Hello community,
here is the log from the commit of package sequoia-octopus-librnp for
openSUSE:Factory checked in at 2025-08-22 17:48:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sequoia-octopus-librnp (Old)
and /work/SRC/openSUSE:Factory/.sequoia-octopus-librnp.new.29662 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sequoia-octopus-librnp"
Fri Aug 22 17:48:31 2025 rev:9 rq:1300843 version:1.11.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/sequoia-octopus-librnp/sequoia-octopus-librnp.changes
2025-05-08 20:39:59.504507259 +0200
+++
/work/SRC/openSUSE:Factory/.sequoia-octopus-librnp.new.29662/sequoia-octopus-librnp.changes
2025-08-22 17:49:10.987397125 +0200
@@ -1,0 +2,12 @@
+Wed Aug 6 18:06:21 UTC 2025 - Adam Mizerski <[email protected]>
+
+- update to 1.11.1
+ - This release fixes a DoS attack. An attacker can create an
+ OpenPGP message that includes a zip bomb. Instead of aborting
+ after having parsed a certain amount of data, the Octopus would
+ parse the whole message. When processing a message that contains
+ a zip bomb, this would cause Thunderbird to freeze for an
+ unacceptably long time. This issue was reported by codean via our
+ YesWeHack bug bounty program.
+
+-------------------------------------------------------------------
Old:
----
sequoia-octopus-librnp-1.11.0.tar.xz
New:
----
sequoia-octopus-librnp-1.11.1.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sequoia-octopus-librnp.spec ++++++
--- /var/tmp/diff_new_pack.ObpsxT/_old 2025-08-22 17:49:15.579588465 +0200
+++ /var/tmp/diff_new_pack.ObpsxT/_new 2025-08-22 17:49:15.595589132 +0200
@@ -16,7 +16,7 @@
#
Name: sequoia-octopus-librnp
-Version: 1.11.0
+Version: 1.11.1
Release: 0
Summary: librnp drop-in replacement using sequoia-pgp
License: LGPL-2.0-or-later
@@ -25,9 +25,9 @@
Source0: %{name}-%{version}.tar.xz
Source1: vendor.tar.xz
BuildRequires: cargo-packaging
-BuildRequires: cargo1.84
+BuildRequires: cargo1.85
BuildRequires: clang-devel
-BuildRequires: rust1.84
+BuildRequires: rust1.85
BuildRequires: pkgconfig(nettle)
BuildRequires: pkgconfig(openssl)
BuildRequires: pkgconfig(sqlite3)
++++++ _service ++++++
--- /var/tmp/diff_new_pack.ObpsxT/_old 2025-08-22 17:49:15.943603632 +0200
+++ /var/tmp/diff_new_pack.ObpsxT/_new 2025-08-22 17:49:15.999605966 +0200
@@ -3,7 +3,7 @@
<param
name="url">https://gitlab.com/sequoia-pgp/sequoia-octopus-librnp.git</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="scm">git</param>
- <param name="revision">v1.11.0</param>
+ <param name="revision">v1.11.1</param>
<param name="match-tag">*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="versionrewrite-replacement">\1</param>
++++++ sequoia-octopus-librnp-1.11.0.tar.xz ->
sequoia-octopus-librnp-1.11.1.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sequoia-octopus-librnp-1.11.0/Cargo.lock
new/sequoia-octopus-librnp-1.11.1/Cargo.lock
--- old/sequoia-octopus-librnp-1.11.0/Cargo.lock 2025-03-12
17:21:01.000000000 +0100
+++ new/sequoia-octopus-librnp-1.11.1/Cargo.lock 2025-07-08
14:11:00.000000000 +0200
@@ -1,6 +1,6 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
-version = 3
+version = 4
[[package]]
name = "addr2line"
@@ -482,9 +482,9 @@
[[package]]
name = "crossbeam-channel"
-version = "0.5.14"
+version = "0.5.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "06ba6d68e24814cb8de6bb986db8222d3a027d15872cabc0d18817bc3c0e4471"
+checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2"
dependencies = [
"crossbeam-utils",
]
@@ -1576,6 +1576,17 @@
]
[[package]]
+name = "io-uring"
+version = "0.7.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b86e202f00093dcba4275d4636b93ef9dd75d025ae560d2521b45ea28ab49013"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "libc",
+]
+
+[[package]]
name = "ipconfig"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -2081,9 +2092,9 @@
[[package]]
name = "openssl"
-version = "0.10.71"
+version = "0.10.73"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e14130c6a98cd258fdcb0fb6d744152343ff729cbfcb28c656a9d12b999fbcd"
+checksum = "8505734d46c8ab1e19a1dce3aef597ad87dcb4c37e7188231769bd6bd51cebf8"
dependencies = [
"bitflags",
"cfg-if",
@@ -2113,9 +2124,9 @@
[[package]]
name = "openssl-sys"
-version = "0.9.106"
+version = "0.9.109"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8bb61ea9811cc39e3c2069f40b8b8e2e70d8569b361f879786cc7ed48b777cdd"
+checksum = "90096e2e47630d78b7d1c20952dc621f957103f8bc2c8359ec81290d75238571"
dependencies = [
"cc",
"libc",
@@ -2747,7 +2758,7 @@
[[package]]
name = "sequoia-octopus-librnp"
-version = "1.11.0"
+version = "1.11.1"
dependencies = [
"anyhow",
"chrono",
@@ -2771,7 +2782,7 @@
"serde",
"serde_json",
"tempfile",
- "thiserror 2.0.12",
+ "thiserror 1.0.69",
"tokio",
"vergen",
]
@@ -3223,15 +3234,17 @@
[[package]]
name = "tokio"
-version = "1.44.0"
+version = "1.46.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9975ea0f48b5aa3972bf2d888c238182458437cc2a19374b81b25cdf1023fb3a"
+checksum = "0cc3a2344dafbe23a245241fe8b09735b521110d30fcefbbd5feb1797ca35d17"
dependencies = [
"backtrace",
"bytes",
+ "io-uring",
"libc",
"mio",
"pin-project-lite",
+ "slab",
"socket2",
"tokio-macros",
"windows-sys 0.52.0",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sequoia-octopus-librnp-1.11.0/Cargo.toml
new/sequoia-octopus-librnp-1.11.1/Cargo.toml
--- old/sequoia-octopus-librnp-1.11.0/Cargo.toml 2025-03-12
17:21:01.000000000 +0100
+++ new/sequoia-octopus-librnp-1.11.1/Cargo.toml 2025-07-08
14:11:00.000000000 +0200
@@ -1,7 +1,7 @@
[package]
name = "sequoia-octopus-librnp"
description = "Reimplementation of RNP's interface using Sequoia for use with
Thunderbird"
-version = "1.11.0"
+version = "1.11.1"
authors = [
"Justus Winter <[email protected]>",
"Neal H. Walfield <[email protected]>",
@@ -16,7 +16,7 @@
license = "LGPL-2.0-or-later"
edition = "2021"
build = "build.rs"
-rust-version = "1.79"
+rust-version = "1.85"
[badges]
gitlab = { repository = "sequoia-pgp/sequoia-octopus-librnp" }
@@ -52,6 +52,15 @@
rusqlite = { version = ">=0.24, <0.32", features = ["bundled"] }
[build-dependencies]
+
+[target.'cfg(windows)'.build-dependencies]
+# Use the git command line tool to get the version.
+# https://docs.rs/vergen/8.3.2/vergen/index.html
+vergen = { version = "8", default-features = false, features = ["git",
"gitcl"] }
+
+[target.'cfg(not(windows))'.build-dependencies]
+# Use the git library to get the version.
+# https://docs.rs/vergen/8.3.2/vergen/index.html
vergen = { version = "8", default-features = false, features = ["git", "git2"]
}
[lib]
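Review bot: The split leaves the original `[build-dependencies]` table empty, immediately followed by the two target-specific tables; either drop the empty header or put a comment under it such as `# Build dependencies are platform-specific; see the target tables below.` so it is not read as an accidental leftover. The two comments already explain the `gitcl` versus `git2` choice; saying why the Windows build avoids the library path would complete the rationale, but that reason is inferred rather than stated in the hunk.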
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/sequoia-octopus-librnp-1.11.0/src/dump_packets/dump.rs
new/sequoia-octopus-librnp-1.11.1/src/dump_packets/dump.rs
--- old/sequoia-octopus-librnp-1.11.0/src/dump_packets/dump.rs 2025-03-12
17:21:01.000000000 +0100
+++ new/sequoia-octopus-librnp-1.11.1/src/dump_packets/dump.rs 2025-07-08
14:11:00.000000000 +0200
@@ -106,12 +106,20 @@
#[allow(clippy::redundant_pattern_matching)]
pub fn dump<W>(input: &mut (dyn io::Read + Sync + Send),
output: &mut dyn io::Write,
+ max_decompressed_literal_data: Option<usize>,
mpis: bool, hex: bool,
sk: Option<&SessionKey>,
width: W)
-> Result<Kind>
where W: Into<Option<usize>>
{
+ rnp_function!(dump, crate::TRACE);
+
+ // If no limit is supplied, stop after 100 MB.
+ let max_decompressed_literal_data
+ = max_decompressed_literal_data.unwrap_or(100 * 1024 * 1024);
+ let mut saw_decompression_packet = false;
+
let mut ppr
= self::openpgp::parse::PacketParserBuilder::from_reader(input)?;
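Review bot: `max_decompressed_literal_data` is a new parameter on a `pub fn` whose meaning is only discoverable from the body; add a `///` line above the `#[allow(...)]` attribute at the top of the hunk, e.g. `/// Abort once a literal packet following compressed data exceeds this many bytes; None selects 100 MiB.`. The inline comment says "100 MB" while the constant is `100 * 1024 * 1024`, i.e. 100 MiB. In the following hunk `literal_data_read` is a local of the `Packet::Literal` arm, so the budget applies to each literal packet separately rather than to the message as a whole; if a per-message budget is intended, the counter belongs next to `saw_decompression_packet` here and should be carried across packets. `dump`'s body continues well past this hunk.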
@@ -145,14 +153,55 @@
skesks.push(p.clone());
vec![]
},
+ Packet::CompressedData(_) => {
+ t!("Encountered compressed data packet. \
+ Activating zip bomb protection.");
+ saw_decompression_packet = true;
+ Vec::new()
+ }
Packet::Literal(_) => {
let mut prefix = vec![0; 40];
let n = pp.read(&mut prefix)?;
- vec![
+ let summary = vec![
format!("Content: {:?}{}",
String::from_utf8_lossy(&prefix[..n]),
if n == prefix.len() { "..." } else { "" }),
- ]
+ ];
+
+ if saw_decompression_packet {
+ // Protect against a possible zip bomb.
+ t!("Zip bomb protection activated. Will abort after \
+ reading more than {} bytes of literal data.",
+ max_decompressed_literal_data);
+
+ const BUFFER_SIZE: usize = 1024 * 1024;
+ let mut buffer = vec![0; BUFFER_SIZE];
+ let mut literal_data_read = prefix.len();
+ while literal_data_read <= max_decompressed_literal_data {
+ let remaining
+ = max_decompressed_literal_data -
literal_data_read + 1;
+
+ let read = pp.read(
+ &mut buffer[..remaining.min(BUFFER_SIZE)])?;
+ if read == 0 {
+ // EOF.
+ break;
+ }
+
+ literal_data_read += read;
+ }
+ t!("Read {} bytes of literal data",
+ literal_data_read);
+
+ if literal_data_read > max_decompressed_literal_data {
+ t!("Zip bomb detected");
+ return Err(crate::Error::BadParameters.into());
+ } else {
+ t!("No zip bomb detected");
+ }
+ }
+
+ summary
},
Packet::SEIP(ref s) => {
let version = s.version();
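Review bot: `let mut literal_data_read = prefix.len();` counts 40 bytes regardless of how many the prefix read actually returned; it should be `let mut literal_data_read = n;`, otherwise a short or empty literal is over-counted and, for a cap below 40 bytes, rejected before the loop even runs. The loop itself is sound: the `<=` condition keeps `remaining` from underflowing and a zero-length read ends it. Once `saw_decompression_packet` is set it is never cleared, and only `Packet::Literal` bodies are measured; a comment stating that the parser is trusted to bound other packet types inside the compressed container would make that assumption explicit. The enclosing `match` and `dump`'s body extend beyond the hunk.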
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sequoia-octopus-librnp-1.11.0/src/dump_packets.rs
new/sequoia-octopus-librnp-1.11.1/src/dump_packets.rs
--- old/sequoia-octopus-librnp-1.11.0/src/dump_packets.rs 2025-03-12
17:21:01.000000000 +0100
+++ new/sequoia-octopus-librnp-1.11.1/src/dump_packets.rs 2025-07-08
14:11:00.000000000 +0200
@@ -30,7 +30,15 @@
// Key grips are a proprietary GnuPG extension. No.
let _dump_grip = flags & RNP_DUMP_GRIP > 0;
- rnp_try_or!(dump::dump(input, output, dump_mpis, dump_hex, None, None),
+ let max_decompressed_literal_data
+ = if let RnpOutput::Buf((_buf, Some(max))) = output {
+ Some(*max)
+ } else {
+ None
+ };
+
+ rnp_try_or!(dump::dump(input, output, max_decompressed_literal_data,
+ dump_mpis, dump_hex, None, None),
RNP_ERROR_GENERIC);
rnp_success!()
}
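Review bot: Passing the output buffer's size cap (`RnpOutput::Buf((_buf, Some(max)))`) as `max_decompressed_literal_data` equates two different limits — how much dump text the caller will accept and how much decompressed literal data may be read — and nothing in the hunk says why they should be the same; a small output buffer could reject a message whose dump would have fit, since the dump prints only a 40-byte prefix of each literal body. Add a comment above the `let`, e.g. `// Reuse the caller's output-size cap as the decompression budget; with no cap, dump() falls back to its default.`, or pass `None` and let the default apply. The `*max` deref suggests `max` is borrowed as `&usize`, but the `RnpOutput` definition is not visible here. The enclosing function starts before this hunk.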
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/sequoia-octopus-librnp-1.11.0/src/lib.rs
new/sequoia-octopus-librnp-1.11.1/src/lib.rs
--- old/sequoia-octopus-librnp-1.11.0/src/lib.rs 2025-03-12
17:21:01.000000000 +0100
+++ new/sequoia-octopus-librnp-1.11.1/src/lib.rs 2025-07-08
14:11:00.000000000 +0200
@@ -32,10 +32,12 @@
UserID,
},
policy::{
+ HashAlgoSecurity,
NullPolicy,
StandardPolicy,
},
serialize::Serialize,
+ types::HashAlgorithm,
};
/// Controls tracing.
@@ -169,12 +171,12 @@
plaintext_cache: recombine::PlaintextCache,
}
-type RnpPasswordCb = unsafe extern fn(*mut RnpContext,
- *mut c_void,
- *const RnpKey,
- *const c_char,
- *mut c_char,
- size_t) -> bool;
+type RnpPasswordCb = unsafe extern "C" fn(*mut RnpContext,
+ *mut c_void,
+ *const RnpKey,
+ *const c_char,
+ *mut c_char,
+ size_t) -> bool;
#[no_mangle] pub unsafe extern "C"
fn rnp_ffi_create(ctx: *mut *mut RnpContext,
@@ -252,7 +254,29 @@
if let Err(e) = policy.parse_default_config() {
global_warn!("Reading crypto policy: {}", e);
}
- let policy = policy.build();
+ let mut policy = policy.build();
+
+ // Thunderbird checks that MD5 and SHA-1 for self-signatures are
+ // disabled and refuses to fully initialize RNP otherwise. Meet
+ // its expectations.
+
+ let now = std::time::SystemTime::now();
+ for (algo, prop) in [
+ (HashAlgorithm::MD5, HashAlgoSecurity::CollisionResistance),
+ (HashAlgorithm::MD5, HashAlgoSecurity::SecondPreImageResistance),
+ (HashAlgorithm::SHA1, HashAlgoSecurity::CollisionResistance),
+ ]
+ {
+ let cutoff = policy.hash_cutoff(algo, prop);
+ t!("{} for {:?}: {:?}", algo, prop, cutoff);
+ if cutoff.unwrap_or(now) >= now {
+ warn!("Your crypto policy enables {} in contexts where {:?} is \
+ needed ({:?}). Unconditionally rejecting it.",
+ algo, prop, cutoff);
+ policy.reject_hash_property_at(
+ algo, prop, std::time::UNIX_EPOCH);
+ }
+ }
*ctx = Box::into_raw(Box::new(RnpContext {
policy: Arc::new(RwLock::new(policy)),
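Review bot: `cutoff.unwrap_or(now) >= now` relies on `None` meaning the policy never rejects the algorithm for that property, and the list omits `SHA1` with `SecondPreImageResistance` while naming both properties for MD5; neither is explained, so add `// None: the policy never rejects this use; treat it like a future cutoff.` above the `if` and a sentence in the block comment saying why SHA-1 second-preimage use is left to the configured policy. `global_warn!` is used at the top of the hunk for the policy-file error while the new loop uses `warn!` in the same pre-context section; if the two macros route differently, the new one should match — not determinable from this hunk. The enclosing function starts and ends outside the hunk.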
++++++ vendor.tar.xz ++++++
/work/SRC/openSUSE:Factory/sequoia-octopus-librnp/vendor.tar.xz
/work/SRC/openSUSE:Factory/.sequoia-octopus-librnp.new.29662/vendor.tar.xz
differ: char 15, line 1