Package: libcrypto++ / 5.6.4-8

Metadata

Package: libcrypto++
Version: 5.6.4-8
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
Fix_potential_zeroizer_removal.patch

cast.cpp | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix potential zeroizer removal (issue 331)


Hurd compile fix.patch

config.h | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] fix compile under debian hurd (i386) debian hurd defines
 __MACH__, and it was picking up "#define CRYPTOPP_SECTION_INIT
 __attribute__((section (__DATA,__data)))" intended for Apple linkers


integer.diff

integer.cpp | 24 23 + 1 - 0 !
integer.h | 12 8 + 4 - 0 !
2 files changed, 31 insertions(+), 5 deletions(-)

CVE 2016 9939.patch

asn.cpp | 10 10 + 0 - 0 !
asn.h | 2 2 + 0 - 0 !
2 files changed, 12 insertions(+)

 [patch] fix possible dos in asn.1 decoders (cve-2016-9939)


Additional_ASN.1_validations.patch

asn.cpp | 11 6 + 5 - 0 !
asn.h | 32 21 + 11 - 0 !
2 files changed, 27 insertions(+), 16 deletions(-)

 [patch] add additional validations based on x.690 rules

The library was a tad bit fast and loose with respect to parsing some of the ASN.1 presented to it. It was kind of like we used Alternate Encoding Rules (AER), which was more relaxed than BER, CER or DER. This commit closes most of the gaps.

The changes are distantly related to Issue 346. Issue 346 caught a CVE because of the transient DoS. These fixes did not surface with negative effects. Rather, the library was a bit too accommodating to the point it was not conforming

zinflate 564.diff

zinflate.cpp | 4 4 + 0 - 0 !
zinflate.h | 1 1 + 0 - 0 !
2 files changed, 5 insertions(+)

 add inflator::baddistanceerr exception
 The improved validation and exception clear the Address Sanitizer and
 Undefined Behavior Sanitizer findings