The NetBSD Project

CVS log for pkgsrc/devel/libidn/distinfo



Default branch: MAIN
Current tag: pkgsrc-2015Q2


Revision 1.59.4.1, Mon Aug 24 18:45:09 2015 UTC (8 years, 7 months ago) by tron
Branch: pkgsrc-2015Q2
Changes since 1.59: +4 -4 lines

Pullup ticket #4795 - requested by he
devel/libidn: security update

Revisions pulled up:
- devel/libidn/Makefile                                         1.93-1.94
- devel/libidn/distinfo                                         1.60-1.61

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Thu Jul  9 14:02:04 UTC 2015

   Modified Files:
   	pkgsrc/devel/libidn: Makefile distinfo

   Log Message:
   Update to 1.31:

   * Version 1.31 (released 2015-07-08) [bet

   ** libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059
   This function has always been documented to not validate that the
   input UTF-8 string is actually valid UTF-8.  Like the rest of the API,
   when you call a function that works on UTF-8 data, you have to pass it
   valid UTF-8 data.  Application writers appear to have difficulties
   using interfaces designed like that, as bugs triggered by invalid
   UTF-8 have been identified in a number of projects (jabberd2, gnutls,
   wget, and curl).  While we could introduce a new API to perform UTF-8
   validation, so that applications can easily implement the proper
   checks, this appears error prone because there is a risk that the check
   will be forgotten.  Instead, we took the more radical approach of
   modifying the documentation and the implementation of the API.  The
   intention is that all functions that accept UTF-8 data should
   validate it before use.  This will solve the problem for applications,
   without needing to change them.  This change has the unfortunate
   side-effect that Surrogate codes (see section 5.5 of RFC 3454) no
   longer trigger the STRINGPREP_CONTAINS_PROHIBITED error code but
   instead will trigger the newly introduced STRINGPREP_ICONV_ERROR error
   code, as the gnulib/libunistring-based code that we use to test
   UTF-8-compliance rejects Surrogate codes.  We hope that this is an
   acceptable cost to live with in order to improve application security.
   We welcome feedback on this solution, and we are marking this release
   as beta rather than stable to signal that we may reconsider this
   approach if people disagree.  Reported by several people including
   Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos
   Mavrogiannopoulos.

   ** libidn: Added STRINGPREP_ICONV_ERROR error code.

   ** libidn: Workaround valgrind/gcc/glibc issue.
   Valgrind reported an 'Invalid read of size 4' that was caused by
   optimized strlen implementation.  Reported and patch by Alessandro
   Ghedini <alessandro@ghedini.me>.

   ** build: Use LOG_COMPILER instead of TESTS_ENVIRONMENT to fix valgrind use.
   Errors caught by valgrind did not always trigger 'make check' failures
   before.

   ** i18n: Updated Danish translation.
   Thanks to Joe Hansen.

   ** API and ABI are backwards compatible with the previous version.

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Thu Aug  6 07:54:57 UTC 2015

   Modified Files:
   	pkgsrc/devel/libidn: Makefile distinfo

   Log Message:
   Update to 1.32:

   * Version 1.32 (released 2015-08-01) [beta]

   ** libidn: Fix crash in idna_to_unicode_8z8z and idna_to_unicode_8zlz.
   This problem was introduced in 1.31.  Reported by Adam Sampson.

   ** API and ABI are backwards compatible with the previous version.
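
The 1.31 notes above describe stringprep_utf8_to_ucs4 rejecting invalid UTF-8, with surrogate codes among the rejected input. As an added example (not libidn or pkgsrc code; per the notes, libidn's own check is gnulib/libunistring-based), here is a strict validator of the kind an application can run on untrusted input before handing it to a UTF-8 API. The name `utf8_is_valid` is hypothetical and the sample byte strings are constructed.

```c
#include <stdio.h>

/* Hypothetical helper, not part of the libidn API: returns 1 if the
   NUL-terminated string s is well-formed UTF-8, 0 otherwise. */
int utf8_is_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;

    while (*p) {
        unsigned long cp, min;
        int extra, i;

        if (*p < 0x80) { p++; continue; }          /* ASCII */
        else if ((*p & 0xE0) == 0xC0) { cp = *p & 0x1F; extra = 1; min = 0x80; }
        else if ((*p & 0xF0) == 0xE0) { cp = *p & 0x0F; extra = 2; min = 0x800; }
        else if ((*p & 0xF8) == 0xF0) { cp = *p & 0x07; extra = 3; min = 0x10000; }
        else return 0;       /* stray continuation byte or 0xF8..0xFF */
        p++;
        for (i = 0; i < extra; i++, p++) {
            /* The terminating NUL fails this test as well, so a sequence
               cut short by the end of the string is rejected without
               reading past the terminator. */
            if ((*p & 0xC0) != 0x80)
                return 0;
            cp = (cp << 6) | (*p & 0x3F);
        }
        if (cp < min) return 0;                     /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0; /* surrogate code */
        if (cp > 0x10FFFF) return 0;                /* beyond Unicode */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const char *const samples[] = {
        "example.org",       /* plain ASCII */
        "b\xC3\xBC" "cher",  /* U+00FC, valid two-byte sequence */
        "\xED\xA0\x80",      /* U+D800, a surrogate code */
        "abc\xE2\x82",       /* three-byte sequence cut short */
        "\xC0\xAF",          /* overlong encoding of '/' */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %u: %s\n", (unsigned)i,
               utf8_is_valid(samples[i]) ? "valid" : "rejected");
    return 0;
}
```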

Revision 1.59, Thu Mar 5 21:05:14 2015 UTC (9 years, 1 month ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base, pkgsrc-2015Q1-base, pkgsrc-2015Q1
Branch point for: pkgsrc-2015Q2
Changes since 1.58: +5 -6 lines

Update to 1.30. Add comment to one patch, and remove another patch
for which there is no comment and which I don't understand.

New in 1.30:

* Version 1.30 (released 2015-03-02) [stable]

** libidn: The punycode.{c,h} files were re-imported from RFC 3492bis.
A comment explaining the origin and what was changed was added.

** Bump gettext to 0.19.3.

** Use LT_INIT instead of AC_LIBTOOL_WIN32_DLL.

** i18n: Added Hungarian translation.  Updated some other languages.
Thanks to Balázs r.

** API and ABI are backwards compatible with the previous version.
