Accepting request 1198387 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1198387
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mbedtls-2?expand=0&rev=8

fix_calloc-transposed-args.patch

@@ -0,0 +1,59 @@
+From 990a88cd53d40ff42481a2c200b05f656507f326 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyich@gmail.com>
+Date: Thu, 25 Jan 2024 20:48:56 +0000
+Subject: [PATCH] tests: fix `calloc()` argument list (`gcc-14` fix)
+
+`gcc-14` added a new `-Wcalloc-transposed-args` warning recently. It
+detected minor infelicity in `calloc()` API usage in `mbedtls`:
+
+    In file included from /build/mbedtls/tests/include/test/ssl_helpers.h:19,
+                     from /build/mbedtls/tests/src/test_helpers/ssl_helpers.c:11:
+    /build/mbedtls/tests/src/test_helpers/ssl_helpers.c: In function 'mbedtls_test_init_handshake_options':
+    /build/mbedtls/tests/include/test/macros.h:128:46:
+      error: 'calloc' sizes specified with 'sizeof' in the earlier argument
+        and not in the later argument [-Werror=calloc-transposed-args]
+      128 |             (pointer) = mbedtls_calloc(sizeof(*(pointer)),  \
+          |                                              ^
+
+Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
+---
+ tests/include/test/macros.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tests/include/test/macros.h b/tests/include/test/macros.h
+index 894fc6727cc8..3c347e17e901 100644
+--- a/tests/include/test/macros.h
++++ b/tests/include/test/macros.h
+@@ -135,8 +135,8 @@
+     do {                                                    \
+         TEST_ASSERT((pointer) == NULL);                     \
+         if ((item_count) != 0) {                            \
+-            (pointer) = mbedtls_calloc(sizeof(*(pointer)),  \
+-                                       (item_count));       \
++            (pointer) = mbedtls_calloc((item_count),        \
++                                       sizeof(*(pointer))); \
+             TEST_ASSERT((pointer) != NULL);                 \
+         }                                                   \
+     } while (0)
+@@ -165,8 +165,8 @@
+ #define TEST_CALLOC_NONNULL(pointer, item_count)            \
+     do {                                                    \
+         TEST_ASSERT((pointer) == NULL);                     \
+-        (pointer) = mbedtls_calloc(sizeof(*(pointer)),      \
+-                                   (item_count));           \
++        (pointer) = mbedtls_calloc((item_count),            \
++                                   sizeof(*(pointer)));     \
+         if (((pointer) == NULL) && ((item_count) == 0)) {   \
+             (pointer) = mbedtls_calloc(1, 1);               \
+         }                                                   \
+@@ -185,8 +185,8 @@
+     do {                                                    \
+         TEST_ASSERT((pointer) == NULL);                     \
+         if ((item_count) != 0) {                            \
+-            (pointer) = mbedtls_calloc(sizeof(*(pointer)),  \
+-                                       (item_count));       \
++            (pointer) = mbedtls_calloc((item_count),        \
++                                       sizeof(*(pointer))); \
+             TEST_ASSUME((pointer) != NULL);                 \
+         }                                                   \
+     } while (0)

mbedtls-2.28.8.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4fef7de0d8d542510d726d643350acb3cdb9dc76ad45611b59c9aa08372b4213
-size 4039097

mbedtls-2.28.9.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e4dbcf86a4fb31506482888560f02b161e0ecfb82fee0643abcfc86abee5817e
+size 4075616

mbedtls-2.changes

@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Mon Sep  2 19:59:03 UTC 2024 - Jaime Marquínez Ferrándiz <jaime.marquinez.ferrandiz@fastmail.net>
+
+- Update to version 2.28.9:
+  Security
+  * Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does
+    not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when
+    MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
+    CVE-2024-45157
+  Bugfix
+  * Fix the build in some configurations when check_config.h is not included.
+    Fix gh#Mbed-TLS/mbedtls#9152.
+  * Fix issue of redefinition warning messages for _GNU_SOURCE in
+    entropy_poll.c and sha_256.c. There was a build warning during building for
+    linux platform.  Resolves gh#Mbed-TLS/mbedtls#9026
+  * Fix error handling when creating a key in a dynamic secure element
+    (feature enabled by MBEDTLS_PSA_CRYPTO_SE_C). In a low memory condition,
+    the creation could return PSA_SUCCESS but using or destroying the key would
+    not work. Fixes gh#Mbed-TLS/mbedtls#8537.
+  * Fix a memory leak that could occur when failing to process an RSA
+    key through some PSA functions due to low memory conditions.  Document and
+    enforce the limitation of mbedtls_psa_register_se_key()
+    to persistent keys. Resolves gh#Mbed-TLS/mbedtls#9253.
+- Add fix_calloc-transposed-args.patch
+
 -------------------------------------------------------------------
 Sun Mar 31 12:10:53 UTC 2024 - Jaime Marquínez Ferrándiz <jaime.marquinez.ferrandiz@fastmail.net>
 

mbedtls-2.spec

@@ -21,7 +21,7 @@
 %define lib_x509   libmbedx509-1
 %define _rname     mbedtls
 Name:           mbedtls-2
-Version:        2.28.8
+Version:        2.28.9
 Release:        0
 Summary:        Libraries for crypto and SSL/TLS protocols
 License:        Apache-2.0 OR GPL-2.0-or-later
@@ -29,6 +29,8 @@ Group:          Development/Libraries/C and C++
 URL:            https://tls.mbed.org
 Source:         https://github.com/ARMmbed/mbedtls/archive/v%{version}.tar.gz#/%{_rname}-%{version}.tar.gz
 Source99:       baselibs.conf
+# PATCH-FIX-UPSTREAM: https://github.com/Mbed-TLS/mbedtls/pull/9529
+Patch0:         fix_calloc-transposed-args.patch
 BuildRequires:  cmake
 BuildRequires:  ninja
 BuildRequires:  pkgconfig