From 0492ad4c56dcba19745e9c3228a24fa647ec008b6d50c8c7494a91d262951383 Mon Sep 17 00:00:00 2001
From: c unix
Date: Wed, 4 Sep 2024 16:04:54 +0000
Subject: [PATCH] - bsc#1229959 - RUSTSEC-2024-0006 - rust-shlex: Multiple issues involving quote API

OBS-URL: https://build.opensuse.org/package/show/security/rage-encryption?expand=0&rev=33
---
 .gitattributes | 23 +++
 .gitignore | 1 +
 _service | 24 +++
 _servicedata | 4 +
 rage-0.10.0+0.tar.gz | 3 +
 rage-encryption.changes | 220 ++++++++++++++++++++++++++++++++++++++++
 rage-encryption.spec | 156 ++++++++++++++++++++++++++++
 vendor.tar.zst | 3 +
 8 files changed, 434 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 _service
 create mode 100644 _servicedata
 create mode 100644 rage-0.10.0+0.tar.gz
 create mode 100644 rage-encryption.changes
 create mode 100644 rage-encryption.spec
 create mode 100644 vendor.tar.zst
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..00e6015
--- /dev/null
+++ b/_service
@@ -0,0 +1,24 @@
+
+
+ https://github.com/str4d/rage.git
+ @PARENT_TAG@+@TAG_OFFSET@
+ git
+ v0.10.0
+ *
+ v(\d+\.\d+\.\d+)
+ \1
+ enable
+ william.brown@suse.com
+
+
+
+ *.tar
+ gz
+
+
+
+ rage
+ zst
+ true
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..1d7487e
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/str4d/rage.git
+ 5c82b234c6ad3a537b80e8671ae59875464dd53f
\ No newline at end of file
diff --git a/rage-0.10.0+0.tar.gz b/rage-0.10.0+0.tar.gz
new file mode 100644
index 0000000..ce22cfa
--- /dev/null
+++ b/rage-0.10.0+0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a1eb1f73868b31bbb20e074b384f4b710572c98ebc1e31ad8fb3b35fdc234fd
+size 1646541
diff --git a/rage-encryption.changes b/rage-encryption.changes
new file mode 100644
index 0000000..9692672
--- /dev/null
+++ b/rage-encryption.changes
@@ -0,0 +1,220 @@ +------------------------------------------------------------------- +Wed Sep 4 01:43:07 UTC 2024 - William Brown + +- bsc#1229959 - RUSTSEC-2024-0006 - rust-shlex: Multiple issues involving quote API + +------------------------------------------------------------------- +Mon Apr 22 12:15:24 UTC 2024 - Joshua Smith + +- Enable tests +- Install all language manpages +- Fix -keygen installing to -mount +- Switch from obsoleted practices to modern ones: + * %setup is now %autosetup + * cargo_config is now part of vendor file + * disabledrun is now manualrun +- Update to version 0.10.0+0: + Added: + * Russian translation + * rage-keygen -y IDENTITY_FILE to convert identity files to + recipients. + Changed: + * MSRV is now 1.65.0. + * Migrated from gumdrop to clap for argument parsing. + * -R/--recipients-file and -i/--identity now support "read-once" + files, like those used by process substitution (-i + <(other_binary get-age-identity)) and named pipes. + * The filename - (hyphen) is now treated as an explicit request + to read from standard input when used with -R/--recipients-file + or -i/--identity. It must only occur once across the + -R/--recipients-file and -i/--identity flags, and the input + file. It cannot be used if the input file is omitted. + Fixed: + * OpenSSH private keys passed to -i/--identity that contain + invalid public keys are no longer ignored when encrypting, and + instead cause an error. + * Weak ssh-rsa public keys that are smaller than 2048 bits are + now rejected. + * rage-keygen no longer overwrites existing key files with the + -o/--output flag. This was its behaviour prior to 0.6.0, but + was unintentionally changed when rage was modified to overwrite + existing files. Key file overwriting can still be achieved by + omitting -o/--output and instead piping stdout to the file. + * rage-keygen now prints fatal errors directly instead of them + being hidden behind the RUST_LOG=error environment variable. 
It + also now sets its return code appropriately instead of always + returning 0. + +------------------------------------------------------------------- +Tue Sep 26 03:59:43 UTC 2023 - William Brown + +- bsc#1215657 - chosen ciphertext attack possible against aes-gcm + * update vendor.tar.zst to contain aes-gcm >= 0.10.3 + +------------------------------------------------------------------- +Tue Sep 26 01:06:56 UTC 2023 - william.brown@suse.com + +- Update to version 0.9.2+0: + * CI: Ensure `apt` repository is up-to-date before installing build deps + * CI: Build Linux releases using `ubuntu-20.04` runner + * CI: Remove most uses of `actions-rs` actions + +------------------------------------------------------------------- +Tue Jun 13 00:35:46 UTC 2023 - william.brown@suse.com + +- Update to version 0.9.2+0: + * v0.9.2 + * Fix changelog bugs and add missing entry + * Document `PINENTRY_PROGRAM` environment variable + * age: Add `Decryptor::new_async_buffered` + * age: `impl AsyncBufRead for ArmoredReader` + * Pre-initialize vectors when the capacity is known, or use arrays + * Use `PINENTRY_PROGRAM` as environment variable for `pinentry` + * Document why `impl AsyncWrite for StreamWriter` doesn't loop indefinitely + * cargo update + * cargo vet prune + * Migrate to `cargo-vet 0.7` + * build(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.1 + * Correct spelling in documentation + * build(deps): bump codecov/codecov-action from 3.1.1 to 3.1.4 + * StreamWriter AsyncWrite: fix usage with futures::io::copy() + * rage: Use `Decryptor::new_buffered` + * age: Add `Decryptor::new_buffered` + * age: `impl BufRead for ArmoredReader` + * Update Homebrew formula to v0.9.1 + * feat/pinentry: Use env var to define pinentry binary + +------------------------------------------------------------------- +Tue Apr 11 11:13:29 UTC 2023 - Jan Engelhardt + +- As per https://en.opensuse.org/openSUSE:Package_description_guidelines + mention distinctive characteristics that 
offset this solution + from e.g. gpg. + +------------------------------------------------------------------- +Sun Mar 26 07:04:54 UTC 2023 - Soc Virnyl Estela + +- Update to version 0.9.1+0: + * ssh: Fix parsing of OpenSSH private key format + * ssh: Support `aes256-gcm@openssh.com` ciphers for encrypted keys + * ssh: Add `aes256-gcm@openssh.com` cipher to test cases + * ssh: Extract common key material derivation logic for encrypted keys + * ssh: Use associated constants for key and IV sizes + * ssh: Add test cases for encrypted keys +- Add shell completions for fish and zsh. + +------------------------------------------------------------------- +Fri Jan 13 03:23:28 UTC 2023 - William Brown + +- bsc#1207039 - CVE-2023-22895 - update bzip2 crate +- Update of vendored dependencies + +------------------------------------------------------------------- +Thu Jan 05 03:20:27 UTC 2023 - william.brown@suse.com + +- Update of vendored dependencies + +------------------------------------------------------------------- +Mon Nov 21 15:00:46 UTC 2022 - Dominique Leuenberger + +- Do not have the main package recommend the bash-completion + sub-package, but rather have the subpackage supplement the + combination of tage-encryption and bash-completion. 
+ +------------------------------------------------------------------- +Mon Oct 31 02:20:35 UTC 2022 - william.brown@suse.com + +- Update to version 0.9.0+0: + * v0.9.0 + * use pkcs1 crate to parse RSAPrivateKey ASN.1 object + * qa: Add workflow that runs `cargo vet --locked` + * qa: Import `cargo vet` audits from Firefox and zcashd + * qa: Add `crypto-reviewed` criteria or `cargo vet` + * qa: `cargo vet init` + +------------------------------------------------------------------- +Tue Aug 09 03:56:26 UTC 2022 - william.brown@suse.com + +- Set minimum rust requirement to 1.59 +- Update to version 0.8.1+0: + * v0.8.1 + * Revert updates to `dashmap` and `indexmap` + * cargo update + * age: Add passphrase to scrypt_work_factor_23 testkit test file + * age: Reject invalid or non-canonical X25519 recipient stanzas + * age: Require "contributory" behaviour for X25519 recipient stanzas + * age: Add testkit test files from reference impl + * Update Homebrew formula to v0.8.0 + +------------------------------------------------------------------- +Tue May 03 00:27:46 UTC 2022 - william.brown@suse.com + +- Update to version 0.8.0+0: + * v0.8.0 + * age: Allow ciphertexts that encrypt the empty plaintext + * Update Italian translation + * Don't allow -i/--identity with passphrase-encrypted files + * age: Require the last STREAM chunk to be non-empty + * age: Return correct response encoding for `confirm` command + * age: Base64-decode metadata arguments to "confirm" message + * age: Extract "confirm" command handling into a helper function + +------------------------------------------------------------------- +Tue Apr 5 05:38:22 UTC 2022 - William Brown + +- Automatic update of vendored dependencies + +------------------------------------------------------------------- +Mon Mar 14 22:53:25 UTC 2022 - william.brown@suse.com + +- Update to resolve bsc#1196972 CVE-2022-24713 - Regex DOS + +------------------------------------------------------------------- +Mon Mar 14 12:00:00 UTC 
2022 - cunix@mail.de + +- switched to vendored_licenses_packager as build dependency +- define macro "rust_tier1_arches" if undefined + +------------------------------------------------------------------- +Tue Feb 15 03:58:13 UTC 2022 - William Brown + +- Add specific lock file path to _service for cargo audit to prevent + confusion with the lock files in the fuzz folders. + +------------------------------------------------------------------- +Mon Jan 31 12:00:00 UTC 2022 - cunix@mail.de + +- Update to version 0.7.1 + * Fixed a bug where non-canonical recipient stanza bodies in an age + file header would cause rage to crash instead of being rejected + * vendor.tar.xz updated from source code Cargo.lock file + +- Added: + * binary rage-mount + * bash-completion for rage, rage-keygen and rage-mount + * manual pages for rage, rage-keygen and rage-mount + * Licenses files + * Licenses files of vendored crates extracted + with script "vendored_licenses_packager.sh" + * README and CHANGELOG files + * possibility to build without cargo-packaging for "older" distros + +------------------------------------------------------------------- +Fri Nov 19 01:08:01 UTC 2021 - william.brown@suse.com + +- Update to version 0.7.0~git0.c93b914: + * v0.7.0 + * cargo update fuzz* + * Update lockfiles for fuzzers + * rage: Pin clap to 3.0.0-beta.2 + * CI: Add bitrot check to ensure examples and benchmarks still compile + * console 0.15 + * age: Re-export `secrecy` crate + * age-core: Improve crate documentation + * age-core: Re-export `secrecy` crate + * age-core: Add `plugin::Error` enum + +------------------------------------------------------------------- +Tue Nov 16 02:26:14 UTC 2021 - William Brown + +- Initial commit of rage diff --git a/rage-encryption.spec b/rage-encryption.spec new file mode 100644 index 0000000..f45a3a6 --- /dev/null +++ b/rage-encryption.spec 
@@ -0,0 +1,156 @@
+#
+# spec file for package rage-encryption
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{?!rust_tier1_arches:%global rust_tier1_arches x86_64 aarch64}
+
+Name: rage-encryption
+# This will be set by osc services, that will run after this.
+Version: 0.10.0+0
+Release: 0
+Summary: X25519-based, simple, modern, and secure file encryption tool
+# If you know the license, put it's SPDX string here.
+# Alternately, you can use cargo lock2rpmprovides to help generate this.
+License: (0BSD OR MIT OR Apache-2.0) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND (Apache-2.0 OR Zlib OR MIT) AND Apache-2.0 AND BSD-3-Clause AND CDDL-1.0 AND MIT
+# Select a group from this link:
+# https://en.opensuse.org/openSUSE:Package_group_guidelines
+Group: Productivity/Security
+URL: https://github.com/str4d/rage
+Source0: rage-%{version}.tar.gz
+Source1: vendor.tar.zst
+%if %{suse_version} > 1500
+BuildRequires: cargo-packaging
+%endif
+# Requires >1.59 for thread::available_parallelism
+BuildRequires: cargo >= 1.59
+BuildRequires: libzstd-devel
+BuildRequires: vendored_licenses_packager
+# for feature mount
+BuildRequires: fuse-devel
+Recommends: pinentry
+BuildRequires: zstd
+Conflicts: rage
+ExclusiveArch: %{rust_tier1_arches}
+
+%description
+Rage is a simple, modern, and secure file encryption tool, using the
+age format. It features small explicit keys, no config options, and
+UNIX-style composability.
+
+Keys are based on X25519 which are similar to the ones used by SSH.
+rage-encryption can also use ssh-ed25519 and ssh-rsa keys as
+alternatives to age1 keys.
+
+%package bash-completion
+Summary: Bash completion for %{name}
+Group: Productivity/Security
+BuildArch: noarch
+Requires: %{name}
+Requires: bash-completion
+Supplements: (%{name} and bash-completion)
+Conflicts: rage
+
+%description bash-completion
+Bash command line completion support for %{name}
+
+%package fish-completion
+Summary: Fish Completion for %{name}
+Group: Productivity/Security
+Supplements: (%{name} and fish)
+Requires: fish
+BuildArch: noarch
+
+%description fish-completion
+Fish command-line completion support for %{name}.
+
+%package zsh-completion
+Summary: Zsh Completion for %{name}
+Group: Productivity/Security
+Supplements: (%{name} and zsh)
+Requires: zsh
+BuildArch: noarch
+
+%description zsh-completion
+Zsh command-line completion support for %{name}.
+
+%prep
+%autosetup -a 1 -n rage-%{version}
+%vendored_licenses_packager_prep
+
+%build
+%define build_args --manifest-path rage/Cargo.toml --features "mount" --release %{?_smp_mflags}
+
+%if %{suse_version} > 1500
+%{cargo_build} --features "mount"
+%else
+cargo build %{build_args}
+%endif
+
+%check
+%if %{suse_version} > 1500
+%{cargo_test} --features "mount"
+%else
+cargo test %{build_args}
+%endif
+
+%install
+pushd target/release
+
+# Install each part of the tool and their respective completions.
+for i in "" -keygen -mount; do
+ install -D -m 0755 rage$i %{buildroot}%{_bindir}/rage$i
+ install -D -p -m 644 completions/rage$i.bash %{buildroot}%{_datadir}/bash-completion/completions/rage$i
+ install -D -p -m 644 completions/_rage$i %{buildroot}%{_datadir}/zsh/site-functions/_rage$i
+ install -D -p -m 644 completions/rage$i.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/rage$i.fish
+done
+
+pushd manpages
+mv es_AR es # es_AR doesn't seem to be a correct manpage locale
+find . -name "*.1.gz" -exec install -Dpm644 {} %{buildroot}%{_mandir}/{} \;
+popd
+popd
+
+%vendored_licenses_packager_install
+%find_lang rage{,-keygen,-mount} rage.lang --with-man --all-name
+
+%files -f rage.lang
+%{_bindir}/rage
+%{_bindir}/rage-keygen
+%{_bindir}/rage-mount
+%doc README.md rage/CHANGELOG.md
+# accept duplicates here
+%license LICENSE-APACHE LICENSE-MIT
+%vendored_licenses_packager_files
+%{_mandir}/man1/rage*.1%{?ext_man}
+
+%files bash-completion
+%license LICENSE-APACHE LICENSE-MIT
+%{_datadir}/bash-completion/completions/rage*
+
+%files fish-completion
+%license LICENSE-APACHE LICENSE-MIT
+%dir %{_datadir}/fish
+%dir %{_datadir}/fish/vendor_completions.d
+%{_datadir}/fish/vendor_completions.d/rage*.fish
+
+%files zsh-completion
+%license LICENSE-APACHE LICENSE-MIT
+%dir %{_datadir}/zsh
+%dir %{_datadir}/zsh/site-functions
+%{_datadir}/zsh/site-functions/_rage*
+
+%changelog
diff --git a/vendor.tar.zst b/vendor.tar.zst
new file mode 100644
index 0000000..9877a45
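Review bot: `BuildRequires: cargo >= 1.59` (with the comment `# Requires >1.59 for thread::available_parallelism`) understates the toolchain this version needs: the 0.10.0 entry added to rage-encryption.changes in the same patch states "MSRV is now 1.65.0", so a cargo between 1.59 and 1.64 would satisfy the dependency and the build would then fail at compile time. I would change the comment to `# rage 0.10.0 sets MSRV 1.65.0 (see rage-encryption.changes)` and the requirement to `BuildRequires: cargo >= 1.65`. A minor style point in the `%install` loop: `rage$i` and `completions/rage$i.bash` are unquoted; the values are fixed so it is harmless, but `"rage$i"` would match the quoting used elsewhere in the section. Separately, nothing in the patch records which shlex version vendor.tar.zst now carries — the earlier aes-gcm entry in the changelog named the fixed version (>= 0.10.3), and a similar line here would let a reviewer confirm the advisory is closed without unpacking the LFS blob.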
--- /dev/null
+++ b/vendor.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:01bbc54ef2aff3935b8ef8c0462be718bceefa4e1076aa47ea43aff0b3b0bcbb
+size 28370756