Accepting request 620425 from home:deadpoint:branches:security

- v1.18.2
  - Fix Side Channel Based ECDSA Key Extraction (CVE-2018-12437) (PR #408)
  - Fix potential stack overflow when DER flexi-decoding (CVE-2018-0739) (PR #373)
  - Fix two-key 3DES (PR #390)
  - Fix accelerated CTR mode (PR #359)
  - Fix Fortuna PRNG (PR #363)
  - Fix compilation on platforms where cc doesn't point to gcc (PR #382)
  - Fix using the wrong environment variable LT instead of LIBTOOL (PR #392)
  - Fix build on platforms where the compiler provides __WCHAR_MAX__ but wchar.h is not available (PR #390)
  - Fix & re-factor crypt_list_all_sizes() and crypt_list_all_constants() (PR #414)
  - Minor fixes (PR's #350 #351 #375 #377 #378 #379)
` 
- Added libtommath-devl build requirement
- Added baselibs.conf
- v1.18.1
  - Fix wrong SHA3 blocksizes, thanks to Claus Fischer for reporting this via Mail (PR #329)
  - Fix NULL-pointer dereference in `ccm_memory()` with LTC_CLEAN_STACK enabled (PR #327)
  - Fix `ccm_process()` being unable to process input buffers longer than 256 bytes (PR #326)
  - Fix the `register_all_{ciphers,hashes,prngs}()` return values (PR #316)
  - Fix some typos, warnings and duplicate prototypes in code & doc (PR's #310 #320 #321 #335)
  - Fix possible undefined behavior with LTC_PTHREAD (PR #337)
  - Fix some DER bugs (PR #339)
  - Fix CTR-mode when accelerator is used (OP-TEE/optee_os #2086)
  - Fix installation procedure (Issue #340) 
- udpate to version 1.18.0
- removed up upstream patches

OBS-URL: https://build.opensuse.org/request/show/620425
OBS-URL: https://build.opensuse.org/package/show/security/libtomcrypt?expand=0&rev=12

baselibs.conf

@@ -0,0 +1 @@
+libtomcrypt1

crypt-1.17.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e33b47d77a495091c8703175a25c8228aff043140b2554c08a3c3cd71f79d116
-size 1599215

crypt-1.17.tar.bz2.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.4 (GNU/Linux)
-
-iD8DBQBGRdNFsP+tEsHHY0ARAjirAJ97qw0H+q4JIvLielG2F7787o2ZGgCfW7jb
-Fa28B7W8juDRggQPH+gdoZY=
-=NyyO
------END PGP SIGNATURE-----

libtomcrypt-makefile.shared.patch

@@ -1,28 +0,0 @@
-diff -Naurh makefile.shared libtomcrypt-1.17/makefile.shared
---- makefile.shared	2009-05-04 09:24:31.000000000 -0300
-+++ libtomcrypt-1.17/makefile.shared	2009-05-04 09:25:06.000000000 -0300
-@@ -244,7 +244,7 @@
- library: $(LIBNAME)
- 
- testprof/$(LIBTEST):
--	cd testprof ; CFLAGS="$(CFLAGS)" GROUP=$(GROUP) USER=$(USER) VERSION=$(VERSION) LIBPATH=$(LIBPATH) LIBTEST=$(LIBTEST) LIBTEST_S=$(LIBTEST_S) make -f makefile.shared
-+	cd testprof ; CFLAGS="$(CFLAGS)" VERSION=$(VERSION) LIBPATH=$(LIBPATH) LIBTEST=$(LIBTEST) LIBTEST_S=$(LIBTEST_S) make -f makefile.shared
- 
- objs: $(OBJECTS)
- 
-@@ -252,11 +252,11 @@
- 	libtool --silent --mode=link gcc $(CFLAGS) `find . -type f | grep "[.]lo" | grep "src/" | xargs` $(EXTRALIBS) -o $(LIBNAME) -rpath $(LIBPATH) -version-info $(VERSION)
- 
- install: $(LIBNAME)
--	install -d -g $(GROUP) -o $(USER) $(DESTDIR)$(LIBPATH)
--	cd testprof ; CFLAGS="$(CFLAGS)" GROUP=$(GROUP) USER=$(USER) VERSION=$(VERSION) LIBPATH=$(LIBPATH) LIBTEST=$(LIBTEST) LIBTEST_S=$(LIBTEST_S) DESTDIR=$(DESTDIR) make -f makefile.shared install
-+	install -d $(DESTDIR)$(LIBPATH)
-+	cd testprof ; CFLAGS="$(CFLAGS)" VERSION=$(VERSION) LIBPATH=$(LIBPATH) LIBTEST=$(LIBTEST) LIBTEST_S=$(LIBTEST_S) DESTDIR=$(DESTDIR) make -f makefile.shared install
- 	libtool --silent --mode=install install -c libtomcrypt.la $(DESTDIR)$(LIBPATH)/libtomcrypt.la
--	install -d -g $(GROUP) -o $(USER) $(DESTDIR)$(INCPATH)
--	install -g $(GROUP) -o $(USER) $(HEADERS) $(DESTDIR)$(INCPATH)
-+	install -d $(DESTDIR)$(INCPATH)
-+	install $(HEADERS) $(DESTDIR)$(INCPATH)
- 
- #This rule makes the hash program included with libtomcrypt
- hashsum: library

