Accepting request 898784 from home:polslinux:branches:security:tls

- GNU Nettle 3.7.3:
  * Fix crash for zero input to rsa_sec_decrypt and
    rsa_decrypt_tr. Potential denial of service vector.
  * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
    failure for out of range inputs, instead of either crashing,
    or silently reducing input modulo n. Potential denial of
    service vector.
  * Ensure that rsa_decrypt returns failure for out of range
    inputs, instead of silently reducing input modulo n.
  * Ensure that rsa_sec_decrypt returns failure if the message
    size is too large for the given key. Unlike the other bugs,
    this would typically be triggered by invalid local
    configuration, rather than by processing untrusted remote
    data.

OBS-URL: https://build.opensuse.org/request/show/898784
OBS-URL: https://build.opensuse.org/package/show/security:tls/libnettle?expand=0&rev=21

libnettle.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Wed Jun  9 10:57:22 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>
+
+- GNU Nettle 3.7.3:
+  * Fix crash for zero input to rsa_sec_decrypt and
+    rsa_decrypt_tr. Potential denial of service vector.
+  * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return
+    failure for out of range inputs, instead of either crashing,
+    or silently reducing input modulo n. Potential denial of
+    service vector.
+  * Ensure that rsa_decrypt returns failure for out of range
+    inputs, instead of silently reducing input modulo n.
+  * Ensure that rsa_sec_decrypt returns failure if the message
+    size is too large for the given key. Unlike the other bugs,
+    this would typically be triggered by invalid local
+    configuration, rather than by processing untrusted remote
+    data.
+
 -------------------------------------------------------------------
 Sun Mar 21 10:17:35 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
 

libnettle.spec

@@ -19,14 +19,14 @@
 %define soname 8
 %define hogweed_soname 6
 Name:           libnettle
-Version:        3.7.2
+Version:        3.7.3
 Release:        0
 Summary:        Cryptographic Library
-License:        LGPL-2.1-or-later AND GPL-2.0-or-later
+License:        GPL-2.0-or-later AND LGPL-2.1-or-later
 Group:          Development/Libraries/C and C++
 URL:            https://www.lysator.liu.se/~nisse/nettle/
-Source0:        https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz
-Source1:        https://www.lysator.liu.se/~nisse/archive/nettle-%{version}.tar.gz.sig
+Source0:        https://ftp.gnu.org/gnu/nettle/nettle-%{version}.tar.gz
+Source1:        https://ftp.gnu.org/gnu/nettle/nettle-%{version}.tar.gz.sig
 Source2:        %{name}.keyring
 Source3:        baselibs.conf
 Source4:        %{name}-rpmlintrc
@@ -79,7 +79,7 @@ Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space.
 
 %package -n nettle
 Summary:        Cryptographic Tools
-License:        LGPL-2.1-or-later AND GPL-2.0-or-later
+License:        GPL-2.0-or-later AND LGPL-2.1-or-later
 Group:          Productivity/Security
 
 %description -n nettle

nettle-3.7.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162
-size 2382309

nettle-3.7.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:661f5eb03f048a3b924c3a8ad2515d4068e40f67e774e8a26827658007e3bcf0
+size 2383985