa9b3 (49146)
Platform: $host
"
m4_define([mym4_package],[libksba])
m4_define([mym4_major], [1])
m4_define([mym4_minor], [6])
-m4_define([mym4_micro], [2])
+m4_define([mym4_micro], [3])
# Below is m4 magic to extract and compute the git revision number,
# the decimalized short revision number, a beta version string and a
# Please remember to document interface changes in the NEWS file.
LIBKSBA_LT_CURRENT=22
LIBKSBA_LT_AGE=14
-LIBKSBA_LT_REVISION=2
+LIBKSBA_LT_REVISION=3
#-------------------
# If the API is changed in an incompatible way: increment the next counter.
KSBA_CONFIG_API_VERSION=1
This file documents the KSBA library to access X.509 and CMS data
structures.
- This is edition 1.6.2, last updated 12 May 2020, of 'The KSBA
-Reference Manual', for Version 1.6.2.
+ This is edition 1.6.3, last updated 22 November 2022, of 'The KSBA
+Reference Manual', for Version 1.6.3.
Copyright (C) 2002, 2003, 2004 g10 Code GmbH
Main Menu
*********
-This is edition 1.6.2, last updated 12 May 2020, of 'The KSBA Reference
-Manual', for Version 1.6.2 of the KSBA library.
+This is edition 1.6.3, last updated 22 November 2022, of 'The KSBA
+Reference Manual', for Version 1.6.3 of the KSBA library.
Copyright (C) 2002, 2003, 2004 g10 Code GmbH
path (via the '-I' option).
However, the path to the include file is determined at the time the
-source is configured. To solve this problem, 'KSBA' ships with a small
-helper program 'ksba-config' that knows about the path to the include
-file and other configuration options. The options that need to be added
-to the compiler invocation at compile time are output by the '--cflags'
-option of 'ksba-config'. The following example shows how it can be used
-at the command line:
+source is configured. To solve this problem, 'KSBA' ships with
+'ksba.pc' file, that knows about the path to the include file and other
+configuration options. The options that need to be added to the
+compiler invocation at compile time are output by the '--cflags' option
+of 'pkg-config ksba'. The following example shows how it can be used at
+the command line:
- gcc -c foo.c `ksba-config --cflags`
+ gcc -c foo.c `pkg-config --cflags ksba`
- Adding the output of 'ksba-config --cflags' to the compiler's command
-line will ensure that the compiler can find the 'ksba.h' header file.
+ Adding the output of 'pkg-config --cflags ksba' to the compiler's
+command line will ensure that the compiler can find the 'ksba.h' header
+file.
A similar problem occurs when linking the program with the library.
Again, the compiler has to find the library files. For this to work,
the path to the library files has to be added to the library search path
-(via the '-L' option). For this, the option '--libs' of 'ksba-config'
-can be used. For convenience, this option also outputs all other
+(via the '-L' option). For this, the option '--libs' of 'pkg-config
+ksba' can be used. For convenience, this option also outputs all other
options that are required to link the program with the 'KSBA' libraries
(in particular, the '-lksba' option). The example shows how to link
'foo.o' with the 'KSBA' libraries to a program 'foo'.
- gcc -o foo foo.o `ksba-config --libs`
+ gcc -o foo foo.o `pkg-config --libs ksba`
Of course you can also combine both examples to a single command by
-specifying both options to 'ksba-config':
+specifying both options to 'pkg-config ksba':
- gcc -o foo foo.c `ksba-config --cflags --libs`
+ gcc -o foo foo.c `pkg-config --cflags --libs ksba`
\1f
File: ksba.info, Node: Certificate Handling, Next: CMS, Prev: Preparation, Up: Top
\1f
Tag Table:
-Node: Top\7f738
-Node: Introduction\7f2768
-Node: Getting Started\7f3046
-Node: Features\7f3912
-Node: Overview\7f5003
-Node: Preparation\7f5252
-Node: Header\7f5735
-Node: Version Check\7f6331
-Node: Building the source\7f7423
-Node: Certificate Handling\7f9267
-Node: Creating certificates\7f10248
-Node: Retrieving attributes\7f12709
-Node: Setting attributes\7f26927
-Node: User data\7f27192
-Node: CMS\7f29112
-Node: CMS Basics\7f29571
-Node: CMS Parser\7f31634
-Node: CRLs\7f35612
-Node: PKCS10\7f35895
-Node: Utilities\7f36156
-Node: Names\7f36560
-Node: OIDs\7f38872
-Node: DNs\7f39076
-Node: Error Handling\7f40207
-Node: Component Labels\7f41562
-Node: Copying\7f43125
-Node: Concept Index\7f80652
-Node: Function and Data Index\7f80780
+Node: Top\7f743
+Node: Introduction\7f2778
+Node: Getting Started\7f3056
+Node: Features\7f3922
+Node: Overview\7f5013
+Node: Preparation\7f5262
+Node: Header\7f5745
+Node: Version Check\7f6341
+Node: Building the source\7f7433
+Node: Certificate Handling\7f9284
+Node: Creating certificates\7f10265
+Node: Retrieving attributes\7f12726
+Node: Setting attributes\7f26944
+Node: User data\7f27209
+Node: CMS\7f29129
+Node: CMS Basics\7f29588
+Node: CMS Parser\7f31651
+Node: CRLs\7f35629
+Node: PKCS10\7f35912
+Node: Utilities\7f36173
+Node: Names\7f36577
+Node: OIDs\7f38889
+Node: DNs\7f39093
+Node: Error Handling\7f40224
+Node: Component Labels\7f41579
+Node: Copying\7f43142
+Node: Concept Index\7f80669
+Node: Function and Data Index\7f80797
\1f
End Tag Table
path (via the @option{-I} option).
However, the path to the include file is determined at the time the
-source is configured. To solve this problem, `KSBA' ships with a small
-helper program @command{ksba-config} that knows about the path to the
-include file and other configuration options. The options that need to
-be added to the compiler invocation at compile time are output by the
-@option{--cflags} option of @command{ksba-config}. The following
+source is configured. To solve this problem, `KSBA' ships with
+@code{ksba.pc} file, that knows about the path to the include file and
+other configuration options. The options that need to be added to the
+compiler invocation at compile time are output by the
+@option{--cflags} option of @command{pkg-config ksba}. The following
example shows how it can be used at the command line:
@example
-gcc -c foo.c `ksba-config --cflags`
+gcc -c foo.c `pkg-config --cflags ksba`
@end example
-Adding the output of @samp{ksba-config --cflags} to the compiler's
+Adding the output of @samp{pkg-config --cflags ksba} to the compiler's
command line will ensure that the compiler can find the @file{ksba.h}
header file.
Again, the compiler has to find the library files. For this to work,
the path to the library files has to be added to the library search path
(via the @option{-L} option). For this, the option @option{--libs} of
-@command{ksba-config} can be used. For convenience, this option also
+@command{pkg-config ksba} can be used. For convenience, this option also
outputs all other options that are required to link the program with the
`KSBA' libraries (in particular, the @samp{-lksba} option). The
example shows how to link @file{foo.o} with the `KSBA' libraries to a
program @command{foo}.
@example
-gcc -o foo foo.o `ksba-config --libs`
+gcc -o foo foo.o `pkg-config --libs ksba`
@end example
Of course you can also combine both examples to a single command by
-specifying both options to @command{ksba-config}:
+specifying both options to @command{pkg-config ksba}:
@example
-gcc -o foo foo.c `ksba-config --cflags --libs`
+gcc -o foo foo.c `pkg-config --cflags --libs ksba`
@end example
-@set UPDATED 12 May 2020
-@set UPDATED-MONTH May 2020
-@set EDITION 1.6.2
-@set VERSION 1.6.2
+@set UPDATED 22 November 2022
+@set UPDATED-MONTH November 2022
+@set EDITION 1.6.3
+@set VERSION 1.6.3
-@set UPDATED 12 May 2020
-@set UPDATED-MONTH May 2020
-@set EDITION 1.6.2
-@set VERSION 1.6.2
+@set UPDATED 22 November 2022
+@set UPDATED-MONTH November 2022
+@set EDITION 1.6.3
+@set VERSION 1.6.3
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
-# Last-changed: 2022-02-15
+# Last-changed: 2022-09-21
dnl AM_PATH_GPG_ERROR([MINIMUM-VERSION,
fi
if test -n "$gpgrt_libdir"; then break; fi
done
+ if test -z "$libdir_candidates"; then
+ # No valid pkgconfig dir in any of the system directories, fallback
+ gpgrt_libdir=${possible_libdir1}
+ fi
else
# When we cannot determine system libdir-format, use this:
gpgrt_libdir=${possible_libdir1}
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
-# Last-changed: 2020-09-27
+# Last-changed: 2022-11-01
dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION,
fi
use_gpgrt_config=""
- if test x"${LIBGCRYPT_CONFIG}" = x -a x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
+ if test x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
if $GPGRT_CONFIG libgcrypt --exists; then
LIBGCRYPT_CONFIG="$GPGRT_CONFIG libgcrypt"
AC_MSG_NOTICE([Use gpgrt-config as libgcrypt-config])
&& !ti.is_constructed) )
return gpg_error (GPG_ERR_INV_CRL_OBJ);
n2 = ti.nhdr + ti.length;
- if (n + n2 >= DIM(tmpbuf))
+ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n)
return gpg_error (GPG_ERR_TOO_LARGE);
memcpy (tmpbuf+n, ti.buf, ti.nhdr);
err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length);
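Review bot: The new wrap check on the `n + n2` line covers the outer addition but not the one that produces `n2` on the line above it, `n2 = ti.nhdr + ti.length;`, where both operands come from the BER tag just read; if that sum wraps, `n2` is small, the guard passes, and `read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length)` is still called with the original, oversized `ti.length`. Whether such a length can actually come out of the tag reader, and whether `n` and `n2` are unsigned (the `(n + n2) < n` idiom is only a valid wrap test for unsigned operands; for signed `int` the overflow is UB and a compiler may drop the comparison), depends on declarations outside the hunk and should be confirmed. A form that bounds each operand by subtraction cannot wrap regardless of the types: `if (n >= DIM(tmpbuf) || ti.nhdr >= DIM(tmpbuf) - n || ti.length >= DIM(tmpbuf) - n - ti.nhdr) return gpg_error (GPG_ERR_TOO_LARGE);`. parse_signature starts and ends outside the hunk.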
/* The version of this header should match the one of the library. Do
* not use this symbol in your application; use assuan_check_version
* instead. */
-#define KSBA_VERSION "1.6.2"
+#define KSBA_VERSION "1.6.3"
/* The version number of this header. It may be used to handle minor
* API incompatibilities. */
-#define KSBA_VERSION_NUMBER 0x010602
+#define KSBA_VERSION_NUMBER 0x010603
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
-# Last-changed: 2020-11-18
+# Last-changed: 2022-11-01
dnl AM_PATH_KSBA([MINIMUM-VERSION,
dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
fi
use_gpgrt_config=""
- if test x"$KSBA_CONFIG" = x -a x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
+ if test x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then
if $GPGRT_CONFIG ksba --exists; then
KSBA_CONFIG="$GPGRT_CONFIG ksba"
AC_MSG_NOTICE([Use gpgrt-config as ksba-config])
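Review bot: Dropping the `x"$KSBA_CONFIG" = x` guard means a KSBA_CONFIG the user supplied, or one derived from --with-libksba-prefix as the ChangeLog describes, is silently replaced whenever gpgrt-config is present and reports ksba; the only trace is the generic notice below, which does not say that an explicit setting was discarded. This precedence is a deliberate decision per the ChangeLog, so it should be stated where the next maintainer will read it: a line such as `dnl gpgrt-config takes precedence over an explicit KSBA_CONFIG or --with-libksba-prefix.` above the `if`, and ideally the notice should mention the value being overridden when one was set. How KSBA_CONFIG is derived from the prefix option is outside the hunk, as is the rest of the AM_PATH_KSBA macro.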
|| memcmp (ocsp->nonce, data, ti.length))
ocsp->bad_nonce = 1;
}
+ if (ti.length > (1<<24))
+ {
+ /* Bail out on much too large objects. */
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
if (!ex)
{
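Review bot: The new length check is placed after the `memcmp (ocsp->nonce, data, ti.length)` block, so `ti.length` has already been used once before it is validated; whether that memcmp is guarded by an equality test against the stored nonce length is outside the hunk, and if it is not, the check belongs above that block rather than only in front of the `xtrymalloc`. The error returned here, `GPG_ERR_BAD_BER`, also differs from the `GPG_ERR_TOO_LARGE` that the crl.c hunk in this same release returns for the same class of limit; an over-long but well-formed octet string is not malformed BER, so `err = gpg_error (GPG_ERR_TOO_LARGE);` would be the consistent choice. The enclosing function starts and ends outside the hunk.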
err = parse_octet_string (&data, &datalen, &ti);
if (err)
goto leave;
+ if (ti.length > (1<<24))
+ {
+ /* Bail out on much too large objects. */
+ err = gpg_error (GPG_ERR_BAD_BER);
+ goto leave;
+ }
ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
if (!ex)
{
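Review bot: The bound `(1<<24)` and its comment are now duplicated verbatim in parse_response_extensions and here, with nothing saying why 16 MiB was chosen; a named constant in one place, e.g. `#define MAX_EXTENSION_VALUE_LEN (1<<24)  /* Sanity limit for extension values read from untrusted OCSP data; sizes the xtrymalloc below. */`, keeps the two call sites in step if the limit is ever tuned. As in the sibling hunk, `GPG_ERR_BAD_BER` describes the input as malformed when the only problem is its size; `GPG_ERR_TOO_LARGE`, which the crl.c change in this release uses, is the more accurate code. The enclosing function starts and ends outside the hunk.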