Respect PICFLAG to fix pinentry-qt5 build on sparc64 and friends
The build system wrongfully assumes that -fpic is enough, thereby
overriding our -fPIE defaults and resulting in relocation overflow.
ok ajacoutot@ (co-maintainer)
rpki-client: stop aligning variables in cert_parse_extensions()
While it looks a bit tidier if the variables are aligned with a tab in
the declarations, this is also a source of churn, so give up on this in
this function.
rpki-client: const for ext and OID in cert_parse_extensions()
This is the last step of sprinkling const for OpenSSL 4. Move the extension
retrieved via X509_get_ext() to a const. The extension is first passed to
the simple X509_EXTENSION_get_object() getter and in the extension parsers
to X509V3_EXT_d2i(). The OID is passed to the const correct OBJ_obj2nid()
and OBJ_obj2text().
discussed with claudio
rpki-client: cast extension passed to X509_EXTENSION_get_object()
Again this is currently a noop which is needed since this simple getter
isn't const correct in OpenSSL < 4 and LibreSSL and because OpenSSL 4
fixed this.
discussed with claudio
rpki-client: const correct cert extension handlers
The only reason the extension passed in wasn't const was X509V3_EXT_d2i(),
for which we now cast away const.
discussed with claudio
rpki-client: cast extension passed to X509V3_EXT_d2i()
This function has never modified the extensions. It only uses the extension's
object (OID) to retrieve the X509_EXT_METHOD and then calls the appropriate
d2i handler on the extension's value. OpenSSL 4 correctly added a const
qualifier to this function.
The cast is a noop right now, but once we switch the extension handlers'
signatures to take a const, this will generate a warning due to passing a
const pointer to a non-const function for OpensSL < 4 and LibreSSL.
Annotate the cast for our future selves.
discussed with claudio
rpki-client: rename certificate_policies() into cert_policies()
This is slightly more consistent with the remainder of the file.
All other extension handlers except those for ipAddrBlocks and
autonomousSysIds, which start with sbgp_ for historical reasons,
have a cert_ prefix.
discussed with claudio
MFC: Update to freeciv21 3.1.1, contains a security fix. Release notes
and more info:
https://github.com/longturn/freeciv21/releases/tag/v3.1.1https://github.com/longturn/freeciv21/security/advisories/GHSA-f76g-6w3f-f6r3
From the security advisory, fixes the following issue:
"Freeciv21 crashes with a stack overflow when receiving specially-crafted
packets. A remote attacker can use this to take down any public server. A
malicious server can use this to crash the game on the player's machine.
Authentication is not needed and, by default, logs do not contain any
useful information."
rpki-client: cast away const for X509_get_X509_PUBKEY()
In cert_check_spki() the pubkey is a libcrypto-internal pointer hanging
off cert->x509, which is then passed to the very const-incorrect getter
X509_PUBKEY_get0_param(): that's a piece of art which hands back pointers
to things deeper down in the x509 - some of them const, some non-const.
OpenSSL 3 made its X509_PUBKEY argument const, but their X509_ALGOR **
still isn't. I don't believe they thought about this in #11894 as they
had a more important _cmp() vs _eq() bikeshed to sort out.
discussed with claudio
Update to freeciv21, contains a security fix. Release notes and more
info:
https://github.com/longturn/freeciv21/releases/tag/v3.1.1https://github.com/longturn/freeciv21/security/advisories/GHSA-f76g-6w3f-f6r3
From the security advisory, fixes the following issue:
"Freeciv21 crashes with a stack overflow when receiving specially-crafted
packets. A remote attacker can use this to take down any public server. A
malicious server can use this to crash the game on the player's machine.
Authentication is not needed and, by default, logs do not contain any
useful information."
rpki-client: make the X509_NAME *xissuer const
X509_get_issuer_name() isn't const correct in LibreSSL and OpenSSL < 4
and it returns a modifiable X509_NAME *. The xissuer is only passed to
X509_NAME_oneline() which takes a const X509_NAME, so it can be const.
discussed with claudio
Fix leap year detection.
Found and initial diff from Alvar Penning, shorter diff from me (I
guess it's a matter of taste).
ok jca@, who would do it the same way.
If a fd satisfies both POLLIN and POLLOUT in the same cycle, but the
POLLIN resulted in a file close, the POLLOUT runs incorrectly which
matters in the TLS context which attempts to read after free.
from James J. Lippard
ok millert
backout to rspamd 3.14.3 for now, I'm hitting some fairly heavy FD leak
on the milter socket on my postfix+rspamd setup (noticed when it hit 4k
FDs and bumped into limits) and not in a good position to attempt debug
atm.
Prevent integer overflow in regex repetition count
Limit the repetition count to 255 like POSIX does. Also avoid a
crash when the repetition is the first atom parsed.
From Renaud Allard.