Accepting request 1324905 from utilities

- Add recutils-fix_empty_password_vuln.patch
  (fixes bsc#1255767 CVE-2025-65409)

OBS-URL: https://build.opensuse.org/request/show/1324905
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gnu-recutils?expand=0&rev=3

gnu-recutils.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Dec 31 13:18:12 UTC 2025 - Luigi Baldoni <aloisio@gmx.com>
+
+- Add recutils-fix_empty_password_vuln.patch
+  (fixes bsc#1255767 CVE-2025-65409)
+
 -------------------------------------------------------------------
 Fri Nov 15 18:19:34 UTC 2024 - Luigi Baldoni <aloisio@gmx.com>
 

gnu-recutils.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package gnu-recutils
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,6 +28,9 @@ URL:            https://www.gnu.org/software/recutils
 Source0:        https://ftp.gnu.org/gnu/recutils/recutils-%{version}.tar.gz
 Source1:        https://ftp.gnu.org/gnu/recutils/recutils-%{version}.tar.gz.sig
 Source2:        https://savannah.gnu.org/people/viewgpg.php?user_id=829#/%{name}.keyring
+# PATCH-FIX-UPSTREAM recutils-fix_empty_password_vuln.patch
+Patch0:         recutils-fix_empty_password_vuln.patch
+BuildRequires:  help2man
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(bash)
 BuildRequires:  pkgconfig(check)
@@ -101,7 +104,7 @@ databases.
 %lang_package
 
 %prep
-%setup -q -n recutils-%{version}
+%autosetup -p1 -n recutils-%{version}
 
 %build
 export CFLAGS="%{optflags} -Wno-implicit-function-declaration -Wno-incompatible-pointer-types"

recutils-fix_empty_password_vuln.patch

@@ -0,0 +1,57 @@
+From: Jose E. Marchesi <jemarch@gnu.org>
+Subject: [SECURITY][CWE-369] GNU Recutils 1.9: empty password triggers divide-by-zero (SIGFPE) in recfix / rec-crypt
+Date: Thu, 30 Oct 2025 17:17:49 +0100
+References: bsc#1255767 CVE-2025-65409 CWE-369
+
+---
+ src/rec-crypt.c | 14 ++++++++++++++
+ utils/recfix.c  |  3 +++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/src/rec-crypt.c b/src/rec-crypt.c
+index 5c88716..1ae7882 100644
+--- a/src/rec-crypt.c
++++ b/src/rec-crypt.c
+@@ -102,6 +102,13 @@ rec_encrypt (char   *in,
+ 
+   /* Set the key of the cypher.  */
+   password_size = strlen (password);
++
++  if (password_size <= 0)
++    {
++      gcry_cipher_close (handler);
++      return false;
++    }
++
+   for (i = 0; i < AESV2_KEYSIZE; i++)
+     key[i] = password[i % password_size];
+ 
+@@ -177,6 +184,13 @@ rec_decrypt (char   *in,
+ 
+   /* Set the key of the cypher.  */
+   password_size = strlen (password);
++
++  if (password_size<=0)
++    {
++      gcry_cipher_close (handler);
++      return false;
++    }
++
+   for (i = 0; i < AESV2_KEYSIZE; i++)
+     key[i] = password[i % password_size];
+ 
+diff --git a/utils/recfix.c b/utils/recfix.c
+index f9afef2..d286047 100644
+--- a/utils/recfix.c
++++ b/utils/recfix.c
+@@ -190,6 +190,9 @@ recfix_parse_args (int argc,
+           if (recfix_password != NULL)
+             recutl_fatal (_("please specify just one password.\n"));
+ 
++          if (optarg == NULL || optarg[0] == '\0')
++            recutl_fatal (_("password must not be empty.\n"));
++
+           recfix_password = xstrdup (optarg);
+           break;
+ #endif /* REC_CRYPT_SUPPORT */
+--