pkgsrc-Changes archive
CVS commit: pkgsrc/textproc/cjose
Module Name: pkgsrc
Committed By: markd
Date: Sat Jun 13 10:02:34 UTC 2026
Modified Files:
pkgsrc/textproc/cjose: Makefile distinfo
Added Files:
pkgsrc/textproc/cjose/patches: patch-configure
Removed Files:
pkgsrc/textproc/cjose/patches: patch-concatkdf.c
Log Message:
cjose: update to 0.6.2.6
0.6.2.6
* **Security fix**: AES-CBC-HMAC JWE encryption used an all-zero content-encryption key.
`_cjose_jwe_set_cek_aes_cbc` inverted the "random" flag and zero-filled the CEK instead
of generating it from `RAND_bytes`. Every JWE produced with an AES-CBC-HMAC `enc`
(A128CBC-HS256 / A192CBC-HS384 / A256CBC-HS512) combined with a non-`dir` key-management
`alg` (A128/192/256KW, RSA-OAEP, RSA1_5) was encrypted and authenticated under an
all-zero key, breaking confidentiality and integrity for those ciphertexts. The `dir`
algorithm and all AES-GCM `enc` values were not affected. Adds a regression test.
* Additional hardening from a security audit of `jwe.c` / `jwk.c` / `jws.c`:
  * Fix EVP_CIPHER_CTX leak in AES-CBC content encryption on authentication-tag failure
  * Avoid NULL dereference of the optional `cjose_err` in ECDH-ES key decryption
  * Use a constant-time comparison for the multi-recipient CEK consistency check
  * Cleanse private key material (RSA/EC/oct) on JWK import and export, and fix a leak of
    the base64url buffer in EC private-key export
  * Check the ephemeral-key allocation in ECDH key derivation
  * Use integer arithmetic (instead of floating-point) for the base64url length check on
    imported JWK fields
  * Harden JWS EC signature reconstruction against allocation failures (NULL checks on
    ECDSA_SIG_new and BN_new)
  * Enforce the RFC 7518 minimum HMAC key length (key >= hash size) for JWS sign/verify
0.6.2.5
* Fix heap buffer overflow in AES key unwrap by validating the encrypted_key length before
AES_unwrap_key
* Fix functions that rely on nonportable malloc behaviour
* Merge fixes from cisco/cjose
* Check ECDH secret allocation result
* Check base64 decode length bounds
* Guard JWK retain count overflow
* Enforce JOSE IV lengths
* Check JOSE algorithms against key types
* Validate critical JOSE headers
* Cleanse sensitive buffers before release
* Guard JWE buffer length calculations
* Use OpenSSL constant-time comparisons
* Validate EC inputs before key agreement
* Fix JWS import allocation handling
0.6.2.4
* fix memory leak in ECDH-ES JWE encryption/decryption
* fix rsa_q = NULL initialization in _RSA_private_fields
* fix memory allocation check (typo) in jwk.c
* fix gcc10 errors for -Werror=ignored-qualifiers and remove unused includes
* re-generate automake/autoconf files with automake v1.17 and libtool v2.5.4
0.6.2.3
* disable RSA PKCS 1.5 by default
* avoid using empty prototypes; support Clang 15 and XCode 14.3
* build shared library on Cygwin by adding -no-undefined to LDFLAGS
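The inverted "random" flag described in the 0.6.2.6 entry, and the kind of regression check that catches it, as an added C model; this is not cjose's code. The function names, the /dev/urandom read standing in for RAND_bytes, and the 32-byte A128CBC-HS256 key layout are assumptions of the example.

```c
/* Added example, not cjose code: models the CEK bug from the 0.6.2.6 changelog
 * and a regression check for it. All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CEK_LEN 32 /* A128CBC-HS256 CEK: 16-byte MAC key || 16-byte AES key */

/* Stand-in for RAND_bytes: read len bytes from the OS CSPRNG. */
static bool fill_random(uint8_t *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return false;
    size_t n = fread(buf, 1, len, f);
    fclose(f);
    return n == len;
}

/* Behaviour the changelog describes: the flag test is inverted, so a caller
 * asking for a fresh random CEK receives an all-zero one instead. */
static bool set_cek_buggy(bool random, uint8_t *cek) {
    if (!random)                 /* inverted: should be `if (random)` */
        return fill_random(cek, CEK_LEN);
    memset(cek, 0, CEK_LEN);     /* zero-filled content-encryption key */
    return true;
}

/* Fixed behaviour: random=true generates the key; random=false (the `dir`
 * case) keeps the caller-supplied key bytes untouched. */
static bool set_cek_fixed(bool random, uint8_t *cek) {
    if (random) return fill_random(cek, CEK_LEN);
    return true;
}

/* Regression check: OR every byte so the scan has no data-dependent exit. */
static bool cek_is_all_zero(const uint8_t *cek) {
    uint8_t acc = 0;
    for (size_t i = 0; i < CEK_LEN; i++) acc |= cek[i];
    return acc == 0;
}

/* True when the buggy path is caught by the check (zero key produced). */
bool buggy_path_yields_zero_cek(void) {
    uint8_t cek[CEK_LEN];
    return set_cek_buggy(true, cek) && cek_is_all_zero(cek);
}

/* True when the fixed path produces a non-zero key on request. */
bool fixed_path_yields_random_cek(void) {
    uint8_t cek[CEK_LEN];
    return set_cek_fixed(true, cek) && !cek_is_all_zero(cek);
}
```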
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 pkgsrc/textproc/cjose/Makefile \
pkgsrc/textproc/cjose/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/textproc/cjose/patches/patch-concatkdf.c
cvs rdiff -u -r0 -r1.1 pkgsrc/textproc/cjose/patches/patch-configure
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/textproc/cjose/Makefile
diff -u pkgsrc/textproc/cjose/Makefile:1.6 pkgsrc/textproc/cjose/Makefile:1.7
--- pkgsrc/textproc/cjose/Makefile:1.6 Tue Oct 24 22:11:17 2023
+++ pkgsrc/textproc/cjose/Makefile Sat Jun 13 10:02:33 2026
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.6 2023/10/24 22:11:17 wiz Exp $
+# $NetBSD: Makefile,v 1.7 2026/06/13 10:02:33 markd Exp $
-DISTNAME= cjose-0.6.2.2
-PKGREVISION= 1
+DISTNAME= cjose-0.6.2.6
CATEGORIES= textproc
MASTER_SITES= ${MASTER_SITE_GITHUB:=OpenIDC/}
GITHUB_TAG= v${PKGVERSION_NOREV}
Index: pkgsrc/textproc/cjose/distinfo
diff -u pkgsrc/textproc/cjose/distinfo:1.6 pkgsrc/textproc/cjose/distinfo:1.7
--- pkgsrc/textproc/cjose/distinfo:1.6 Sun Nov 12 16:50:10 2023
+++ pkgsrc/textproc/cjose/distinfo Sat Jun 13 10:02:33 2026
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.6 2023/11/12 16:50:10 rillig Exp $
+$NetBSD: distinfo,v 1.7 2026/06/13 10:02:33 markd Exp $
-BLAKE2s (cjose-0.6.2.2.tar.gz) = 08f6e34b02ffe9dace8413c131db10a9e074900c684d2c44f8216beb532c30f5
-SHA512 (cjose-0.6.2.2.tar.gz) = 71a087709816f0aac060a7c5f037068e981366b1809f6ee32e39eaded02ad8be061b0e2fa5093515a8acec10c7f4aca232281004426221b4b7e5edbd203eb49c
-Size (cjose-0.6.2.2.tar.gz) = 498461 bytes
-SHA1 (patch-concatkdf.c) = 730001ddc2c0020f560fd8235b076cc262856edb
+BLAKE2s (cjose-0.6.2.6.tar.gz) = a9c838fe02dc5a988358e20fdfec9b96017e5445c57c2322f1db1eb421ef8518
+SHA512 (cjose-0.6.2.6.tar.gz) = 83815c685e1080d34bb36fb932184c97f581d6636e2c34d0f8aea44e6d01e0544b1ec9b2b94e5beafab13999c08ff146076fd27ea3cfc79413891c81251c5ea6
+Size (cjose-0.6.2.6.tar.gz) = 518324 bytes
+SHA1 (patch-configure) = 012bf495c18c743d005443f0a8a1fe8385ce714a
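Review bot: the log message does not say why patch-concatkdf.c is dropped, although this hunk removes its `SHA1 (patch-concatkdf.c)` line to match the Removed Files entry; add a sentence to the commit message stating that the local ConcatKDF fix is no longer needed with 0.6.2.6 (presumably merged upstream), so the patch history stays traceable.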
Added files:
Index: pkgsrc/textproc/cjose/patches/patch-configure
diff -u /dev/null pkgsrc/textproc/cjose/patches/patch-configure:1.1
--- /dev/null Sat Jun 13 10:02:34 2026
+++ pkgsrc/textproc/cjose/patches/patch-configure Sat Jun 13 10:02:33 2026
@@ -0,0 +1,15 @@
+$NetBSD: patch-configure,v 1.1 2026/06/13 10:02:33 markd Exp $
+
+test ... == ...
+
+--- configure.orig 2026-06-02 13:25:04.000000000 +0000
++++ configure
+@@ -17082,7 +17082,7 @@ fi
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $rsapkcs1_5" >&5
+ printf "%s\n" "$rsapkcs1_5" >&6; }
+
+-if test "x$rsapkcs1_5" == xyes ; then
++if test "x$rsapkcs1_5" = xyes ; then
+ printf "%s\n" "#define HAVE_RSA_PKCS1_PADDING 1" >>confdefs.h
+
+ fi
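Review bot: the patch comment `+test ... == ...` is too terse for the pkgsrc convention that a patch explains its purpose and upstream status; spell out that `==` is not a POSIX test(1) operator, so the `x$rsapkcs1_5` check can fail under a strict /bin/sh even when the option was requested, and note whether this was reported upstream (configure is generated, so the lasting fix belongs in configure.ac while this patch keeps the shipped configure working without autoreconf).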