libtomcrypt.changes

@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Mon Jul  2 23:47:09 UTC 2018 - darin@darins.net
+
+- v1.18.2
+  - Fix Side Channel Based ECDSA Key Extraction (CVE-2018-12437) (PR #408)
+  - Fix potential stack overflow when DER flexi-decoding (CVE-2018-0739) (PR #373)
+  - Fix two-key 3DES (PR #390)
+  - Fix accelerated CTR mode (PR #359)
+  - Fix Fortuna PRNG (PR #363)
+  - Fix compilation on platforms where cc doesn't point to gcc (PR #382)
+  - Fix using the wrong environment variable LT instead of LIBTOOL (PR #392)
+  - Fix build on platforms where the compiler provides __WCHAR_MAX__ but wchar.h is not available (PR #390)
+  - Fix & re-factor crypt_list_all_sizes() and crypt_list_all_constants() (PR #414)
+  - Minor fixes (PR's #350 #351 #375 #377 #378 #379)
+` 
+- Added libtommath-devl build requirement
+- Added baselibs.conf
+
+-------------------------------------------------------------------
+Fri Jun 22 11:47:21 UTC 2018 - darin@darins.net
+
+- v1.18.1
+  - Fix wrong SHA3 blocksizes, thanks to Claus Fischer for reporting this via Mail (PR #329)
+  - Fix NULL-pointer dereference in `ccm_memory()` with LTC_CLEAN_STACK enabled (PR #327)
+  - Fix `ccm_process()` being unable to process input buffers longer than 256 bytes (PR #326)
+  - Fix the `register_all_{ciphers,hashes,prngs}()` return values (PR #316)
+  - Fix some typos, warnings and duplicate prototypes in code & doc (PR's #310 #320 #321 #335)
+  - Fix possible undefined behavior with LTC_PTHREAD (PR #337)
+  - Fix some DER bugs (PR #339)
+  - Fix CTR-mode when accelerator is used (OP-TEE/optee_os #2086)
+  - Fix installation procedure (Issue #340) 
+
+-------------------------------------------------------------------
+Wed Jul 12 17:15:54 UTC 2017 - darin@darins.net
+
+- udpate to version 1.18.0
+- removed up upstream patches
+ 
+
 -------------------------------------------------------------------
 Mon May 29 13:08:06 UTC 2017 - bwiedemann@suse.com
 

libtomcrypt.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libtomcrypt
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2009 Exata T.I., Maringa, PR, Brasil.
 #
 # All modifications and additions to the file contributed by third parties
@@ -17,25 +17,22 @@
 #
 
 
-%define         soname libtomcrypt0
+%define         soname libtomcrypt1
 Name:           libtomcrypt
-Version:        1.17
+Version:        1.18.2
 Release:        0
 Summary:        Cryptographic Toolkit Written in Portable C
 License:        SUSE-Public-Domain
 Group:          System/Libraries
 Url:            http://libtom.org
-Source0:        https://github.com/libtom/libtomcrypt/releases/download/%{version}/crypt-%{version}.tar.bz2
-Source1:        https://github.com/libtom/libtomcrypt/releases/download/%{version}/crypt-%{version}.tar.bz2.asc
-Source2:        %{name}.keyring
+Source0:        https://github.com/libtom/libtomcrypt/archive/v%{version}.tar.gz
+#Source2:        %{name}.keyring
 Source3:        %{name}.changes
-# PATCH-FIX-UPSTREAM libtomcrypt-makefile.shared.patch
-Patch0:         %{name}-makefile.shared.patch
-# PATCH-FIX-UPSTREAM https://github.com/libtom/libtomcrypt/pull/222
-Patch1:         reproducible.patch
+Source4:        baselibs.conf
+BuildRequires:  libtommath-devel
 BuildRequires:  libtool
+BuildRequires:  pkgconfig
 BuildRequires:  texlive-latex
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
 LibTomCrypt is a fairly comprehensive, modular and portable cryptographic
@@ -43,7 +40,6 @@ toolkit that provides developers with a vast array of well known published
 block ciphers, one-way hash functions, chaining modes, pseudo-random number
 generators, public key cryptography and a plethora of other routines.
 
-
 %package -n %{soname}
 Summary:        Libraries for %{name}
 Group:          System/Libraries
@@ -69,7 +65,6 @@ numbergenerators, public key cryptography and a plethora of other routines.
 
