* Version 1.34 (2018-03-31)
** libidn: Fix integer overflow in combine_hangul()
Found by fuzzing.
** libidn: Fix integer overflow in punycode decoder
Found by fuzzing, fix for the fix reported by Christian Weisgerber
** libidn: Fix performance issue in idna_to_unicode_internal()
Found by fuzzing.
** libidn: Fix performance issue in stringprep functions.
Found by fuzzing.
** libidn: Fix NULL pointer dereference in g_utf8_normalize()
Found by fuzzing.
** libidn: Fix NULL pointer dereference in stringprep_ucs4_nfkc_normalize()
Found by fuzzing.
** libidn: Increase performance of stringprep functions
Found by fuzzing.
** testing: Add OSS-fuzz integration and regression testing
** build: Update gnulib files
** build: Modernize GTK-Doc build
** build: Fix parallel builds
** build: Add configure flag --disable-doc
** build: Add configure flag --enable-ubsan (enable UB Sanitizer)
** build: Add configure flag --enable-asan (enable Address Sanitizer)
** build: Fix compiler warnings
** build: Fix build for gcc-7
** i18n: Added Swedish translation.
Thanks to Josef Andersson.
** API and ABI is backwards compatible with the previous version.
MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
* Version 1.33 (released 2016-07-20) [beta]
** libidn: Fix out-of-bounds stack read in idna_to_ascii_4i.
See tests/tst_toascii64oob.c for regression check (and the comment in
it on how to use it). Reported by Hanno Böck <hanno@hboeck.de>.
** idn: Solve out-of-bounds-read when reading one zero byte as input.
Also replaced fgets with getline. Reported by Hanno Böck <hanno@hboeck.de>.
** libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8.
It was always documented to only accept UTF-8 data, but now it doesn't
crash when presented with such data. Reported by Hanno Böck.
** Dropped valgrind suppressions file, should no longer be needed.
** API and ABI is backwards compatible with the previous version.
Issues found with existing distfiles:
distfiles/eclipse-sourceBuild-srcIncluded-3.0.1.zip
distfiles/fortran-utils-1.1.tar.gz
distfiles/ivykis-0.39.tar.gz
distfiles/enum-1.11.tar.gz
distfiles/pvs-3.2-libraries.tgz
distfiles/pvs-3.2-linux.tgz
distfiles/pvs-3.2-solaris.tgz
distfiles/pvs-3.2-system.tgz
No changes made to these distinfo files.
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
* Version 1.32 (released 2015-08-01) [beta]
** libidn: Fix crash in idna_to_unicode_8z8z and idna_to_unicode_8zlz.
This problem was introduced in 1.31. Reported by Adam Sampson.
** API and ABI is backwards compatible with the previous version.
* Version 1.31 (released 2015-07-08) [beta]
** libidn: stringprep_utf8_to_ucs4 now rejects invalid UTF-8. CVE-2015-2059
This function has always been documented to not validate that the
input UTF-8 string is actually valid UTF-8. Like the rest of the API,
when you call a function that works on UTF-8 data, you have to pass it
valid UTF-8 data. Application writers appear to have difficulties
using interfaces designed like that, as bugs triggered by invalid
UTF-8 have been identified in a number of projects (jabberd2, gnutls,
wget, and curl). While we could introduce a new API to perform UTF-8
validation, so that applications can easily implement the proper
checks, this appears error prone because there is a risk that the check
will be forgotten. Instead, we took the more radical approach of
modifying the documentation and the implementation of the API. The
intention is that all functions that accept UTF-8 data should
validate it before use. This will solve the problem for applications,
without needing to change them. This change has the unfortunate
side-effect that Surrogate codes (see section 5.5 of RFC 3454) no
longer trigger the STRINGPREP_CONTAINS_PROHIBITED error code but
instead will trigger the newly introduced STRINGPREP_ICONV_ERROR error
code, as the gnulib/libunistring-based code that we use to test
UTF-8-compliance rejects Surrogate codes. We hope that this is an
acceptable cost to live with in order to improve application security.
We welcome feedback on this solution, and we are marking this release
as beta rather than stable to signal that we may reconsider this
approach if people disagree. Reported by several people including
Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos
Mavrogiannopoulos.
** libidn: Added STRINGPREP_ICONV_ERROR error code.
** libidn: Workaround valgrind/gcc/glibc issue.
Valgrind reported an 'Invalid read of size 4' that was caused by
optimized strlen implementation. Reported and patch by Alessandro
Ghedini <alessandro@ghedini.me>.
** build: Use LOG_COMPILER instead of TESTS_ENVIRONMENT to fix valgrind use.
Errors caught by valgrind did not always trigger 'make check' failures
before.
** i18n: Updated Danish translation.
Thanks to Joe Hansen.
** API and ABI is backwards compatible with the previous version.
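The 1.31 entry above says that UTF-8 input is now validated before use and that encoded Surrogate codes are rejected at that stage, before any RFC 3454 prohibited-character check can see them. The following C sketch is an added example, not code from libidn or gnulib, and shows the checks such a validator performs; the names utf8_check and enum utf8_err are hypothetical and the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; not libidn or gnulib identifiers. */
enum utf8_err { UTF8_OK, UTF8_BAD_LEAD, UTF8_TRUNCATED, UTF8_BAD_CONT,
                UTF8_OVERLONG, UTF8_SURROGATE, UTF8_OUT_OF_RANGE };

/* Validate s[0..len) as UTF-8 per RFC 3629 without reading past len. */
enum utf8_err utf8_check(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = s[i];
        size_t need;          /* continuation bytes required */
        uint32_t cp, min;     /* decoded code point, smallest legal value */

        if (b < 0x80) { i++; continue; }
        if ((b & 0xE0) == 0xC0)      { need = 1; cp = b & 0x1F; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { need = 3; cp = b & 0x07; min = 0x10000; }
        else return UTF8_BAD_LEAD;   /* stray continuation byte or 0xF8..0xFF */

        if (len - i - 1 < need)      /* i < len, so this cannot underflow */
            return UTF8_TRUNCATED;
        for (size_t k = 1; k <= need; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return UTF8_BAD_CONT;
            cp = (cp << 6) | (s[i + k] & 0x3Fu);
        }
        if (cp < min) return UTF8_OVERLONG;               /* e.g. C0 80 */
        if (cp >= 0xD800 && cp <= 0xDFFF) return UTF8_SURROGATE;
        if (cp > 0x10FFFF) return UTF8_OUT_OF_RANGE;
        i += need + 1;
    }
    return UTF8_OK;
}

int main(void)
{
    /* Constructed samples: valid text, an encoded surrogate (U+D800),
       and a sequence cut off after its second byte. */
    static const struct { const char *bytes; size_t len; } t[] = {
        { "caf\xC3\xA9", 5 }, { "\xED\xA0\x80", 3 }, { "\xE2\x82", 2 },
    };
    for (size_t n = 0; n < sizeof t / sizeof t[0]; n++)
        printf("sample %zu -> %d\n", n,
               (int)utf8_check((const unsigned char *)t[n].bytes, t[n].len));
    return 0;
}
```

Because the surrogate fails while the bytes are still being decoded, a caller sees an encoding error rather than a prohibited-character error, which is the side-effect the entry describes.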
for which there is no comment and which I don't understand.
New in 1.30:
* Version 1.30 (released 2015-03-02) [stable]
** libidn: The punycode.{c,h} files were re-imported from RFC 3492bis.
A comment explaining the origin and what was changed was added.
** Bump gettext to 0.19.3.
** Use LT_INIT instead of AC_LIBTOOL_WIN32_DLL.
** i18n: Added Hungarian translation. Updated some other languages.
Thanks to Balázs Úr.
** API and ABI is backwards compatible with the previous version.
* Version 1.29 (released 2014-08-10) [stable]
** libidn: Mark internal variable "g_utf8_skip" as static.
Reported by Thomas Dineen <tdineen@ix.netcom.com>.
** idn: Flush stdout to simplify for tools that buffer too heavily.
Tiny patch from Hugh Daschbach <hugh@ccss.com>.
** i18n: Added Brazilian Portuguese translation.
Thanks to Rafael Ferreira.
** Update gnulib files.
** API and ABI is backwards compatible with the previous version.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
* idn: Don't crash when string conversion from UTF-8 to locale fails.
* java: Fix build failures.
* java: TestIDNA -a and -u logic was reversed, now fixed.
* API and ABI is backwards compatible with the previous version.
* Version 1.27 (released 2013-06-05) [stable]
** Java library can be built using Maven. Speed improvements.
Thanks to several patches from Stefan Larsson. Testing indicates 70-90
times faster node/name/resource-prep.
** Update gnulib files and translations.
** API and ABI is backwards compatible with the previous version.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
* Version 1.26 (released 2012-12-11) [stable]
** libidn, idna_to_ascii: Propagate error on malloc failure.
Reported by Sarat Chandra Addepalli <s.addepalli@samsung.com>.
** libidn, tld_get_4: Fix out of bounds read access violation.
** i18n: Added Croatian translation. Updated Vietnamese translation.
Thanks to Tomislav Krznar and Trần Ngọc Quân.
** java: Permit usage by Apache projects.
Thanks to Oliver Hitz and Angus Turner.
** tests: Improve tld self-tests.
** API and ABI is backwards compatible with the previous version.
* Version 1.25 (released 2012-05-23) [stable]
** MSVC: Build fixes related to _GL_ATTRIBUTE_CONST and _GL_ATTRIBUTE_PURE.
Reported by Bartosz Brachaczek <b.brachaczek@gmail.com>.
** examples: Fix compiler warning about ignoring return value from fgets.
** tests: Ship with a valgrind suppressions file for the strlen issue.
See tests/libidn.supp and bottom of HACKING for discussion.
** Update gnulib files and translations.
** API and ABI is backwards compatible with the previous version.
* Libraries are re-licensed from LGPLv2+ to dual-GPLv2+|LGPLv3+.
* build: Fix parallel Windows builds.
* libidn: Fix potential infloop in pr29 code.
* libidn: Add 'const' keyword to 'stringprep_ucs4_nfkc_normalize' function.
* Sync glib NFKC code and improve copyright/license statements.
* Update gnulib files and translations.
* API and ABI is backwards compatible with the previous version.
* Version 1.23 (released 2011-11-25) [stable]
** stringprep.h: Now #include's sys/types.h instead of unistd.h for ssize_t.
Some systems (e.g., Mingw with MSVC 9) do not have unistd.h.
** idn-free.h: Protect prototypes with 'extern "C"' marker.
Reported by Bittner Ede <bittner.ede@euronetrt.hu>.
** doc: Update link to experimental TLD tables.
The new link is <https://github.com/gnuthor/tldchk>.
** Update gnulib files and translations.
** QA: Improved cyclo output. Update GTK-DOC files. Various bugfixes.
** API and ABI is backwards compatible with the previous version.
* Add -liconv as static library requirement in libidn.pc, for MinGW.
* Fix memory leak in idna_to_ascii_4z when idna_to_ascii_4i fails.
* Ran clang-analyze on the code. Fixed some dead assignments/initializations.
* Really distribute win32/libidn4win.mk.
* API and ABI is backwards compatible with the previous version.
* Version 1.21 (released 2011-04-24) [stable]
** build/gettext: Demand gettext >= 0.18.1 in order to get newer M4 files.
The old M4 files associated with 0.17 caused problems on Solaris,
hopefully now fixed. Reported by Dagobert Michelsen <dam@opencsw.org>
in <http://thread.gmane.org/gmane.comp.lib.gnulib.bugs/25522>.
** build: Improve MinGW cross-compile makefile, see win32/libidn4win.mk.
** build: Visual Studio files fixed to define LIBIDN_BUILDING.
Tiny patch from Waqas Hussain <waqas20@gmail.com>.
** API and ABI is backwards compatible with the previous version.
* Version 1.20 (released 2011-03-01) [?]
** libidn: Fix bug in ToUnicode to compare 'xn--' case-insensitively.
The problem is typically noticed when an upper ACE case string is
converted to Unicode. Before, this would return the input rather than
converting the ACE form to Unicode. Reported by Stepan Golosunov
<stepan@golosunov.pp.ru> in <http://bugs.debian.org/610617>.
** tests: Added self-test tst_idna3 to catch any regression of problem above.
** idn: Only print copyright and license blurb when used interactively.
Reported by "Andrew O. Shadoura" <bugzilla@tut.by> and Roman Mamedov
<rm@romanrm.ru> in <http://bugs.debian.org/615947> and
<http://bugs.debian.org/615949> respectively.
** Update gnulib files and translations.
** API and ABI is backwards compatible with the previous version.
* Version 1.19 (released 2010-05-22) [stable]
** doc: Typo fixes. Added PDF version of API reference manual.
See doc/reference/libidn.pdf.
** build: Update gnulib files.
** build: Use valgrind -q to reduce verbosity.
** API and ABI is backwards compatible with the previous version.
* Version 1.18 (released 2010-02-15) [stable]
** libidn: Put forgotten symbols under old namespace.
Reverts one unnecessary change introduced in 1.17. Suggested by Marco
d'Itri <md@linux.it>.
* Version 1.17 (released 2010-02-05)
** Fix symbol export problem for a few variables.
Applications (that use these rarely used variables) built against
versions before 1.13 did not work with libidn versions 1.13 to 1.16.
Symbol versioning was introduced in version 1.13 but by accident some
symbols that were visible before that release were not exported, and
the consequence was that those symbols were not available in version
1.13 to 1.16. This release fixes the problem, so the symbols are
visible again, making this release backwards compatible with all
earlier releases.
The affected symbols are the following variables:
stringprep_iscsi_prohibit, stringprep_rfc3454_A_1,
stringprep_rfc3454_B_1, stringprep_rfc3454_B_2,
stringprep_rfc3454_B_3, stringprep_rfc3454_C_1_1,
stringprep_rfc3454_C_1_2, stringprep_rfc3454_C_2_1,
stringprep_rfc3454_C_2_2, stringprep_rfc3454_C_3,
stringprep_rfc3454_C_4, stringprep_rfc3454_C_5,
stringprep_rfc3454_C_6, stringprep_rfc3454_C_7,
stringprep_rfc3454_C_8, stringprep_rfc3454_C_9,
stringprep_rfc3454_D_1, stringprep_rfc3454_D_2,
stringprep_saslprep_space_map.
Thanks to Marco d'Itri <md@linux.it> for reporting
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561291> that led to
discovering this problem.
** Really fix the link error of self-tests on MinGW.
** API and ABI is backwards compatible with the previous version.
** java: Add a Maven pom.xml project file.
Contributed by Guus der Kinderen <guus.der.kinderen@gmail.com>.
** Fix a link error on MinGW.
** API and ABI is backwards compatible with the previous version.
* Version 1.15 (released 2009-06-08)
** libidn: Use c_strcasecmp instead of strcasecmp.
For portability to NetWare CLIB. The specification requires an ASCII
comparison, so it is also more appropriate to use c_strcasecmp.
Reported by Guenter Knauf <gk@gknw.de>.
** java: Fix some Java compiler warnings.
** doc: Improved sections for the info manual.
We now follow the advice given by the texinfo manual on which
directory categories to use. In particular, libidn moved from the
'GNU Libraries' section to the 'Software libraries' and 'Invoking idn'
moved from 'GNU utilities' to 'Localization'.
** New configure parameters to set packaging specific information.
The parameters are --with-packager, --with-packager-version, and
--with-packager-bug-reports. See
<http://article.gmane.org/gmane.comp.lib.gnulib.bugs/17791> for more
details.
** API and ABI is backwards compatible with the previous version.
Building with texinfo 4.1 causes build errors mentioning unknown commands
"copying" (according to texinfo NEWS file introduced in texinfo 4.2) and
"ordf" (NEWS tells us texinfo 4.7) before killing the build.
* Version 1.14 (released 2009-04-03)
** libidn: Install a libidn-*.def file when building under MinGW.
The file is useful if you develop programs in Visual Studio that link
to libidn.
** tests/tst_toutf8: Don't crash if stringprep_utf8_to_locale returns NULL.
Reported by Dagobert Michelsen <dam@opencsw.org> in
<http://thread.gmane.org/gmane.comp.gnu.libidn.general/192>.
** API and ABI is backwards compatible with the previous version.
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit markers, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
* Version 1.13 (released 2009-03-06)
** libidn: Use a LD version script on platforms where it is supported.
Currently only GNU LD and the Solaris linker support it. This helps
Debian package tools to produce better dependencies. Before we used
Libtool -export-symbols-regex that created an anonymous version tag.
Libidn uses -export-symbols-regex if the system does not support LD
version scripts, but that only affects symbol visibility.
** libidn: Compiled with -fvisibility=hidden by default if supported.
Currently only GCC supports it for ELF targets. This hides internal
symbols and has other advantages, see
<http://gcc.gnu.org/wiki/Visibility>.
** libidn: Compiled with warning flags only when GCC is used.
This avoids the problem that some flags confuse non-GCC compilers, for
example -fdiagnostics-show-option. Reported by
jens.rehsack@bayerbbs.com.
** doc: The idn_free function is now documented.
Suggested by "Sisyphus" <sisyphus1@optusnet.com.au>.
** API and ABI is backwards compatible with the previous version.
* Version 1.12 (released 2009-01-23)
** idn: New parameter --no-tld to deprecate the old parameter --tld.
The new parameter --no-tld disables TLD checking of the input string.
The --tld parameter was broken; it behaved opposite to its documented
behaviour. To avoid confusion over what --tld means, we decided to
deprecate it. Now --tld is not printed in the idn --help output, but
will continue to work as before.
** doc: Modernize doxygen configuration.
** doc: Change license on the manual to GFDLv1.3+.
** doc: Improve JavaDoc output.
** Update gnulib files and translations.
** Build with more warnings.
* Version 1.11 (released 2008-10-28)
** libidn: New WARN_CFLAGS configure variable.
It is used internally to add -Werror and other warnings flags, to
catch coding mistakes before releases.
** Win32: Perl is no longer required to build Libidn in Visual Studio.
** Win32: Functions in idna.h are also exported.
Reported by Adam Strzelecki <adam.strzelecki@java.pl>.
** doc: Included cyclomatic code complexity charts of the library code.
See doc/cyclo/.
** tests: Add more self-tests to get more self-test code coverage.
** tests: New 'make coverage' command to generate code coverage reports.
The output is created in doc/coverage/. Requires the LCOV tools. See
http://www.gnu.org/software/libidn/coverage/ for a pre-generated copy.
** Clarify copyright and license for gdoc, man pages, and C# port.
** Update gnulib files and translations.
** API and ABI is backwards compatible with the previous version.
* Version 1.10 (released 2008-08-27)
** idn: accept -n as short form for --nfkc.
Before '-k' was used as the short form, but all documentation has said
'-n'. We now accept both short forms, and -n remains the documented
short form. Reported by John McGowan <jmcgowan@inch.com> in
<http://lists.gnu.org/archive/html/help-libidn/2008-08/msg00000.html>.
** Fix compiler warnings.
** Update gnulib files.
** Update translations.
** API and ABI is backwards compatible with the previous version.