Hello community, here is the log from the commit of package libnettle for openSUSE:Factory checked in at 2018-12-11 15:44:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libnettle (Old) and /work/SRC/openSUSE:Factory/.libnettle.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libnettle" Tue Dec 11 15:44:35 2018 rev:30 rq:655651 version:3.4.1~rc1 Changes: -------- --- /work/SRC/openSUSE:Factory/libnettle/libnettle.changes 2018-03-01 12:05:59.238020793 +0100 +++ /work/SRC/openSUSE:Factory/.libnettle.new.19453/libnettle.changes 2018-12-11 15:44:48.226406353 +0100 @@ -1,0 +2,60 @@ +Thu Dec 6 12:56:30 UTC 2018 - Jan Engelhardt <jeng...@inai.de> + +- Adjust SRPM group. + +------------------------------------------------------------------- +Tue Dec 4 13:43:17 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonza...@suse.com> + +- libnettle 3.4.1rc1: [bsc#1118086, CVE-2018-16869] + * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around + _pkcs1_sec_decrypt_variable. Improves side-channel silence of the + only caller, rsa_decrypt. + * rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New + local helper functions, with their own itch functions. + (_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to + use helpers, for clarity. + * rsa-decrypt-tr.c (rsa_decrypt_tr): Use NETTLE_OCTET_SIZE_TO_LIMB_SIZE. + * rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to + mpz_sizeinbase, since that potentially leaks most significant bits + of private key parameters a and b. + * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use + _rsa_sec_compute_root. + * testsuite/rsa-sec-compute-root-test.c: Add more tests for new + side-channel silent functions. + * rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn, + since that is required for one of the GMP calls in + _rsa_sec_compute_root. + * rsa-decrypt-tr.c: Switch to use side-channel silent functions. + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private + function. Variable size version for backwards compatibility. + * testsuite/rsa-sec-decrypt-test.c: Adds more tests. + * rsa-sec-decrypt.c (rsa_sec_decrypt): New function. + Fixed length side-channel silent version of rsa-decrypt. + * testsuite/rsa-encrypt-test.c: add tests for the new fucntion. + * testsuite/pkcs1-sec-decrypt-test.c: Adds tests for _pkcs1_sec_decrypt. + * gmp-glue.c (mpn_get_base256): New function. + * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function. + Fixed length side-channel silent version of pkcs1-decrypt. + * cnd-memcpy.c (cnd_memcpy): New function. + * testsuite/cnd-memcpy-test.c: New test case. + * rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses + _rsa_sec_compute_root, as well as side-channel silent RSA blinding. + (rsa_compute_root_tr) Rewritten as a wrapper around rsa_sec_compute_root_tr. + (rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root) + (cnd_mpn_zero): New helper functions. + (rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not + side-channel silent wrapper around rsa_compute_root_tr, and the + latter function left unchanged. + * rsa-sec-compute-root.c (_rsa_sec_compute_root_itch) + (_rsa_sec_compute_root): New file, new private functions. + Side-channel silent version of rsa_compute_root. + * rsa-internal.h: New header file with declarations. + * gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro. + * tools/pkcs1-conv.c (convert_file): Add missing break statements. + * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper) + (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast + between incompatible function types (which gcc-8 warns about). + Wrappers are expected to compile to a single jmp instruction. + * des-compat.c (des_compat_des3_decrypt): Change length argument type to size_t. + +------------------------------------------------------------------- Old: ---- nettle-3.4.tar.gz nettle-3.4.tar.gz.sig New: ---- nettle-3.4.1rc1.tar.gz nettle-3.4.1rc1.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libnettle.spec ++++++ --- /var/tmp/diff_new_pack.D2Gdyg/_old 2018-12-11 15:44:48.950405557 +0100 +++ /var/tmp/diff_new_pack.D2Gdyg/_new 2018-12-11 15:44:48.950405557 +0100 @@ -12,21 +12,23 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define soname 6 %define hogweed_soname 4 +%define realversion 3.4.1rc1 +%define shortversion 3.4.1 Name: libnettle -Version: 3.4 +Version: 3.4.1~rc1 Release: 0 Summary: Cryptographic Library -License: LGPL-2.1+ AND GPL-2.0+ -Group: System/Libraries -Url: http://www.lysator.liu.se/~nisse/nettle/ -Source0: https://ftp.gnu.org/gnu/nettle/nettle-%{version}.tar.gz -Source1: https://ftp.gnu.org/gnu/nettle/nettle-%{version}.tar.gz.sig +License: LGPL-2.1-or-later AND GPL-2.0-or-later +Group: Development/Libraries/C and C++ +URL: https://www.lysator.liu.se/~nisse/nettle/ +Source0: https://www.lysator.liu.se/~nisse/archive/nettle-%{realversion}.tar.gz +Source1: https://www.lysator.liu.se/~nisse/archive/nettle-%{realversion}.tar.gz.sig Source2: %{name}.keyring Source3: baselibs.conf # PATCH-FIX-UPSTREAM respect cflags while building @@ -35,6 +37,7 @@ BuildRequires: m4 BuildRequires: makeinfo BuildRequires: pkgconfig + Requires(post): %{install_info_prereq} %description @@ -44,7 +47,7 @@ %package -n libnettle%{soname} Summary: Cryptographic Library -License: LGPL-2.1+ +License: LGPL-2.1-or-later Group: System/Libraries %description -n libnettle%{soname} @@ -54,7 +57,7 @@ %package -n libhogweed%{hogweed_soname} Summary: Cryptographic Library for Public Key Algorithms -License: LGPL-2.1+ +License: LGPL-2.1-or-later Group: System/Libraries %description -n libhogweed%{hogweed_soname} @@ -66,7 +69,7 @@ %package -n libnettle-devel Summary: Cryptographic Library -License: LGPL-2.1+ +License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: gmp-devel @@ -80,7 +83,7 @@ %package -n nettle Summary: Cryptographic Tools -License: LGPL-2.1+ AND GPL-2.0+ +License: LGPL-2.1-or-later AND GPL-2.0-or-later Group: Productivity/Security %description -n nettle @@ -92,7 +95,7 @@ operations using the nettle library. %prep -%setup -q -n nettle-%{version} +%setup -q -n nettle-%{shortversion} %patch0 -p1 %build @@ -132,12 +135,13 @@ %{_includedir}/nettle %{_libdir}/libnettle.so %{_libdir}/libhogweed.so -%{_infodir}/nettle.info%{ext_info} +%{_infodir}/nettle.info%{?ext_info} %{_libdir}/pkgconfig/hogweed.pc %{_libdir}/pkgconfig/nettle.pc %files -n nettle -%doc AUTHORS ChangeLog COPYING* NEWS README TODO +%license COPYING* +%doc AUTHORS ChangeLog NEWS README TODO %{_bindir}/nettle-lfib-stream %{_bindir}/nettle-pbkdf2 %{_bindir}/pkcs1-conv