Update to 0.6.2.2 for fix CVE-2023-37464

(cherry picked from commit 83c7a24e99e1c046968e154618368328445095a6)
2023-07-24 11:38:22 +08:00 · 2023-07-24 11:38:22 +08:00 · 43dde1608f
commit 43dde1608f
parent 4c1c68e65d
4 changed files with 7 additions and 79 deletions
--- a/cjose-0.6.1.tar.gz
+++ b/cjose-0.6.1.tar.gz
--- a/cjose-0.6.2.2.tar.gz
+++ b/cjose-0.6.2.2.tar.gz
--- a/cjose.spec
+++ b/cjose.spec
@ -1,11 +1,10 @@
 Name:                cjose
-Version:             0.6.1
-Release:             3
+Version:             0.6.2.2
+Release:             1
 Summary:             C library implementing the Javascript Object Signing and Encryption (JOSE)
 License:             MIT
-URL:                 https://github.com/cisco/cjose
-Source0:             https://github.com/cisco/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
-Patch1:              concatkdf.patch
+URL:                 https://github.com/OpenIDC/cjose
+Source0:             https://github.com/OpenIDC/cjose/releases/download/v%{version}/%{name}-%{version}.tar.gz
 BuildRequires:       gcc doxygen libtcnative-1-0 jansson-devel check-devel openssl-devel
 %description
 Implementation of JOSE for C/C++
@ -48,5 +47,8 @@ make check || (cat test/test-suite.log; exit 1)
 %{_libdir}/pkgconfig/cjose.pc

 %changelog
+* Mon Jul 24 2023 yaoxin <yao_xin001@hoperun.com> - 0.6.2.2-1
+- Update to 0.6.2.2 for fix CVE-2023-37464
+
 * Sat Jul 18 2020 yanan li <liyanan032@huawei.com> - 0.6.1-3
 - Package init
--- a/concatkdf.patch
+++ b/concatkdf.patch
@ -1,74 +0,0 @@
-commit 0238eb8f3612515f4374381b593dd79116169330
-Author: John Dennis <jdennis@redhat.com>
-Date:   Thu Aug 2 16:21:33 2018 -0400
-
-    fix concatkdf failures on big endian architectures
-    
-    Several of the elements used to compute the digest in ECDH-ES key
-    agreement computation are represented in binary form as a 32-bit
-    integer length followed by that number of octets.  the length
-    field. The 32-bit length integer is represented in big endian
-    format (the 8 most significant bits are in the first octet.).
-    
-    The conversion to a 4 byte big endian integer was being computed
-    in a manner that only worked on little endian architectures. The
-    function htonl() returns a 32-bit integer whose octet sequence given
-    the address of the integer is big endian. There is no need for any
-    further manipulation.
-    
-    The existing code used bit shifting on a 32-bit value. In C bit
-    shifting is endian agnostic for multi-octet values, a right shift
-    moves most significant bits toward least significant bits. The result
-    of a bit shift of a multi-octet value on either big or little
-    archictures will always be the same provided you "view" it as the same
-    data type (e.g. 32-bit integer). But indexing the octets of that
-    mulit-octet value will be different depending on endianness, hence the
-    assembled octets differed depending on endianness.
-    
-    Issue: #77
-    Signed-off-by: John Dennis <jdennis@redhat.com>
-
-diff --git a/src/concatkdf.c b/src/concatkdf.c
-index ec064ab..59b845a 100644
--- a/src/concatkdf.c
-+++ b/src/concatkdf.c
-@@ -29,15 +29,9 @@
- ////////////////////////////////////////////////////////////////////////////////
- static uint8_t *_apply_uint32(const uint32_t value, uint8_t *buffer)
- {
-    const uint32_t formatted = htonl(value);
-    const uint8_t data[4] = {
-        (formatted >> 0) & 0xff,
-        (formatted >> 8) & 0xff,
-        (formatted >> 16) & 0xff,
-        (formatted >> 24) & 0xff
-    };
-    memcpy(buffer, data, 4);
-+    const uint32_t big_endian_int32 = htonl(value);
- 
-+    memcpy(buffer, &big_endian_int32, 4);
-     return buffer + 4;
- }
- 
-diff --git a/test/check_concatkdf.c b/test/check_concatkdf.c
-index e4325fc..41d0f1c 100644
--- a/test/check_concatkdf.c
-+++ b/test/check_concatkdf.c
-@@ -60,14 +60,9 @@ _create_otherinfo_header_finish:
- 
- static bool _cmp_uint32(uint8_t **actual, uint32_t expected)
- {
-    uint32_t value = htonl(expected);
-    uint8_t expectedData[] = {
-        (value >> 0) & 0xff,
-        (value >> 8) & 0xff,
-        (value >> 16) & 0xff,
-        (value >> 24) & 0xff
-    };
-    bool result = (0 == memcmp(*actual, expectedData, 4));
-+    uint32_t big_endian_int32 = htonl(expected);
-+
-+    bool result = (0 == memcmp(*actual, &big_endian_int32, 4));
-     (*actual) += 4;
-     return result;
- }