pkgsrc-Changes archive


CVS commit: pkgsrc/security/nettle



Module Name:    pkgsrc
Committed By:   adam
Date:           Mon Jun  7 18:57:58 UTC 2021

Modified Files:
        pkgsrc/security/nettle: Makefile distinfo

Log Message:
nettle: updated to 3.7.3

NEWS for the Nettle 3.7.3 release

This is a bugfix release, fixing bugs that could make the RSA
decryption functions crash on invalid inputs.

Upgrading to the new version is strongly recommended. For
applications that want to support older versions of Nettle,
the bug can be worked around by adding a check that the RSA
ciphertext is in the range 0 < ciphertext < n, before
attempting to decrypt it.

Thanks to Paul Schaub and Justus Winter for reporting these
problems.

The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.4 and libhogweed.so.6.4, with sonames
libnettle.so.8 and libhogweed.so.6.

Bug fixes:

* Fix crash for zero input to rsa_sec_decrypt and
  rsa_decrypt_tr. Potential denial of service vector.

* Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
  failure for out of range inputs, instead of either crashing,
  or silently reducing input modulo n. Potential denial of
  service vector.

* Ensure that rsa_decrypt returns failure for out of range
  inputs, instead of silently reducing input modulo n.

* Ensure that rsa_sec_decrypt returns failure if the message
  size is too large for the given key. Unlike the other bugs,
  this would typically be triggered by invalid local
  configuration, rather than by processing untrusted remote
  data.


To generate a diff of this commit:
cvs rdiff -u -r1.26 -r1.27 pkgsrc/security/nettle/Makefile
cvs rdiff -u -r1.21 -r1.22 pkgsrc/security/nettle/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/nettle/Makefile
diff -u pkgsrc/security/nettle/Makefile:1.26 pkgsrc/security/nettle/Makefile:1.27
--- pkgsrc/security/nettle/Makefile:1.26        Sun Mar 21 20:03:09 2021
+++ pkgsrc/security/nettle/Makefile     Mon Jun  7 18:57:58 2021
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.26 2021/03/21 20:03:09 adam Exp $
+# $NetBSD: Makefile,v 1.27 2021/06/07 18:57:58 adam Exp $
 
-DISTNAME=      nettle-3.7.2
+DISTNAME=      nettle-3.7.3
 CATEGORIES=    devel security
 MASTER_SITES=  http://www.lysator.liu.se/~nisse/archive/
 MASTER_SITES+= ftp://ftp.lysator.liu.se/pub/security/lsh/
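
Review bot: The two MASTER_SITES context lines at the end of this hunk still use http:// and ftp://, so the nettle-3.7.3 tarball that DISTNAME now selects is fetched without transport protection and its integrity rests on the distinfo checksums alone. If upstream serves the archive over https, switch MASTER_SITES to it in this same update, since the release being pulled in is a security fix.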

Index: pkgsrc/security/nettle/distinfo
diff -u pkgsrc/security/nettle/distinfo:1.21 pkgsrc/security/nettle/distinfo:1.22
--- pkgsrc/security/nettle/distinfo:1.21        Sun Mar 21 20:03:09 2021
+++ pkgsrc/security/nettle/distinfo     Mon Jun  7 18:57:58 2021
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.21 2021/03/21 20:03:09 adam Exp $
+$NetBSD: distinfo,v 1.22 2021/06/07 18:57:58 adam Exp $
 
-SHA1 (nettle-3.7.2.tar.gz) = d617fbcf8d301dfd887129c3883629d4d097c579
-RMD160 (nettle-3.7.2.tar.gz) = 78dced3b71dbcb531f0b0a27c8f9c858d1cbe47b
-SHA512 (nettle-3.7.2.tar.gz) = 5f6edcc24ff620885b24394b31e55b494418c35dd63e6ece222ddabc58e793c44a82155051cc5759896ed5f014a8efd547f0aef6736a131e41651c5cab7c7211
-Size (nettle-3.7.2.tar.gz) = 2382309 bytes
+SHA1 (nettle-3.7.3.tar.gz) = 9adfadd4ae4104c8aceb38bf16064d65d7edbcce
+RMD160 (nettle-3.7.3.tar.gz) = f5314ed30570326464cbc4c7af0d0984d80aee9a
+SHA512 (nettle-3.7.3.tar.gz) = 9901eba305421adff6d551ac7f478dff3f68a339d444c776724ab0b977fe6be792b1d2950c8705acbe76bd924fd6d898a65eded546777884be3b436d0e052437
+Size (nettle-3.7.3.tar.gz) = 2383985 bytes
 SHA1 (patch-Makefile.in) = ddc92dc4343df2723fbbfd1ef1afc01f1d576b09
 SHA1 (patch-aa) = 2332668b077a6e3a1add603c87f60167755554ec
 SHA1 (patch-config.make.in) = 708fb3cac9c44825e0d231541cbecade2239c850
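
Review bot: The new SHA1, RMD160, SHA512 and Size lines for nettle-3.7.3.tar.gz are the only integrity anchor for the distfile, and the log message does not say how the tarball was validated before they were regenerated. Note in the commit message whether it was checked against an upstream signature or published checksum. The three patch-* entries in the trailing context are unchanged, which is right only if the local patches still apply cleanly to 3.7.3; confirm that as part of the update.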


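The workaround named in the NEWS text (reject any RSA ciphertext outside 0 < ciphertext < n before decrypting), as an added example that is not code from Nettle or pkgsrc. It assumes the ciphertext and modulus are still big-endian octet strings; the function name and the toy values are made up for illustration. Once both values are in GMP form, the same test is `mpz_sgn(c) > 0 && mpz_cmp(c, n) < 0`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Skip leading zero octets of a big-endian unsigned integer. */
static size_t strip_zeros(const uint8_t **p, size_t len)
{
    while (len > 0 && **p == 0) { (*p)++; len--; }
    return len;
}

/*
 * Return 1 if 0 < c < n, else 0. Both arguments are big-endian unsigned
 * octet strings. Ciphertext and modulus are public values, so an
 * early-exit (variable-time) comparison is acceptable here.
 */
int rsa_ciphertext_in_range(const uint8_t *c, size_t clen,
                            const uint8_t *n, size_t nlen)
{
    clen = strip_zeros(&c, clen);
    nlen = strip_zeros(&n, nlen);

    if (clen == 0)                 /* c == 0: the zero-input crash case */
        return 0;
    if (clen != nlen)              /* more significant octets: larger   */
        return clen < nlen;
    for (size_t i = 0; i < clen; i++)
        if (c[i] != n[i])
            return c[i] < n[i];
    return 0;                      /* c == n is out of range as well    */
}

/* Constructed toy values, not a real key; real moduli are far longer. */
static const uint8_t toy_n[]    = { 0x00, 0xC5, 0x3B, 0x11 };
static const uint8_t toy_zero[] = { 0x00, 0x00, 0x00 };
static const uint8_t toy_ok[]   = { 0x7F, 0xFF, 0x02 };
static const uint8_t toy_big[]  = { 0xC5, 0x3B, 0x12 };
static const uint8_t toy_long[] = { 0x01, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("zero=%d ok=%d big=%d long=%d\n",
           rsa_ciphertext_in_range(toy_zero, sizeof toy_zero, toy_n, sizeof toy_n),
           rsa_ciphertext_in_range(toy_ok, sizeof toy_ok, toy_n, sizeof toy_n),
           rsa_ciphertext_in_range(toy_big, sizeof toy_big, toy_n, sizeof toy_n),
           rsa_ciphertext_in_range(toy_long, sizeof toy_long, toy_n, sizeof toy_n));
    return 0;
}
```

Call the check on the raw ciphertext before handing it to rsa_decrypt, rsa_decrypt_tr or rsa_sec_decrypt, and treat a 0 result as a decryption failure.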
