Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package otpclient for openSUSE:Factory
checked in at 2023-11-03 22:20:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/otpclient (Old)
and /work/SRC/openSUSE:Factory/.otpclient.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "otpclient"
Fri Nov 3 22:20:43 2023 rev:30 rq:1123143 version:3.2.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/otpclient/otpclient.changes 2023-10-25
18:04:40.998197539 +0200
+++ /work/SRC/openSUSE:Factory/.otpclient.new.17445/otpclient.changes
2023-11-03 22:21:37.131302657 +0100
@@ -1,0 +2,8 @@
+Fri Nov 3 08:50:47 UTC 2023 - Paolo Stivanin <i...@paolostivanin.com>
+
+- Update to 3.2.1:
+ * FIX: increase secure memory pool to 64 MB, if possible
+ * FIX: parsing of big aegis encrypted json (#309)
+ * FIX: better memory management
+
+-------------------------------------------------------------------
Old:
----
v3.2.0.tar.gz
v3.2.0.tar.gz.asc
New:
----
v3.2.1.tar.gz
v3.2.1.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ otpclient.spec ++++++
--- /var/tmp/diff_new_pack.kjZwIh/_old 2023-11-03 22:21:37.823328114 +0100
+++ /var/tmp/diff_new_pack.kjZwIh/_new 2023-11-03 22:21:37.823328114 +0100
@@ -18,7 +18,7 @@
%define uclname OTPClient
Name: otpclient
-Version: 3.2.0
+Version: 3.2.1
Release: 0
Summary: Simple GTK+ client for managing TOTP and HOTP
License: GPL-3.0-or-later
++++++ v3.2.0.tar.gz -> v3.2.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/OTPClient-3.2.0/CMakeLists.txt
new/OTPClient-3.2.1/CMakeLists.txt
--- old/OTPClient-3.2.0/CMakeLists.txt 2023-10-25 09:29:16.000000000 +0200
+++ new/OTPClient-3.2.1/CMakeLists.txt 2023-11-03 08:25:56.000000000 +0100
@@ -1,5 +1,5 @@
cmake_minimum_required(VERSION 3.16)
-project(OTPClient VERSION "3.2.0" LANGUAGES "C")
+project(OTPClient VERSION "3.2.1" LANGUAGES "C")
include(GNUInstallDirs)
configure_file("src/common/version.h.in" "version.h")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/OTPClient-3.2.0/data/com.github.paolostivanin.OTPClient.appdata.xml
new/OTPClient-3.2.1/data/com.github.paolostivanin.OTPClient.appdata.xml
--- old/OTPClient-3.2.0/data/com.github.paolostivanin.OTPClient.appdata.xml
2023-10-25 09:29:16.000000000 +0200
+++ new/OTPClient-3.2.1/data/com.github.paolostivanin.OTPClient.appdata.xml
2023-11-03 08:25:56.000000000 +0100
@@ -84,6 +84,15 @@
</content_rating>
<releases>
+ <release version="3.2.1" date="2023-10-31">
+ <description>
+ <p>OTPClient 3.2.1 fixes a couple of issues.</p>
+ <ul>
+ <li>FIX: increase secure memory pool to 64 MB, if possible</li>
+ <li>FIX: parsing of big aegis encrypted json</li>
+ </ul>
+ </description>
+ </release>
<release version="3.2.0" date="2023-10-25">
<description>
<p>OTPClient 3.2.0 fixes a couple of issues.</p>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/OTPClient-3.2.0/src/app.c
new/OTPClient-3.2.1/src/app.c
--- old/OTPClient-3.2.0/src/app.c 2023-10-25 09:29:16.000000000 +0200
+++ new/OTPClient-3.2.1/src/app.c 2023-11-03 08:25:56.000000000 +0100
@@ -179,7 +179,7 @@
}
#endif
- if (max_file_size < (96 * 1024) && get_warn_data () == TRUE) {
+ if (max_file_size < LOW_MEMLOCK_VALUE && get_warn_data () == TRUE) {
if (show_memlock_warn_dialog (max_file_size, app_data->builder) ==
TRUE) {
g_free (app_data->db_data);
g_free (app_data);
@@ -742,6 +742,7 @@
save_window_size (w, h);
g_object_unref (app_data->builder);
g_free (app_data);
+ gcry_control (GCRYCTL_TERM_SECMEM);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/OTPClient-3.2.0/src/common/aegis.c
new/OTPClient-3.2.1/src/common/aegis.c
--- old/OTPClient-3.2.0/src/common/aegis.c 2023-10-25 09:29:16.000000000
+0200
+++ new/OTPClient-3.2.1/src/common/aegis.c 2023-11-03 08:25:56.000000000
+0100
@@ -98,6 +98,7 @@
g_free (key_nonce);
g_free (key_tag);
gcry_free (keybuf);
+ json_decref (json);
return NULL;
}
@@ -108,6 +109,7 @@
g_free (key_nonce);
g_free (key_tag);
gcry_free (keybuf);
+ json_decref (json);
return NULL;
}
@@ -121,6 +123,7 @@
gcry_free (master_key);
gcry_free (keybuf);
gcry_cipher_close (hd);
+ json_decref (json);
return NULL;
}
gpg_error_t gpg_err = gcry_cipher_checktag (hd, key_tag, TAG_SIZE);
@@ -133,6 +136,7 @@
gcry_free (master_key);
gcry_free (keybuf);
gcry_cipher_close (hd);
+ json_decref (json);
return NULL;
}
