From 85f4a903cfacac21a0bcafcb5a3ffb8055c78c1f Mon Sep 17 00:00:00 2001 From: Tomas Halman Date: Wed, 26 Jul 2023 22:17:03 +0200 Subject: [PATCH] Rebase to vesrion 0.6.2.2 --- .gitignore | 1 + ...ne-OPENSSL_API_COMPAT-to-0x10101000L.patch | 53 ------------- cjose.spec | 17 ++--- concatkdf.patch | 74 ------------------- sources | 2 +- 5 files changed, 9 insertions(+), 138 deletions(-) delete mode 100644 0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch delete mode 100644 concatkdf.patch diff --git a/.gitignore b/.gitignore index 261c4d8..c6a5297 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ /cjose-0.5.1.tar.gz /cjose-0.6.1.tar.gz +/cjose-0.6.2.2.tar.gz diff --git a/0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch b/0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch deleted file mode 100644 index 5a6278d..0000000 --- a/0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch +++ /dev/null @@ -1,53 +0,0 @@ -From b339a18aa06c78d64ac33d891d400eac7b86fff3 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Mon, 17 May 2021 13:30:24 +0200 -Subject: [PATCH] Define OPENSSL_API_COMPAT to 0x10101000L - ---- - src/jwe.c | 2 ++ - src/jwk.c | 2 ++ - src/jws.c | 2 ++ - 3 files changed, 6 insertions(+) - -diff --git a/src/jwe.c b/src/jwe.c -index 822d408..d6f3149 100644 ---- a/src/jwe.c -+++ b/src/jwe.c -@@ -5,6 +5,8 @@ - * Copyright (c) 2014-2016 Cisco Systems, Inc. All Rights Reserved. - */ - -+#define OPENSSL_API_COMPAT 0x10101000L -+ - #include - #include - #include -diff --git a/src/jwk.c b/src/jwk.c -index 860f0e7..87408e9 100644 ---- a/src/jwk.c -+++ b/src/jwk.c -@@ -5,6 +5,8 @@ - * Copyright (c) 2014-2016 Cisco Systems, Inc. All Rights Reserved. - */ - -+#define OPENSSL_API_COMPAT 0x10101000L -+ - #include "include/jwk_int.h" - #include "include/util_int.h" - -diff --git a/src/jws.c b/src/jws.c -index 4e03554..9d682a0 100644 ---- a/src/jws.c -+++ b/src/jws.c -@@ -5,6 +5,8 @@ - * Copyright (c) 2014-2016 Cisco Systems, Inc. All Rights Reserved. - */ - -+#define OPENSSL_API_COMPAT 0x10101000L -+ - #include - #include - #include --- -2.31.1 - diff --git a/cjose.spec b/cjose.spec index cab9ffe..9621e30 100644 --- a/cjose.spec +++ b/cjose.spec @@ -1,17 +1,11 @@ Name: cjose -Version: 0.6.1 -Release: 14%{?dist} +Version: 0.6.2.2 +Release: 1%{?dist} Summary: C library implementing the Javascript Object Signing and Encryption (JOSE) License: MIT -URL: https://github.com/cisco/cjose -Source0: https://github.com/cisco/%{name}/archive/%{version}/%{name}-%{version}.tar.gz - -Patch1: concatkdf.patch - -# Patch taken from CentOS Stream: -# https://gitlab.com/redhat/centos-stream/rpms/cjose/-/blob/c9s/0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch -Patch2: 0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch +URL: https://github.com/OpenIDC/cjose +Source0: https://github.com/OpenIDC/cjose/releases/download/v%{version}/cjose-%{version}.tar.gz BuildRequires: gcc BuildRequires: doxygen @@ -67,6 +61,9 @@ make check || (cat test/test-suite.log; exit 1) %changelog +* Wed Jul 26 2023 Tomas Halman - 0.6.2.2-1 +- Rebase to version 0.6.2.2. Solves CVE-2023-37464. + * Wed Jul 19 2023 Fedora Release Engineering - 0.6.1-14 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild diff --git a/concatkdf.patch b/concatkdf.patch deleted file mode 100644 index abeccaf..0000000 --- a/concatkdf.patch +++ /dev/null @@ -1,74 +0,0 @@ -commit 0238eb8f3612515f4374381b593dd79116169330 -Author: John Dennis -Date: Thu Aug 2 16:21:33 2018 -0400 - - fix concatkdf failures on big endian architectures - - Several of the elements used to compute the digest in ECDH-ES key - agreement computation are represented in binary form as a 32-bit - integer length followed by that number of octets. the length - field. The 32-bit length integer is represented in big endian - format (the 8 most significant bits are in the first octet.). - - The conversion to a 4 byte big endian integer was being computed - in a manner that only worked on little endian architectures. The - function htonl() returns a 32-bit integer whose octet sequence given - the address of the integer is big endian. There is no need for any - further manipulation. - - The existing code used bit shifting on a 32-bit value. In C bit - shifting is endian agnostic for multi-octet values, a right shift - moves most significant bits toward least significant bits. The result - of a bit shift of a multi-octet value on either big or little - archictures will always be the same provided you "view" it as the same - data type (e.g. 32-bit integer). But indexing the octets of that - mulit-octet value will be different depending on endianness, hence the - assembled octets differed depending on endianness. - - Issue: #77 - Signed-off-by: John Dennis - -diff --git a/src/concatkdf.c b/src/concatkdf.c -index ec064ab..59b845a 100644 ---- a/src/concatkdf.c -+++ b/src/concatkdf.c -@@ -29,15 +29,9 @@ - //////////////////////////////////////////////////////////////////////////////// - static uint8_t *_apply_uint32(const uint32_t value, uint8_t *buffer) - { -- const uint32_t formatted = htonl(value); -- const uint8_t data[4] = { -- (formatted >> 0) & 0xff, -- (formatted >> 8) & 0xff, -- (formatted >> 16) & 0xff, -- (formatted >> 24) & 0xff -- }; -- memcpy(buffer, data, 4); -+ const uint32_t big_endian_int32 = htonl(value); - -+ memcpy(buffer, &big_endian_int32, 4); - return buffer + 4; - } - -diff --git a/test/check_concatkdf.c b/test/check_concatkdf.c -index e4325fc..41d0f1c 100644 ---- a/test/check_concatkdf.c -+++ b/test/check_concatkdf.c -@@ -60,14 +60,9 @@ _create_otherinfo_header_finish: - - static bool _cmp_uint32(uint8_t **actual, uint32_t expected) - { -- uint32_t value = htonl(expected); -- uint8_t expectedData[] = { -- (value >> 0) & 0xff, -- (value >> 8) & 0xff, -- (value >> 16) & 0xff, -- (value >> 24) & 0xff -- }; -- bool result = (0 == memcmp(*actual, expectedData, 4)); -+ uint32_t big_endian_int32 = htonl(expected); -+ -+ bool result = (0 == memcmp(*actual, &big_endian_int32, 4)); - (*actual) += 4; - return result; - } diff --git a/sources b/sources index 8ea2476..aba9fa0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (cjose-0.6.1.tar.gz) = 7ae67a6d19591b3d19b888270ec0ca17df399bea117e42686fc1de39b3741ed9a8816f96d33d090687c49c3123cdc95430a781835a525a02d22561ebf5aaa653 +SHA512 (cjose-0.6.2.2.tar.gz) = 71a087709816f0aac060a7c5f037068e981366b1809f6ee32e39eaded02ad8be061b0e2fa5093515a8acec10c7f4aca232281004426221b4b7e5edbd203eb49c