 This package contains headers and other development files.
 
-
 %package examples
 Summary:        Example Files for LibTomCrypt
 Group:          Development/Libraries/Other
@@ -84,43 +79,37 @@ numbergenerators, public key cryptography and a plethora of other routines.
 This package contains example *.c files showing how to use TomCrypt library.
 
 %prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
+%setup -q -n %{name}-%{version}
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{SOURCE3}")"
 DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
 TIME="\"$(date -d "${modified}" "+%%R")\""
 find .  -name '*.[ch]' | xargs sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g"
 
 %build
-export CFLAGS="%{optflags}"
-make %{?_smp_mflags} LIBPATH=%{_libdir} -f makefile.shared
+export CFLAGS="%{optflags} -DLTM_DESC -DUSE_LTM"
+make %{?_smp_mflags} LIBPATH=%{_libdir} EXTRALIBS="-ltommath" -f makefile.shared
 
 %install
-make DESTDIR=%{buildroot} LIBPATH=%{_libdir} NODOCS=0 -f makefile.shared install
+make DESTDIR=%{buildroot} LIBPATH=%{_libdir} NODOCS=0 PREFIX=%{_prefix} -f makefile.shared install
 # Remove static libraries (It's upstream bug in makefile.shared I think.)
 rm %{buildroot}%{_libdir}/*.a
 find %{buildroot} -type f -name "*.la" -delete -print
 
+%check
+
 %post -n %{soname} -p /sbin/ldconfig
 %postun -n %{soname} -p /sbin/ldconfig
 
 %files -n %{soname}
-%defattr(-,root,root)
-%{_libdir}/libtomcrypt.so.0
-%{_libdir}/libtomcrypt.so.0.0.117
-%{_libdir}/libtomcrypt_prof.so.0
-%{_libdir}/libtomcrypt_prof.so.0.0.117
-%doc LICENSE README TODO doc/crypt.pdf
+%{_libdir}/libtomcrypt.so.*
+%doc LICENSE README.md 
 
 %files devel
-%defattr(-,root,root)
 %attr(0644,root,root) %{_includedir}/tomcrypt*.h
 %{_libdir}/libtomcrypt.so
-%{_libdir}/libtomcrypt_prof.so
+%{_libdir}/pkgconfig/libtomcrypt.pc
 
 %files examples
-%defattr(-,root,root)
 %doc demos
 
 %changelog

reproducible.patch

@@ -1,36 +0,0 @@
-https://github.com/libtom/libtomcrypt/pull/222
-sort input files
-
-when building packages (e.g. for openSUSE Linux)
-(random) filesystem order of input files
-influences ordering of functions in the output,
-thus without the patch, builds (in disposable VMs) would differ.
-
-See https://reproducible-builds.org/ for why this matters.
-
-Index: libtomcrypt-1.17/makefile.shared
-===================================================================
---- libtomcrypt-1.17.orig/makefile.shared
-+++ libtomcrypt-1.17/makefile.shared
-@@ -249,7 +249,7 @@ testprof/$(LIBTEST):
- objs: $(OBJECTS)
- 
- $(LIBNAME): $(OBJECTS) testprof/$(LIBTEST)
--	libtool --silent --mode=link gcc $(CFLAGS) `find . -type f | grep "[.]lo" | grep "src/" | xargs` $(EXTRALIBS) -o $(LIBNAME) -rpath $(LIBPATH) -version-info $(VERSION)
-+	libtool --silent --mode=link gcc $(CFLAGS) `find . -type f | grep "[.]lo" | grep "src/" | sort | xargs` $(EXTRALIBS) -o $(LIBNAME) -rpath $(LIBPATH) -version-info $(VERSION)
- 
- install: $(LIBNAME)
- 	install -d $(DESTDIR)$(LIBPATH)
-Index: libtomcrypt-1.17/testprof/makefile.shared
-===================================================================
---- libtomcrypt-1.17.orig/testprof/makefile.shared
-+++ libtomcrypt-1.17/testprof/makefile.shared
-@@ -18,7 +18,7 @@ endif
- default: $(LIBTEST)
- 
- $(LIBTEST): $(OBJECTS)
--	libtool --silent --mode=link gcc $(CFLAGS) `find . -type f | grep "[.]lo" |  xargs` -o $@ -rpath $(LIBPATH) -version-info $(VERSION)
-+	libtool --silent --mode=link gcc $(CFLAGS) `find . -type f | grep "[.]lo" | sort | xargs` -o $@ -rpath $(LIBPATH) -version-info $(VERSION)
- 
- install: $(LIBTEST)
- 	libtool --silent --mode=install install -c $(LIBTEST) $(DESTDIR)$(LIBPATH)/$(LIBTEST)

v1.18.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d870fad1e31cb787c85161a8894abb9d7283c2a654a9d3d4c6d45a1eba59952c
+size 2304218