Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package uriparser for openSUSE:Factory checked in at 2024-05-13 17:58:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/uriparser (Old) and /work/SRC/openSUSE:Factory/.uriparser.new.1880 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "uriparser" Mon May 13 17:58:27 2024 rev:12 rq:1173614 version:0.9.8 Changes: -------- --- /work/SRC/openSUSE:Factory/uriparser/uriparser.changes 2022-10-18 12:46:04.997871732 +0200 +++ /work/SRC/openSUSE:Factory/.uriparser.new.1880/uriparser.changes 2024-05-13 17:59:04.544072761 +0200 
@@ -1,0 +2,29 @@ +Mon May 6 07:38:07 UTC 2024 - Gus Kenion <gus.ken...@suse.com> + +- update to 0.9.8 (bsc#1223887, bsc#1223888): + * Fixed: [CVE-2024-34402] + Protect against integer overflow in ComposeQueryEngine + (GitHub #183, GitHub #185) + * Fixed: [CVE-2024-34403] + Protect against integer overflow in ComposeQueryMallocExMm + (GitHub #183, GitHub #186) + * Changed: Require CMake >=3.5.0 (GitHub #172) Added: CMake + option URIPARSER_SHARED_LIBS=(ON|OFF) to control, + whether to produce a shared or static library for uriparser + and that alone, falls back to standard BUILD_SHARED_LIBS if + available, else defaults to "ON" (GitHub #169, GitHub #170) + * Improved: Document that scheme-based normalization a la + section 6.2.3 of RFC 3986 is a responsibility of the + application using uriparser (GitHub #173, GitHub #174) + * Improved: Document supported code points for functions + uriEscape(Ex)W + (GitHub #171, GitHub #175) + * Infrastructure: Update Clang from 15 to 18 (GitHub #161, GitHub + #187) Infrastructure: Adapt to breaking changes in Clang + packaging (GitHub #160) Infrastructure: Get sanitizer CFLAGS + and LDFLAGS back in sync (GitHub #161) Infrastructure: Pin + GitHub Actions to specific commits for security (GitHub #165) + * Soname: 1:31:0 â see https://verbump.de/ for what these numbers + do + +------------------------------------------------------------------- Old: ---- uriparser-0.9.7.tar.xz New: ---- uriparser-0.9.8.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ uriparser.spec ++++++ --- /var/tmp/diff_new_pack.IV7jUl/_old 2024-05-13 17:59:05.116093632 +0200 +++ /var/tmp/diff_new_pack.IV7jUl/_new 2024-05-13 17:59:05.120093778 +0200 
@@ -1,7 +1,7 @@ # # spec file for package uriparser # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ %define so_ver 1 Name: uriparser -Version: 0.9.7 +Version: 0.9.8 Release: 0 Summary: A strictly RFC 3986 compliant URI parsing library License: BSD-3-Clause AND LGPL-2.1-or-later ++++++ uriparser-0.9.7.tar.xz -> uriparser-0.9.8.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uriparser-0.9.7/.github/workflows/build-and-test.yml new/uriparser-0.9.8/.github/workflows/build-and-test.yml --- old/uriparser-0.9.7/.github/workflows/build-and-test.yml 2022-10-05 16:36:09.000000000 +0200 +++ new/uriparser-0.9.8/.github/workflows/build-and-test.yml 2024-05-05 17:47:44.000000000 +0200 @@ -17,14 +17,14 @@ include: - name: Native Linux cmake_args: >- - -DCMAKE_C_COMPILER=clang-15 - -DCMAKE_CXX_COMPILER=clang++-15 + -DCMAKE_C_COMPILER=clang-18 + -DCMAKE_CXX_COMPILER=clang++-18 cflags: >- -fsanitize=address,undefined,leak -fno-sanitize-recover=all -fno-omit-frame-pointer ldflags: >- - -fsanitize=address + -fsanitize=address,undefined,leak - name: MingGW on Linux cmake_args: >- -DCMAKE_C_COMPILER=i686-w64-mingw32-gcc @@ -34,7 +34,7 @@ -DMINGW=ON runs-on: ubuntu-20.04 steps: - - uses: actions/checkout@v3.0.2 + - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4 - name: Add Clang/LLVM repositories (Non-MinGW) if: "${{ ! contains(matrix.cmake_args, 'mingw') }}" 
@@ -42,7 +42,7 @@ set -x source /etc/os-release wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add - - sudo add-apt-repository "deb http://apt.llvm.org/${UBUNTU_CODENAME}/ llvm-toolchain-${UBUNTU_CODENAME}-15 main" + sudo add-apt-repository "deb http://apt.llvm.org/${UBUNTU_CODENAME}/ llvm-toolchain-${UBUNTU_CODENAME}-18 main" - name: Install build dependencies run: |- @@ -86,8 +86,8 @@ if: "${{ ! contains(matrix.cmake_args, 'mingw') }}" run: |- sudo apt-get install --yes --no-install-recommends -V \ - clang-15 \ - llvm-15 + clang-18 \ + libclang-rt-18-dev - name: Build, test and install run: |- @@ -104,7 +104,7 @@ cd googletest-release-${GTEST_VERSION}/ # Silence warning "Compatibility with CMake < 2.8.12 will be removed" - find -name CMakeLists.txt -print -exec sed 's/cmake_minimum_required.*/cmake_minimum_required(VERSION 3.0.2)/' -i {} \; + find -name CMakeLists.txt -print -exec sed 's/cmake_minimum_required.*/cmake_minimum_required(VERSION 3.5.0)/' -i {} \; cmake \ -DBUILD_SHARED_LIBS=ON \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uriparser-0.9.7/CMakeLists.txt new/uriparser-0.9.8/CMakeLists.txt --- old/uriparser-0.9.7/CMakeLists.txt 2022-10-05 16:36:09.000000000 +0200 +++ new/uriparser-0.9.8/CMakeLists.txt 2024-05-05 17:47:44.000000000 +0200 @@ -34,18 +34,18 @@ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED # OF THE POSSIBILITY OF SUCH DAMAGE. # -cmake_minimum_required(VERSION 3.3) +cmake_minimum_required(VERSION 3.5.0) project(uriparser VERSION - 0.9.7 + 0.9.8 LANGUAGES C ) # See https://verbump.de/ for what these numbers do set(URIPARSER_SO_CURRENT 1) -set(URIPARSER_SO_REVISION 30) +set(URIPARSER_SO_REVISION 31) set(URIPARSER_SO_AGE 0) include(CheckCCompilerFlag) 
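Review bot: The changed `sudo add-apt-repository "deb http://apt.llvm.org/${UBUNTU_CODENAME}/ llvm-toolchain-${UBUNTU_CODENAME}-18 main"` line still registers the LLVM source over plain `http://`, so the integrity of the clang-18 packages installed later in the @@ -86 hunk rests solely on the signature check against the key that the unchanged `wget ... | sudo apt-key add -` line above drops into the runner's global trusted keyring. `apt-key` is deprecated and a key added that way is trusted for every configured repository, not just apt.llvm.org; saving the key to a file and referencing it with `[signed-by=...]` in the deb line, plus `https://` for the source, would scope that trust to the one repository. Since this runs on a throwaway ubuntu-20.04 runner and the pattern pre-dates the commit, this is a hardening point rather than a defect the version bump introduces.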
@@ -58,7 +58,12 @@ # # Configuration # -option(BUILD_SHARED_LIBS "Build shared libraries (rather than static ones)" ON) +if(DEFINED BUILD_SHARED_LIBS) + set(_URIPARSER_SHARED_LIBS_DEFAULT ${BUILD_SHARED_LIBS}) +else() + set(_URIPARSER_SHARED_LIBS_DEFAULT ON) +endif() +option(URIPARSER_SHARED_LIBS "Build shared libraries (rather than static ones)" ${_URIPARSER_SHARED_LIBS_DEFAULT}) option(URIPARSER_BUILD_DOCS "Build API documentation (requires Doxygen, Graphviz, and (optional) Qt's qhelpgenerator)" ON) option(URIPARSER_BUILD_TESTS "Build test suite (requires GTest >=1.8.0)" ON) option(URIPARSER_BUILD_TOOLS "Build tools (e.g. CLI \"uriparse\")" ON) @@ -83,6 +88,12 @@ enable_language(CXX) endif() +if(URIPARSER_SHARED_LIBS) + set(_URIPARSER_STATIC_OR_SHARED SHARED) +else() + set(_URIPARSER_STATIC_OR_SHARED STATIC) +endif() + macro(uriparser_apply_msvc_runtime_to ref) string(REGEX REPLACE "/M[DT]d?" ${URIPARSER_MSVC_RUNTIME} ${ref} "${${ref}}") endmacro() @@ -151,6 +162,7 @@ ) add_library(uriparser + ${_URIPARSER_STATIC_OR_SHARED} ${API_HEADER_FILES} ${LIBRARY_CODE_FILES} ) @@ -175,7 +187,7 @@ ) target_compile_definitions(uriparser PRIVATE URI_LIBRARY_BUILD) -if (NOT BUILD_SHARED_LIBS) +if (NOT URIPARSER_SHARED_LIBS) target_compile_definitions(uriparser PUBLIC URI_STATIC_BUILD) endif() if(NOT URIPARSER_BUILD_CHAR) 
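Review bot: The new `if(DEFINED BUILD_SHARED_LIBS)` branch also fires when the cache entry exists with an empty value (e.g. `-DBUILD_SHARED_LIBS=`); as far as I can tell `set(_URIPARSER_SHARED_LIBS_DEFAULT ${BUILD_SHARED_LIBS})` then unsets the helper, the unquoted `${_URIPARSER_SHARED_LIBS_DEFAULT}` argument to `option()` disappears, and CMake's own default of OFF applies instead of the "ON" fallback the ChangeLog promises. A guard such as `if(DEFINED BUILD_SHARED_LIBS AND NOT "${BUILD_SHARED_LIBS}" STREQUAL "")` would keep the documented behaviour, and a comment above the branch would help the next reader, e.g. `# Honour a caller-provided BUILD_SHARED_LIBS as the default; URIPARSER_SHARED_LIBS alone decides how this library is built`. The helpers `_URIPARSER_SHARED_LIBS_DEFAULT` and `_URIPARSER_STATIC_OR_SHARED` (the latter from the @@ -83 hunk) stay defined for the rest of the directory scope once used; an `unset()` after their single use keeps them from leaking into anything this file adds as a subdirectory.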
@@ -464,7 +476,7 @@ message(STATUS "") message(STATUS "Configuration") message(STATUS " Build type ............. ${CMAKE_BUILD_TYPE}") -message(STATUS " Shared libraries ....... ${BUILD_SHARED_LIBS}") +message(STATUS " Shared libraries ....... ${URIPARSER_SHARED_LIBS}") message(STATUS " Compiler flags") message(STATUS " C .................... ${CMAKE_C_FLAGS}") message(STATUS " C++ .................. ${CMAKE_CXX_FLAGS}") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uriparser-0.9.7/ChangeLog new/uriparser-0.9.8/ChangeLog --- old/uriparser-0.9.7/ChangeLog 2022-10-05 16:36:09.000000000 +0200 +++ new/uriparser-0.9.8/ChangeLog 2024-05-05 17:47:44.000000000 +0200 
@@ -2,6 +2,33 @@ https://github.com/uriparser/uriparser/labels/help%20wanted If you can help, please get in touch. Thanks! +2024-05-05 -- 0.9.8 + +>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * Fixed: [CVE-2024-34402] + Protect against integer overflow in ComposeQueryEngine + (GitHub #183, GitHub #185) + * Fixed: [CVE-2024-34403] + Protect against integer overflow in ComposeQueryMallocExMm + (GitHub #183, GitHub #186) +>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> + * Changed: Require CMake >=3.5.0 (GitHub #172) + * Added: CMake option URIPARSER_SHARED_LIBS=(ON|OFF) to control, + whether to produce a shared or static library for uriparser + and that alone, falls back to standard BUILD_SHARED_LIBS + if available, else defaults to "ON" (GitHub #169, GitHub #170) + * Improved: Document that scheme-based normalization a la + section 6.2.3 of RFC 3986 is a responsibility of the application + using uriparser (GitHub #173, GitHub #174) + * Improved: Document supported code points for functions uriEscape(Ex)W + (GitHub #171, GitHub #175) + * Infrastructure: Update Clang from 15 to 18 (GitHub #161, GitHub #187) + * Infrastructure: Adapt to breaking changes in Clang packaging (GitHub #160) + * Infrastructure: Get sanitizer CFLAGS and LDFLAGS back in sync (GitHub #161) + * Infrastructure: Pin GitHub Actions to specific commits for security + (GitHub #165) + * Soname: 1:31:0 â see https://verbump.de/ for what these numbers do + 2022-10-05 -- 0.9.7 * Fixed: Multiple issues with IPv6 and IPvFuture literal parsing diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uriparser-0.9.7/README.md new/uriparser-0.9.8/README.md --- old/uriparser-0.9.7/README.md 2022-10-05 16:36:09.000000000 +0200 +++ new/uriparser-0.9.8/README.md 2024-05-05 17:47:44.000000000 +0200 
@@ -20,7 +20,7 @@ # Example use from an existing CMake project ```cmake -cmake_minimum_required(VERSION 3.3) +cmake_minimum_required(VERSION 3.5.0) project(hello VERSION 1.0.0) @@ -49,9 +49,6 @@ ## Available CMake options (and defaults) ```console # rm -f CMakeCache.txt ; cmake -LH . | grep -B1 ':.*=' | sed 's,--,,' -// Build shared libraries (rather than static ones) -BUILD_SHARED_LIBS:BOOL=ON - // Choose the type of build, options are: None Debug Release RelWithDebInfo MinSizeRel ... CMAKE_BUILD_TYPE:STRING= @@ -82,6 +79,9 @@ // Use of specific runtime library (/MT /MTd /MD /MDd) with MSVC URIPARSER_MSVC_RUNTIME:STRING= +// Build shared libraries (rather than static ones) +URIPARSER_SHARED_LIBS:BOOL=ON + // Treat all compiler warnings as errors URIPARSER_WARNINGS_AS_ERRORS:BOOL=OFF ``` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uriparser-0.9.7/THANKS new/uriparser-0.9.8/THANKS --- old/uriparser-0.9.7/THANKS 2022-10-05 16:36:09.000000000 +0200 +++ new/uriparser-0.9.8/THANKS 2024-05-05 17:47:44.000000000 +0200 @@ -67,7 +67,8 @@ SpaceIm Valentin Haenel Vitaly Lipatov -Yang Yu Wouter Beek +Yan Li +Yang Yu Zachary Lund Zane van Iperen diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uriparser-0.9.7/cmake/test_find_package/CMakeLists.txt new/uriparser-0.9.8/cmake/test_find_package/CMakeLists.txt --- old/uriparser-0.9.7/cmake/test_find_package/CMakeLists.txt 2022-10-05 16:36:09.000000000 +0200 +++ new/uriparser-0.9.8/cmake/test_find_package/CMakeLists.txt 2024-05-05 17:47:44.000000000 +0200 
@@ -34,7 +34,7 @@ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED # OF THE POSSIBILITY OF SUCH DAMAGE. # -cmake_minimum_required(VERSION 3.0) +cmake_minimum_required(VERSION 3.5.0) project(test-find-package VERSION 1.0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uriparser-0.9.7/include/uriparser/Uri.h new/uriparser-0.9.8/include/uriparser/Uri.h --- old/uriparser-0.9.7/include/uriparser/Uri.h 2022-10-05 16:36:09.000000000 +0200 +++ new/uriparser-0.9.8/include/uriparser/Uri.h 2024-05-05 17:47:44.000000000 +0200 @@ -1,4 +1,4 @@ -/* 4bf720e0ca97527a28e4c30f1c35b36a0b5f2697265c5ddc81080eaab4344ef2 (0.9.7+) +/* e8e2c75d033ddfe256fe87c3fd5a330a6f2c9cbb376ebd83a1b3263e804c766a (0.9.8+) * * uriparser - RFC 3986 URI parsing library * @@ -352,10 +352,19 @@ /** * Percent-encodes all unreserved characters from the input string and * writes the encoded version to the output string. - * Be sure to allocate <b>3 times</b> the space of the input buffer for + * + * NOTE: Be sure to allocate <b>3 times</b> the space of the input buffer for * the output buffer for <c>normalizeBreaks == URI_FALSE</c> and <b>6 times</b> * the space for <c>normalizeBreaks == URI_TRUE</c> - * (since e.g. "\x0d" becomes "%0D%0A" in that case) + * (since e.g. "\x0d" becomes "%0D%0A" in that case). + * + * NOTE: The implementation treats (both <c>char</c> and) <c>wchar_t</c> units + * as code point integers, which works well for code points <c>U+0001</c> to <c>U+00ff</c> + * in host-native endianness but nothing more; + * in particular, using <c>uriEscapeExW</c> with arbitrary Unicode input will + * not produce healthy results. + * Passing UTF-8 input to <c>uriEscapeExA</c> may be useful in some scenarios. + * Keep in mind that uriparser is about %URI (RFC 3986) not %IRI (RFC 3987). * * @param inFirst <b>IN</b>: Pointer to first character of the input text * @param inAfterLast <b>IN</b>: Pointer after the last character of the input text 
@@ -377,10 +386,19 @@ /** * Percent-encodes all unreserved characters from the input string and * writes the encoded version to the output string. - * Be sure to allocate <b>3 times</b> the space of the input buffer for + * + * NOTE: Be sure to allocate <b>3 times</b> the space of the input buffer for * the output buffer for <c>normalizeBreaks == URI_FALSE</c> and <b>6 times</b> * the space for <c>normalizeBreaks == URI_TRUE</c> - * (since e.g. "\x0d" becomes "%0D%0A" in that case) + * (since e.g. "\x0d" becomes "%0D%0A" in that case). + * + * NOTE: The implementation treats (both <c>char</c> and) <c>wchar_t</c> units + * as code point integers, which works well for code points <c>U+0001</c> to <c>U+00ff</c> + * in host-native endianness but nothing more; + * in particular, using <c>uriEscapeW</c> with arbitrary Unicode input will + * not produce healthy results. + * Passing UTF-8 input to <c>uriEscapeA</c> may be useful in some scenarios. + * Keep in mind that uriparser is about %URI (RFC 3986) not %IRI (RFC 3987). * * @param in <b>IN</b>: Text source * @param out <b>OUT</b>: Encoded text destination 
@@ -608,6 +626,10 @@ * Converts a %URI structure back to text as described in * <a href="http://tools.ietf.org/html/rfc3986#section-5.3">section 5.3 of RFC 3986</a>. * + * NOTE: Scheme-based normalization + * (<a href="http://tools.ietf.org/html/rfc3986#section-6.2.3">section 6.2.3 of RFC 3986</a>) + * is not applied and is considered a responsibility of the application using uriparser. + * * @param dest <b>OUT</b>: Output destination * @param uri <b>IN</b>: %URI to convert * @param maxChars <b>IN</b>: Maximum number of characters to copy <b>including</b> terminator diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uriparser-0.9.7/include/uriparser/UriBase.h new/uriparser-0.9.8/include/uriparser/UriBase.h --- old/uriparser-0.9.7/include/uriparser/UriBase.h 2022-10-05 16:36:09.000000000 +0200 +++ new/uriparser-0.9.8/include/uriparser/UriBase.h 2024-05-05 17:47:44.000000000 +0200 @@ -55,7 +55,7 @@ /* Version */ #define URI_VER_MAJOR 0 #define URI_VER_MINOR 9 -#define URI_VER_RELEASE 7 +#define URI_VER_RELEASE 8 #define URI_VER_SUFFIX_ANSI "" #define URI_VER_SUFFIX_UNICODE URI_ANSI_TO_UNICODE(URI_VER_SUFFIX_ANSI) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uriparser-0.9.7/src/UriQuery.c new/uriparser-0.9.8/src/UriQuery.c --- old/uriparser-0.9.7/src/UriQuery.c 2022-10-05 16:36:09.000000000 +0200 +++ new/uriparser-0.9.8/src/UriQuery.c 2024-05-05 17:47:44.000000000 +0200 @@ -70,6 +70,7 @@ #include <limits.h> +#include <stddef.h> /* size_t */ @@ -177,10 +178,13 @@ if (res != URI_SUCCESS) { return res; } + if (charsRequired == INT_MAX) { + return URI_ERROR_MALLOC; + } charsRequired++; /* Allocate space */ - queryString = memory->malloc(memory, charsRequired * sizeof(URI_CHAR)); + queryString = memory->calloc(memory, charsRequired, sizeof(URI_CHAR)); if (queryString == NULL) { return URI_ERROR_MALLOC; } 
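Review bot: The new `if (charsRequired == INT_MAX)` guard in the @@ -177 hunk of src/UriQuery.c is the actual CVE-2024-34403 fix but carries no comment saying so, and it reports the condition as `URI_ERROR_MALLOC` although nothing has been allocated at that point, whereas the parallel length guard in ComposeQueryEngine (the @@ -218 hunk, cut off at the end of this chunk) returns `URI_ERROR_OUTPUT_TOO_LARGE` for the same class of problem. I would add `/* charsRequired++ below must not overflow (CVE-2024-34403) */` above the check and, unless callers are meant to see URI_ERROR_MALLOC here, return `URI_ERROR_OUTPUT_TOO_LARGE` for consistency. The switch from `memory->malloc(memory, charsRequired * sizeof(URI_CHAR))` to `memory->calloc(memory, charsRequired, sizeof(URI_CHAR))` moves the multiplication behind the memory manager; that only closes the size overflow if every UriMemoryManager's calloc checks `nmemb * size` the way the C library's does, which the hunk cannot show, so a comment stating that expectation (or an explicit overflow check on `charsRequired * sizeof(URI_CHAR)` before the call) would make the contract visible. The enclosing function, presumably ComposeQueryMallocExMm per the ChangeLog entry, starts and ends outside the hunk.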
@@ -218,16 +222,16 @@ const URI_CHAR * const key = queryList->key; const URI_CHAR * const value = queryList->value; const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3); - const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key); + const size_t keyLen = (key == NULL) ? 0 : URI_STRLEN(key); int keyRequiredChars; - const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value); + const size_t valueLen = (value == NULL) ? 0 : URI_STRLEN(value); int valueRequiredChars; - if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) { + if ((keyLen >= (size_t)INT_MAX / worstCase) || (valueLen >= (size_t)INT_MAX / worstCase)) { return URI_ERROR_OUTPUT_TOO_LARGE; } - keyRequiredChars = worstCase * keyLen; - valueRequiredChars = worstCase * valueLen; + keyRequiredChars = worstCase * (int)keyLen; + valueRequiredChars = worstCase * (int)valueLen; if (dest == NULL) { (*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)