commit cc35fad1e9e514a282e6df8d6b4b80f236bc2f30
Author: zyppe <210hcl@gmail.com>
Date: Tue Feb 20 17:36:21 2024 +0800
Initialize for libksba
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f5c9990
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+libksba-1.3.5.tar.bz2
diff --git a/.libksba.metadata b/.libksba.metadata
new file mode 100644
index 0000000..9087cfc
--- /dev/null
+++ b/.libksba.metadata
@@ -0,0 +1 @@
+0e3122d820fc6ddd7252cc59dc4b5a225dc90bc78db72f5dabf43ca237c5fc72 libksba-1.3.5.tar.bz2
diff --git a/libksba-1.3.5.tar.bz2.sig b/libksba-1.3.5.tar.bz2.sig
new file mode 100644
index 0000000..48c29d5
Binary files /dev/null and b/libksba-1.3.5.tar.bz2.sig differ
diff --git a/libksba-CVE-2022-3515.patch b/libksba-CVE-2022-3515.patch
new file mode 100644
index 0000000..e02ca54
--- /dev/null
+++ b/libksba-CVE-2022-3515.patch
@@ -0,0 +1,36 @@
+From 4b7d9cd4a018898d7714ce06f3faf2626c14582b Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Wed, 5 Oct 2022 14:19:06 +0200
+Subject: [PATCH 1/3] Detect a possible overflow directly in the TLV parser.
+
+* src/ber-help.c (_ksba_ber_read_tl): Check for overflow of a commonly
+used sum.
+--
+
+It is quite common to have checks like
+
+ if (ti.nhdr + ti.length >= DIM(tmpbuf))
+ return gpg_error (GPG_ERR_TOO_LARGE);
+
+This patch detects possible integer overflows immmediately when
+creating the TI object.
+
+Reported-by: ZDI-CAN-18927, ZDI-CAN-18928, ZDI-CAN-18929
+
+Index: libksba-1.3.5/src/ber-help.c
+===================================================================
+--- libksba-1.3.5.orig/src/ber-help.c
++++ libksba-1.3.5/src/ber-help.c
+@@ -181,6 +181,12 @@ _ksba_ber_read_tl (ksba_reader_t reader,
+ ti->length = len;
+ }
+
++ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
++ {
++ ti->err_string = "header+length would overflow";
++ return gpg_error (GPG_ERR_EOVERFLOW);
++ }
++
+ /* Without this kludge some example certs can't be parsed */
+ if (ti->class == CLASS_UNIVERSAL && !ti->tag)
+ ti->length = 0;
diff --git a/libksba-CVE-2022-47629.patch b/libksba-CVE-2022-47629.patch
new file mode 100644
index 0000000..ed145fc
--- /dev/null
+++ b/libksba-CVE-2022-47629.patch
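Review bot: The check added to `_ksba_ber_read_tl` rejects only a `ti->nhdr + ti->length` that wraps around; it places no upper bound on `ti->length`, so every caller that copies into a fixed buffer still needs its own size comparison, and a comment above the check should say so, e.g. `/* Guards only against wrap-around of nhdr+length; callers must still bound the sum against their buffer. */`. The first operand `ti->length > ti->nhdr` adds nothing if both fields are unsigned (a wrapped sum is smaller than either addend), so `if (ti->nhdr + ti->length < ti->length)` would express the same test; the field types are not visible in the hunk, so confirm that before simplifying. The subject marks this as patch 1 of 3 and only this one hunk is carried here, so it is worth confirming that the rest of the upstream series is either not applicable to 1.3.5 or covered elsewhere. The function body starts and ends outside the inner hunk.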
@@ -0,0 +1,65 @@
+From f61a5ea4e0f6a80fd4b28ef0174bee77793cf070 Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Tue, 22 Nov 2022 16:36:46 +0100
+Subject: [PATCH] Fix an integer overflow in the CRL signature parser.
+
+* src/crl.c (parse_signature): N+N2 now checked for overflow.
+
+* src/ocsp.c (parse_response_extensions): Do not accept too large
+values.
+(parse_single_extensions): Ditto.
+--
+
+The second patch is an extra safegourd not related to the reported
+bug.
+
+GnuPG-bug-id: 6284
+Reported-by: Joseph Surin, elttam
+---
+ src/crl.c | 2 +-
+ src/ocsp.c | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+Index: libksba-1.3.5/src/crl.c
+===================================================================
+--- libksba-1.3.5.orig/src/crl.c
++++ libksba-1.3.5/src/crl.c
+@@ -1434,7 +1434,7 @@ parse_signature (ksba_crl_t crl)
+ && !ti.is_constructed) )
+ return gpg_error (GPG_ERR_INV_CRL_OBJ);
+ n2 = ti.nhdr + ti.length;
+- if (n + n2 >= DIM(tmpbuf))
++ if (n + n2 >= DIM(tmpbuf) || (n + n2) < n)
+ return gpg_error (GPG_ERR_TOO_LARGE);
+ memcpy (tmpbuf+n, ti.buf, ti.nhdr);
+ err = read_buffer (crl->reader, tmpbuf+n+ti.nhdr, ti.length);
+Index: libksba-1.3.5/src/ocsp.c
+===================================================================
+--- libksba-1.3.5.orig/src/ocsp.c
++++ libksba-1.3.5/src/ocsp.c
+@@ -912,6 +912,12 @@ parse_response_extensions (ksba_ocsp_t o
+ else
+ ocsp->good_nonce = 1;
+ }
++ if (ti.length > (1<<24))
++ {
++ /* Bail out on much too large objects. */
++ err = gpg_error (GPG_ERR_BAD_BER);
++ goto leave;
++ }
+ ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
+ if (!ex)
+ {
+@@ -979,6 +985,12 @@ parse_single_extensions (struct ocsp_req
+ err = parse_octet_string (&data, &datalen, &ti);
+ if (err)
+ goto leave;
++ if (ti.length > (1<<24))
++ {
++ /* Bail out on much too large objects. */
++ err = gpg_error (GPG_ERR_BAD_BER);
++ goto leave;
++ }
+ ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
+ if (!ex)
+ {
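Review bot: In `parse_signature` the new `(n + n2) < n` test catches a wrap of `n + n2`, but `n2 = ti.nhdr + ti.length` on the line above is itself a sum that can wrap before the test runs, so the fix is complete only together with the TLV-parser check from libksba-CVE-2022-3515.patch (assuming `ti` is filled by that parser, which is outside the hunk). A form that cannot wrap and does not lean on the other patch is `if (n >= DIM(tmpbuf) || n2 >= DIM(tmpbuf) - n)`, with `ti.length` compared against `DIM(tmpbuf)` before `n2` is computed. In ocsp.c the limit `(1<<24)` is written out at both sites and returns `GPG_ERR_BAD_BER` where crl.c returns `GPG_ERR_TOO_LARGE`; a single named constant, with a comment that it caps the extension size before `xtrymalloc`, would keep the two sites in step. All three functions continue outside their inner hunks.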
diff --git a/libksba.changes b/libksba.changes
new file mode 100644
index 0000000..b4a7d2c
--- /dev/null
+++ b/libksba.changes
@@ -0,0 +1,165 @@
+* Tue Jan 3 2023 pmonreal@suse.com
+- Security fix: [bsc#1206579, CVE-2022-47629]
+ * Integer overflow in the CRL signature parser.
+ * Add libksba-CVE-2022-47629.patch
+* Mon Oct 17 2022 pmonreal@suse.com
+- Security fix: [bsc#1204357, CVE-2022-3515]
+ * Detect a possible overflow directly in the TLV parser.
+ * Add libksba-CVE-2022-3515.patch
+* Thu Feb 22 2018 fvogt@suse.com
+- Use %%license (boo#1082318)
+* Mon Aug 22 2016 astieger@suse.com
+- libksba 1.3.5:
+ * Limit the allowed size of complex ASN.1 objects (e.g.
+ certificates) to 16MiB.
+ * Avoid read access to unitialized memory.
+ * Improve detection of invalid RDNs.
+ * Encode the OCSP nonce value as an octet string as described by
+ RFC-6960.
+* Tue May 10 2016 astieger@suse.com
+- libksba 1.3.4:
+ * Fixed two OOB read access bugs which could be used to force a DoS.
+ boo#979261 CVE-2016-4574, CVE-2016-4579
+ * Fixed a crash due to faulty curve OID lookup code.
+ * Synced the list of supported curves with those of Libgcrypt.
+ * New configure option --enable-build-timestamp; a build timestamp is
+ not anymore used by default.
+* Fri Apr 10 2015 astieger@suse.com
+- libksba 1.3.3:
+ * Fixed an integer overflow in the DN decoder.
+ * Now returns an error instead of terminating the process for
+ certain bad BER encodings.
+ * Improved the parsing of utf-8 strings in DNs.
+ * Allow building with newer versions of Bison.
+* Thu Mar 19 2015 astieger@suse.com
+- remove libtool requirement
+* Wed Nov 26 2014 andreas.stieger@gmx.de
+- libksba 1.3.2 [boo#907074] [CVE-2014-9087]
+ This version contains a security update which fixes a buffer
+ overflow in OID to string conversion code that can be triggered
+ by a specially crafted S/MIME message or ECC based OpenPGP data.
+ Users of GnuPG 2.x should install this version and restart the
+ dirmgr process.
+ * Fixed a buffer overflow in ksba_oid_to_str.
+- verify source signature
+* Sun Sep 21 2014 andreas.stieger@gmx.de
+- libksba 1.3.1:
+ * Fixed memory leak in CRL parsing
+ * Build fixes for ppc64el
+* Tue Nov 27 2012 meissner@suse.com
+- Use URL for source
+* Mon Oct 1 2012 andreas.stieger@gmx.de
+- update to libksba 1.3.0
+ - change license from GPLv2 to LGPLv3/GPLv2
+ - minor bug fixes
+- implement shared library packaging policy
+- remove nld-build.diff which was added 2004 before package was in
+ the openSUSE OBS, was never used or applied cleanly since r1
+* Sat Nov 19 2011 coolo@suse.com
+- add libtool as buildrequire to avoid implicit dependency
+* Fri Jul 29 2011 puzel@novell.com
+- update to libksba-1.2.0
+ - New functions to allow the creation of X.509 certificates.
+ - Interface changes relative to the 1.1.0 release:
+ ksba_certreq_set_serial NEW
+ ksba_certreq_set_issuer NEW
+ ksba_certreq_set_validity NEW
+ ksba_certreq_set_siginfo NEW
+* Fri Dec 3 2010 puzel@novell.com
+- update to libksba-1.1.0
+ * New functions to fix a leak in dirmngr.
+ * Interface changes relative to the 1.0.0 release:
+ ksba_reader_set_release_notify NEW
+ ksba_writer_set_release_notify NEW
+- clean up specfile
+* Sun Oct 31 2010 jengelh@medozas.de
+- Use %%_smp_mflags
+* Tue Aug 17 2010 puzel@novell.com
+- update to libksba-1.0.8
+ * Fixed a CMS parsing bug exhibited by Lotus Notes.
+* Thu Jul 9 2009 puzel@novell.com
+- update to libksba-1.0.7
+ * Detect overflow while parsing OIDs. Map BER encoded OIDs to well
+ known names.
+ * Allow mixed case names in DNs.
+* Wed Jun 24 2009 puzel@suse.cz
+- update to libksba-1.0.6
+ * Support SHA-{384,512} based signature generation.
+ * The RSA algorithmIdentifier ASN.1 sequence is now emitted with an
+ explicit NULL parameter. Despite the interop testing we did in the
+ past, some software still requires this and thus we better follow
+ the best current practise.
+* Tue Apr 7 2009 crrodriguez@suse.de
+- remove static libraries and "la" files
+- fix buildrequires and -devel package dependencies
+* Mon Jan 12 2009 puzel@suse.cz
+- update to 1.0.5 (bugfix release)
+ - minor bugfixes
+* Thu Sep 25 2008 puzel@suse.cz
+- update to 1.0.4
+ * autoconf fixes
+- correctly install/uninstall info files
+- use %%makeinstall and %%configure macros
+* Thu Jun 26 2008 puzel@suse.cz
+- update to 1.0.3
+ * bugfix release (autoconf fixes)
+ * removed libksba-texi.patch
+* Thu Jan 10 2008 bk@suse.de
+- Add missing initialsation, fixes gpgsm crash in GPG's make check
+* Mon Jul 30 2007 ltinkl@suse.cz
+- update to 1.0.2
+ * Support for SHA-2.
+ * Fixed a couple of memory leaks.
+ * Experimental support for ECDSA.
+ * Minor portability fixes.
+ * Switched to GPLv3.
+* Tue Sep 12 2006 pnemec@suse.cz
+- updated to 1.0.0 by diff from author
+ - change in api
+* Mon Sep 11 2006 pnemec@suse.cz
+- updated to 0.9.16
+ Fixed a character set conversion bug in BMPStrings
+ Added new api functions, see readme.
+* Fri Jun 23 2006 pnemec@suse.cz
+- updated to 0.9.15 from CVS!
+ fixed security bug #177462
+* Thu May 25 2006 pnemec@suse.cz
+- updated to version 0.9.14
+ * Fixed broken OCSP requests.
+ * Ignore invalid bytes appended to a certificate.
+ * New functions to associate user data with a certificate object.
+* Wed Jan 25 2006 mls@suse.de
+- converted neededforbuild to BuildRequires
+* Mon Sep 26 2005 mls@suse.de
+- make devel package require base package
+* Fri Aug 5 2005 postadal@suse.cz
+- updated to version 0.9.12
+* Mon Jul 11 2005 postadal@suse.cz
+- updated to version 0.9.11
+- removed obsoleted patch autoconf-fix.diff
+* Wed Jan 12 2005 postadal@suse.cz
+- update to version 0.9.10
+* Thu Sep 30 2004 postadal@suse.cz
+- restored autoconf-fix.diff patch removed by last update [#36193, #46036]
+ (fixed autoconf issue - quoted definition of AM_PATH_KSBA)
+* Wed Jul 28 2004 adrian@suse.de
+- update to version 0.9.8
+* Wed Jul 14 2004 adrian@suse.de
+- create -devel sub package
+- prepare for nld
+* Mon Jul 12 2004 adrian@suse.de
+- update to version 0.9.7
+* Wed Mar 17 2004 postadal@suse.cz
+- fixed autoconf issue (quoted definition of AM_PATH_KSBA) [#36193]
+* Tue Feb 10 2004 postadal@suse.cz
+- fixed code that broke strict aliasing
+- bziped tarball
+* Sun Jan 11 2004 adrian@suse.de
+- add %%run_ldconfig
+* Mon Jun 2 2003 mc@suse.de
+- switch to version 0.4.7
+ This fixes a problem mainly relevant to certificate request
+ creation (if you must use the ugly way of putting the email
+ address into the subject DN)
+* Thu Feb 20 2003 mc@suse.de
+- initial version
diff --git a/libksba.keyring b/libksba.keyring
new file mode 100644
index 0000000..df94d38
--- /dev/null
+++ b/libksba.keyring
@@ -0,0 +1,99 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQENBE0ti4EBCACqGtKlX9jI/enhlBdy2cyQP6Q7JoyxtaG6/ckAKWHYrqFTQk3I +Ue8TuDrGT742XFncG9PoMBfJDUNltIPgKFn8E9tYQqAOlpSA25bOb30cA2ADkrjg +jvDAH8cZ+fkIayWtObTxwqLfPivjFxEM//IdShFFVQj+QHmXYBJggWyEIil8Bje7 +KRw6B5ucs4qSzp5VH4CqDr9PDnLD8lBGHk0x8jpwh4V/yEODJKATY0Vj00793L8u +qA35ZiyczUvvJSLYvf7STO943GswkxdAfqxXbYifiK2gjE/7SAmB+2jFxsonUDOB +1BAY5s3FKqrkaxZr3BBjeuGGoCuiSX/cXRIhABEBAAG0Fldlcm5lciBLb2NoIChk +aXN0IHNpZymJAT4EEwECACgFAk0ti4ECGwMFCRDdnwIGCwkIBwMCBhUIAgkKCwQW +AgMBAh4BAheAAAoJECSbOdJPJeO2PlMIAJxPtFXf5yozPpFjRbSkSdjsk9eru05s +hKZOAKw3RUePTU80SRLPdg4AH+vkm1JMWFFpwvHlgfxqnE9rp13o7L/4UwNUwqH8 +5zCwu7SHz9cX3d4UUwzcP6qQP4BQEH9/xlpQS9eTK9b2RMyggqwd/J8mxjvoWzL8 +Klf/wl6jXHn/yP92xG9/YA86lNOL1N3/PhlZzLuJ6bdD9WzsEp/+kh3UDfjkIrOc +WkqwupB+d01R4bHPu9tvXy8Xut8Sok2zku2xVkEOsV2TXHbwuHO2AGC5pWDX6wgC +E4F5XeCB/0ovao2/bk22w1TxzP6PMxo6sLkmaF6D0frhM2bl4C/uSsqInAQQAQIA +BgUCTS2NBAAKCRBTtiDQHODGMEZPBACLmrMjpwmyVvI6X5N4NlWctXQWY+4ODx2i +O9CtUM/F96YiPFlmgwsJUzyXLwALYk+shh83TjQLfjexohzS1O07DCZUy7Lsb9R7 +HbYJ1Yf/QcEykbiAW465CZb1BAOMR2HUODBTaABaidfnhmUzJtayz7Y0KKRHAx+V +VS6kfnsFq5kBDQRUUF8HAQgAh1mo8r+kVWVTNsNlyurm2tdZKiQbdeVgpBgcDnqI +3fAV58C3nC8DVuK5qVGZPB/jbu42jc8BXGP1l6UP+515LQL5GpTtV0pRWUO02WOu +TLZBVQcq53vzbg1xVo31rWV96mqGAPs8lGUCm09fpuiVKQojO6/Ihkg7/bnzeSbc +X5Xk9eKLhyB7tnakuYJeRYm4bjs+YDApK8IFQyevYF8pjTcbLTSNJPW9WLCsozsy +11r4xdfRcTWjARVz5VzTnQ+Px8YtsnjQ3qwNJBpsqMLCdDN7YGhh/mlwPjgdq/UF +f5+bY6f3ew0vshBqInBQycBSmYyoX0Ye3sAS/OR4nu5ZaQARAQABtD5EYXZpZCBT +aGF3IChHbnVQRyBSZWxlYXNlIFNpZ25pbmcgS2V5KSA8ZHNoYXdAamFiYmVyd29j +a3kuY29tPokBPgQTAQIAKAUCVFBfBwIbAwUJCbp27gYLCQgHAwIGFQgCCQoLBBYC +AwECHgECF4AACgkQBDdvPuCFaVmIoQf+POxCWkCTicRVlq0kust/iwYO1egK9FWG +130e2Irnv2lAZZN/0S5ibjHCYFp9gfMgmtVTF5oWXjSDAy/kIykQBBcUVx4SCJbd +MtKSdsSIQMz6P4DxXumxQm79msOsbi5TsdtUwjqdrbu2sHloE7ck/hTXUCkX3zuq +txY7W23BCQxVVT5qUaFuAHkkQaaBgAb8gdgixmkIBfu9u8k3k9zUKm/PNfMjxClv +ORkP8gev+XyzNgcXM49h5YYlmDT+Ahv99nUM1wg8yJTjefBAY0fL982Scx30nDQO 
+3w7ihALUoj5+TXQjhs3sWPJ8u3pstr9XcfzEZC77/CZmRYNr8g5hBokBHAQQAQgA +BgUCVFOBbwAKCRAkmznSTyXjtmHeB/0X00v959Oyc0EsSLOlfC52qsEn5cU7vxFb ++KY9aKtG4+hApJxemkqpCgA5+xZwXp3SQOf0sYFwz5OsukIjRF0HgSEdjoMTH6b7 +lT0nCwKo8AMU0nJbopVIJikHOzk2gUqh1gxu5iml1RbSkmFhiGjYeqM+ONQynCeX +Gg3LLZCQ1eeoaX69bvbWQFDtTIn2HYvjZLjuGC6PGH/naZ7GchiiiK0bs4UOdJFX +HtITC/7DcgEiHMHOMT3XlwINTexZG0grl2LuWuyyhurJh5IO6geArPKUmR8SjJjV +azpwbutZhYjTzfUpPvKK8kCSan9Df5eeekDrKCU8x8aqLDVyoQcRmQENBFRQOyMB +CADmEHA30Xc6op/72ZcJdQMriVvnAyN22L3rEbTiACfvBajs6fpzme2uJlC5F1Hk +Ydx3DvdcLoIV6Ed6j95JViJaoE0EB8T1TNuQRL5xj7jAPOpVpyqErF3vReYdCDIr +umlEb8zCQvVTICsIYYAo3oxX/Z/M7ogZDDeOe1G57f/Y8YacZqKw0AqW+20dZn3W +7Lgpjl8EzX25AKBl3Hi/z+s/T7JCqxZPAlQq/KbHkYh81oIm+AX6/5o+vCynEEx/ +2OkdeoNeeHgujwL8axAwPoYKVV9COy+/NQcofZ6gvig1+S75RrkG4AdiL64C7OpX +1N2kX08KlAzI9+65lyUw8t0zABEBAAG0Mk5JSUJFIFl1dGFrYSAoR251UEcgUmVs +ZWFzZSBLZXkpIDxnbmlpYmVAZnNpai5vcmc+iQE8BBMBCAAmBQJUUDsjAhsDBQkD +wmcABQsHCAkDBBUICQoFFgIDAQACHgECF4AACgkQIHGwijO9PwZ1/wgA0LKal1wF +Za8FPUonc2GzwE9YhkZiJB8KA/a7T6//cW4N46/GswiqZJxN1RdKs1B+rp7EMMU3 +bhoXstLBcIYveljqh4lPBWCsTT2+/OpwAmgnzjgdTHcpnCMTEOdZktD5SKrTj2tV +aWXAlWK/UsEEanA3cvzofy44n7rm+Eoa7P1YGCHL++Ihsi66ElbehilTT/xxckHX +Uji1XDvoagEENEHk5j4Z2mhWtjnGclvuiBkS4XezezNMW/fPAypZX4bkURNbGd8j +tkb3Eqt+bv+ZQoSA+Ukv8APaAzj8lRSw+CYjDxpoM0jtmiPrk+u/Do46COVA/IX2 +2aYNT2Y2KoWJV4kBHAQQAQgABgUCVFOCHQAKCRAkmznSTyXjtoIhB/0ZE/ppI2Gc +qDxSwPKkRkkoMD8oXdKkPxjUF2jgP+bceHKiz1F78cx/eZltB4av8OujO1IwqH2C +0aVr46W3eSyIcpmmw6F9sjLcTfyZJfWJrvobb7WQSKvWw0eHFgNGR6Z+BA3ohjws +aCZtzzkH2gXI+EM7qaZozMw+eSkZ4qTE9B4/hkMZZpBO0oGy9PQzSlADGftyyuTt +oSUvepfs+EvYSddQ7skXWq0zePuOhng2Mppl690A+aTywyetbPvVeqjiAbI7NB5f +8Tw7dk0Febe9NHvbwzgiStMPmIKrTcthvgIClBkZvmkBFWAPxYPdHfLzAlpDGxJt +R31c0zNFBH68mQENBFRDqVIBCAC0k8eZKDmNqdmawOlJ/m62L2g8uXT/+/vAEGb1 +yaib09xI6tfGXzbqlDwrLIZcJsSIT/nt/ajJnIVbc3137va4XbwMzsDpAMH4mmiT +oqk+izEChGm2knzrLwhoflR8aGsKL35QoZT/erdjfgPeCRLvf25fHsN2Jb0WIMzC +56VkMeFoza+9HZ5hrkemmm+gPvIvhEUopxCyOS8mK5WjB4zzIdyDJfkqVpHvafNP 
+0N4LIsedKdyHcj/K3kY4Kejl99GW1z1snBgPamoN2/e52Pf6KTw2FjsSGZ72oalc +rkBR4wacUizGxKcRD2Y6Xa0g9mwToWdNBQCIII+uTzOzq1EDABEBAAG0IVdlcm5l +ciBLb2NoIChSZWxlYXNlIFNpZ25pbmcgS2V5KYkBPQQTAQgAJwUCVEOpUgIbAwUJ +C6oF9QULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRCKhhscfv1g2aH7B/wIW6mV +mTmzW2xc1q1MUdssExQBhEeONrbWJ/HiGZP/MaabgQ/+wZuThTAwfGM5zFQBOvrB +OGURhINU6lYQlcOrVo+V8Z1mNQKFWaKxJaY5Ku1bB1OuX9FHLEiMibogHu5fjJIX +BE8XrnvueejyFQ5g/uX2xcGgCWlMe49sR3K+lEl3n93xTmSNhP52r0gTjMjbqKWK +UaIGJ5OcWSrvawdfqLXkxR8phq2AlHHEfxpcZsOp9mZirWYQ5jcgGgFP0LYXUw/R +nxFpOcrj45qufmyEL9QJKjBV5RaHJbqukefwUInPQtVUmINqQxztSh5QxQP2tsUP +IeEi5RAoCwLJam8ziQEcBBABCAAGBQJUU4JUAAoJECSbOdJPJeO2c+cH+wevKc8w +bkWSoGOJiYDglVMJa4x5utgHyXP4PyqelIQ7yibfQq3YyOU9RWRGxfvuofPXpx1E +u/XtCGgw03r4HZhauauYe27IDpA5P/Go7+WqufT6gMBoZf/1cD2ykQZpFyszEKHf +Y+BlzqPJcRaXy4+uQG3O+bh/R2eIGAJDao/AclJI+kfckeY5DzRTibPex+rGAkxZ +8qHtlCb0WeUbL3mgl9f3LlbPH77w1on6XqqIaQ+ODSS/3CUOIhNI3lrGO7mIqhSC +0n+rpqLHeVLpLkz0IFvsJOp9UOHDCA8oL0cQtJGP1pN7muKR9nCVtoNuN41JapoO +4ZaHe5Y0r5MIofSYjgRDt/rHAQQA0JkZeitcyQMqk2xGd/5mGoc4+YNwQo8OSmVw +IvY8UAI3tBorhF6ha9niaqZU4vdldTnXMU0j1oPckAhOgRPaOvaEZhYUTF0F/15p +iAF5dkZQ6dsmXVUkPNYMZTpkc2nA+IACBiOmygGBkLFuXvHRW1i6SNz28iRH/UZc +YLi/2iEAIIFWUJm0Jldlcm5lciBLb2NoIChkaXN0IHNpZykgPGRkOWpuQGdudS5v +cmc+iLwEEwECACYCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAUCTS2MtwUJClRO +YQAKCRBTtiDQHODGMPB4A/0U1DJR9LbkWuBs8Ko6KJoKLMVI6iYNJBhAtm3dxWeU +xA16eYDWW/b9Lk5KnjtSWuGOeqa7MCsXnkyHkO88KE9IcM3mFnhfFN2qagd/nRch +l9MPsdOgf/ug7j72Alv2V8s28R10HTjfwySe/omXWwK3qn8ou6N7ID+EwCV7i2e2 +u5kBogQ1oh4eEQQA/pdK4Oafa1uDN7Cr5nss4bNpg8YUSg01VVJ08KTCEdpCAPaU ++NzaP3KD2ow74WU2gzP70s9uSGQ2Vie4BLvOkaaBHba/3ivBrg3ILFrxbOfmKQg8 +Fhtncd/TBOwzfkkbxBNcVJuBPRtjZ3dlDbS4IPNsIIv2SuCIfQmA8qNGvWsAoIrJ +90b2fzERCZkKtfkoyYA8fnNrBADhJ8RmIrKiCnDk3Tzk04nu6O8fp3ptrmnO7jlu +vDfsEVsYRjyMbDnbnjCGu1PeFoP2HZ+H9lp4CaQbyjWh2JlvI9UOc72V16SFkV0r +8k0euNQXHhhzXWIkfz4gwSbBkN2nO5+6cIVeKnsdyFYkQyVs+Q86/PMfjo7utyrc +WLq1CAQAou3da1JR6+KJO4gUZVh2F1NoaVCEPAvlDhNV10/hwe5mS0kTjUJ1jMl5 
+6mwAFvhFFF9saW+eAnrwIOHjopbdHrPBmTJlOnNMHVLJzFlqjihwRRZQyL8iNu2m +farn9Mr28ut5BQmp0CnNEJ6hl0Cs7l2xagWFtlEK2II144vK3fG0J1dlcm5lciBL +b2NoIChnbnVwZyBzaWcpIDxkZDlqbkBnbnUub3JnPohhBBMRAgAhAheABQkOFIf9 +BQJBvGheBgsJCAcDAgMVAgMDFgIBAh4BAAoJEGi3q4lXVI3NBJMAn01313ag0tgj +rGUZtDlKYbmNIeMeAJ0UpVsjxpylBcSjsPE8MAki7Hb2Rw== +=W3eM +-----END PGP PUBLIC KEY BLOCK----- diff --git a/libksba.spec b/libksba.spec new file mode 100644 index 0000000..585f27d --- /dev/null +++ b/libksba.spec 
@@ -0,0 +1,100 @@
+#
+# spec file for package libksba
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+%define soname 8
+Name: libksba
+Version: 1.3.5
+Release: 150000.4.6.1
+Summary: A X.509 Library
+License: (LGPL-3.0+ or GPL-2.0+) and GPL-3.0+ and MIT
+Group: Development/Libraries/C and C++
+Url: http://www.gnupg.org/aegypten/
+Source: ftp://ftp.gnupg.org/gcrypt/libksba/%{name}-%{version}.tar.bz2
+Source2: ftp://ftp.gnupg.org/gcrypt/libksba/%{name}-%{version}.tar.bz2.sig
+Source3: libksba.keyring
+Source4: libksba.changes
+Patch0: libksba-CVE-2022-3515.patch
+#PATCH-FIX-UPSTREAM bsc#1206579 CVE-2022-47629 integer overflow in the CRL signature parser
+Patch1: libksba-CVE-2022-47629.patch
+BuildRequires: libgpg-error-devel >= 1.8
+# FIXME: use proper Requires(pre/post/preun/...)
+PreReq: %{install_info_prereq}
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+
+%description
+KSBA is a library to simplify the task of working with X.509
+certificates, CMS data, and related data.
+
+%package -n %{name}%{soname}
+Summary: A X.509 Library
+Group: Development/Libraries/C and C++
+Provides: %{name} = %{version}
+Obsoletes: %{name} < %{version}
+
+%description -n %{name}%{soname}
+KSBA is a library to simplify the task of working with X.509
+certificates, CMS data, and related data.
+
+%package devel
+Summary: A X.509 Library
+Group: Development/Libraries/C and C++
+Requires: libgpg-error-devel
+Requires: libksba = %{version}
+Provides: libksba:%{_includedir}/ksba.h
+
+%description devel
+KSBA is a library to simplify the task of working with X.509
+certificates, CMS data, and related data.
+
+This package contains the needed files to compile and link against the
+libksba.
+
+%prep
+%setup -q -n libksba-%{version}
+%patch0 -p1
+%patch1 -p1
+
+%build
+build_timestamp=$(date -u +%{Y}-%{m}-%{dT}%{H}:%{M}+0000 -r %{SOURCE4})
+%configure \
+ --disable-static \
+ --with-pic \
+ --enable-build-timestamp="${build_timestamp}"
+
+make %{?_smp_mflags}
+
+%check
+make %{?_smp_mflags} check
+
+%install
+make %{?_smp_mflags} DESTDIR=%{buildroot} install
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%post -n %{name}%{soname} -p /sbin/ldconfig
+%postun -n %{name}%{soname} -p /sbin/ldconfig
+
+%files -n %{name}%{soname}
+%defattr(-,root,root)
+%license COPYING
+%doc README AUTHORS ChangeLog NEWS THANKS TODO
+%{_libdir}/libksba*.so.*
+
+%post devel
+%install_info --info-dir=%{_infodir} %{_infodir}/ksba.info.gz
+
+%postun devel
+%install_info_delete --info-dir=%{_infodir} %{_infodir}/ksba.info.gz
+
+%files devel
+%defattr(-,root,root)
+%{_bindir}/*
+%{_libdir}/libksba*.so
+%{_includedir}/*
+%{_infodir}/ksba*
+%{_datadir}/aclocal/*
+
+%changelog
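Review bot: Nothing in the visible `%prep` checks `Source` against the detached signature in `Source2` with the keyring in `Source3`, so with both tarball URLs on `ftp://` the integrity of libksba-1.3.5.tar.bz2 rests on whatever the build service does outside this spec and on the digest in `.libksba.metadata`. If the build environment does not verify detached signatures on its own, add an explicit verification step at the top of `%prep` (with the matching `BuildRequires`) and record it with a comment such as `# Source2/Source3: upstream detached signature and keyring, verified in %prep`. Separately, `date -u +%{Y}-%{m}-%{dT}%{H}:%{M}+0000` in `%build` uses rpm macro braces where strftime conversions appear to be intended; if so it should read `date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE4}`, otherwise the value passed to `--enable-build-timestamp` is not a timestamp. `Patch0` also lacks the `#PATCH-FIX-UPSTREAM` tag line that `Patch1` carries.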