@@ -151,20 +155,24 @@
g_free (tag);
g_free (nonce);
gcry_free (master_key);
+ json_decref (json);
return NULL;
}
gsize out_len;
- guchar *b64decoded_db = g_base64_decode_secure (json_string_value
(json_object_get (json, "db")), &out_len);
+ guchar *b64decoded_db = g_base64_decode (json_string_value
(json_object_get (json, "db")), &out_len);
if (out_len > max_file_size) {
g_set_error (err, file_too_big_gquark (), FILE_TOO_BIG, "File is too
big");
g_free (tag);
g_free (nonce);
gcry_free (master_key);
- gcry_free (b64decoded_db);
+ g_free (b64decoded_db);
gcry_cipher_close (hd);
+ json_decref (json);
return NULL;
}
+ // we no longer need the json object, so we can free up some secure memory
+ json_decref (json);
gchar *decrypted_db = gcry_calloc_secure (out_len, 1);
gpg_err = gcry_cipher_decrypt (hd, decrypted_db, out_len, b64decoded_db,
out_len);
@@ -175,24 +183,30 @@
if (gpg_err != 0) {
g_set_error (err, bad_tag_gquark (), BAD_TAG_ERRCODE, "Invalid TAG
(database). Either the password is wrong or the file is corrupted.");
clean_and_exit:
+ g_free (b64decoded_db);
g_free (nonce);
g_free (tag);
gcry_free (master_key);
gcry_free (decrypted_db);
- gcry_free (b64decoded_db);
gcry_cipher_close (hd);
return NULL;
}
+ g_free (b64decoded_db);
g_free (nonce);
g_free (tag);
gcry_cipher_close (hd);
gcry_free (master_key);
- gcry_free (b64decoded_db);
- GSList *otps = parse_json_data (decrypted_db, err);
+ // we remove the icon field (and the icon_mime while at it too) because it
uses lots of secure memory for nothing
+ GRegex *regex = g_regex_new
(".*\"icon\":(\\s)*\".*\",\\n|.*\"icon_mime\":(\\s)*\".*\",\\n",
G_REGEX_MULTILINE, 0, NULL);
+ gchar *cleaned_db = secure_strdup (g_regex_replace (regex, decrypted_db,
-1, 0, "", 0, NULL));
+ g_regex_unref (regex);
gcry_free (decrypted_db);
+ GSList *otps = parse_json_data (cleaned_db, err);
+ gcry_free (cleaned_db);
+
return otps;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/OTPClient-3.2.0/src/common/common.c
new/OTPClient-3.2.1/src/common/common.c
--- old/OTPClient-3.2.0/src/common/common.c 2023-10-25 09:29:16.000000000
+0200
+++ new/OTPClient-3.2.1/src/common/common.c 2023-11-03 08:25:56.000000000
+0100
@@ -1,12 +1,10 @@
#include <glib.h>
#include <sys/resource.h>
#include <cotp.h>
-#ifdef COTP_OLD_LIB
-#include <baseencode.h>
-#endif
#include <glib/gi18n.h>
#include "gcrypt.h"
#include "jansson.h"
+#include "common.h"
#include "../google-migration.pb-c.h"
gint32
@@ -17,13 +15,13 @@
if (getrlimit (RLIMIT_MEMLOCK, &r) == -1) {
// couldn't get memlock limit, so falling back to a default, low value
g_print ("[WARNING] your OS's memlock limit may be too low for you
(64000 bytes). Please have a look at %s\n", link);
- return 64000;
+ return LOW_MEMLOCK_VALUE;
} else {
- if (r.rlim_cur == -1 || r.rlim_cur > 4194304) {
- // memlock is either unlimited or bigger than needed
- return 4194304;
+ if (r.rlim_cur == -1 || r.rlim_cur > MEMLOCK_VALUE) {
+ // memlock is either unlimited or bigger than needed, so
defaulting to 'MEMLOCK_VALUE'
+ return MEMLOCK_VALUE;
} else {
- // memlock is less than 4 MB
+ // memlock is less than 'MEMLOCK_VALUE'
g_print ("[WARNING] your OS's memlock limit may be too low for you
(current value: %d bytes).\n"
"This may cause issues when importing third parties
databases or dealing with tens of tokens.\n"
"For information on how to increase the memlock value,
please have a look at %s\n", (gint32)r.rlim_cur, link);
@@ -36,8 +34,8 @@
gchar *
init_libs (gint32 max_file_size)
{
- if (!gcry_check_version ("1.6.0")) {
- return g_strdup ("The required version of GCrypt is 1.6.0 or
greater.");
+ if (!gcry_check_version ("1.8.0")) {
+ return g_strdup ("The required version of GCrypt is 1.8.0 or
greater.");
}
if (gcry_control (GCRYCTL_INIT_SECMEM, max_file_size, 0)) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/OTPClient-3.2.0/src/common/common.h
new/OTPClient-3.2.1/src/common/common.h
--- old/OTPClient-3.2.0/src/common/common.h 2023-10-25 09:29:16.000000000
+0200
+++ new/OTPClient-3.2.1/src/common/common.h 2023-11-03 08:25:56.000000000
+0100
@@ -12,6 +12,9 @@
#define g_memdupX g_memdup
#endif
+#define LOW_MEMLOCK_VALUE 65536 //64KB
+#define MEMLOCK_VALUE 67108864 //64MB
+
gint32 get_max_file_size_from_memlock (void);
gchar *init_libs (gint32 max_file_size);
