From 4dc3da9db75257e84a3365a9e01473573f41dd66 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Niels=20M=C3=B6ller?= Date: Fri, 2 Jan 2026 16:48:55 +0100 Subject: [PATCH] ChangeLog and NEWS update for sexp parser fixes. --- ChangeLog | 5 +++++ NEWS | 7 +++++++ 2 files changed, 12 insertions(+) diff --git a/ChangeLog b/ChangeLog index 203d5f9f..0239f641 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2026-01-02 Niels Möller + + * sexp.c (sexp_iterator_exit_list): Rewrite to not recurse via + sexp_iterator_next. + 2025-12-17 Niels Möller * sexp.c (sexp_iterator_simple): Fix off-by-one error in length diff --git a/NEWS b/NEWS index 8b6d095a..b9bba8b9 100644 --- a/NEWS +++ b/NEWS @@ -130,6 +130,13 @@ NEWS for the Nettle 4.0 release Baryshkov years ago, but delayed, since it implies an ABI break. + Bug fixes: + + * Fix off-by-one bug in sexp parser, which could result in a + one byte overread on invalid input. Also fix excessive + recursion and stack usage for some inputs. Both problems + reported via oss-fuzz. + New features: * Support for SLH-DSA signatures (stateless hash-based digital -- 2.47.3
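Review bot: In the NEWS hunk, the new "Bug fixes" entry says only "sexp parser" and "some inputs", so a reader who parses untrusted S-expressions cannot tell which entry points are affected. The ChangeLog lines in this same patch name them: sexp_iterator_simple for the off-by-one and sexp_iterator_exit_list for the recursion. Consider naming those functions in the NEWS text and stating what kind of input triggers the excessive recursion, so that users can judge their exposure without reading the ChangeLog.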