From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH v2] libxcrypt: Update to version 4.4.26 Date: Mon, 27 Sep 2021 09:16:32 +0000 Message-ID: <2f7e58e0-aa05-eaac-c53a-325c5e338674@ipfire.org> In-Reply-To: <20210926103700.2988-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1641882906540721138==" List-Id: --===============1641882906540721138== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Peter M=C3=BCller > - v2 version is to extend from 4.4.25 to 4.4.26 > - Update from 4.4.23 to 4.4.26 > - Update of rootfile not required > - Changelog > Version 4.4.26 > * Fix compilation on systems with GCC >=3D 10, that do not support > declarations with __attribute__((symver)). > Version 4.4.25 > * Add support for Python 3.11 in the configure script. > * Stricter checking of invalid salt characters (issue #135). > Hashed passphrases are always entirely printable ASCII, and do > not contain any whitespace or the characters ':', ';', '*', '!', > or '\'. (These characters are used as delimiters and special > markers in the passwd(5) and shadow(5) files.) > Version 4.4.24 > * Add hash group for Debian in lib/hashes.conf. > Debian has switched to use the yescrypt hashing algorithm as > the default for new user passwords, so we should add a group > for this distribution. > * Overhaul the badsalt test. > Test patterns are now mostly generated rather than manually coded > into a big table. Not reading past the end of the =E2=80=9Csetting= =E2=80=9D part > of the string is tested more thoroughly (this would have caught the > sunmd5 $$ bug if it had been available at the time). > Test logs are tidier. > * Add =E2=80=98test-programs=E2=80=99 utility target to Makefile. > It is sometimes useful to compile all the test programs but not run > them. Add a Makefile target that does this. > * Fix incorrect bcrypt-related ifdeffage in test/badsalt.c. > The four variants of bcrypt are independently configurable, but the > badsalt tests for them were all being toggled by INCLUDE_bcrypt, > which is only the macro for the $2b$ variant. > * Fix bigcrypt-related test cases in test/badsalt.c. > The test spec was only correct when both or neither of bigcrypt and > descrypt were enabled. > * Detect ASan in configure and disable incompatible tests. > ASan=E2=80=99s =E2=80=9Cinterceptors=E2=80=9D for crypt and crypt_r = have a semantic conflict > with libxcrypt, requiring a few tests to be disabled for builds with > -fsanitize-address. See commentary in test/crypt-badargs.c for an > explanation of the conflict, and the commentary in > build-aux/zw_detect_asan.m4 for why a configure test is required. > * Fix several issues found by Covscan in the testsuite. These include: > - CWE-170: String not null terminated (STRING_NULL) > - CWE-188: Reliance on integer endianness (INCOMPATIBLE_CAST) > - CWE-190: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN) > - CWE-569: Wrong sizeof argument (SIZEOF_MISMATCH) > - CWE-573: Missing varargs init or cleanup (VARARGS) > - CWE-687: Argument cannot be negative (NEGATIVE_RETURNS) >=20 > Signed-off-by: Adolf Belka > --- > lfs/libxcrypt | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) >=20 > diff --git a/lfs/libxcrypt b/lfs/libxcrypt > index 16ebb1dc5..770b4249e 100644 > --- a/lfs/libxcrypt > +++ b/lfs/libxcrypt > @@ -24,10 +24,10 @@ > =20 > include Config > =20 > -VER =3D 4.4.23 > +VER =3D 4.4.26 > =20 > THISAPP =3D libxcrypt-$(VER) > -DL_FILE =3D $(THISAPP).tar.gz > +DL_FILE =3D $(THISAPP).tar.xz > DL_FROM =3D $(URL_IPFIRE) > DIR_APP =3D $(DIR_SRC)/$(THISAPP) > =20 > @@ -47,7 +47,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_MD5 =3D 405116b5cc90b72216afccc54025afbc > +$(DL_FILE)_MD5 =3D 34954869627f62f9992808b6cff0d0a9 > =20 > install : $(TARGET) > =20 >=20 --===============1641882906540721138==--