v1.3.1

@fxamacker fxamacker released this 24 Nov 23:49
· 601 commits to master since this release
3677ff0

Release v1.3.1 (Nov 24, 2019)

Issue #46 resulted in filing an erratum to RFC 7049 (CBOR) after the same mistake was found in both RFC 7049 and Wikipedia. The RFC 7049 author (cabo) confirmed within an hour directly in #46, which was super nice of him.

I'll let fuzzing continue for 1-10 days, due in part to issue #46 and the initial valid fuzzing corpus. Maybe it'll generate fewer corpus files this time to reach a good stopping point.

Most users of v1.3.0 won't notice any practical difference from these bugfixes. They involve data validation rules and an obscure difference in the sorting rule for canonical encoding.

Changes include:

  • Fix: Relax decoding restriction on CBOR int to Go float (commit 71ea0c5)
  • Fix: Separate CTAP2 and RFC 7049 canonical encoding (commit 7164aa3)
  • Fix: Reject indefinite-length byte/text string if chunks are indefinite-length (commit a4adae8)
  • Fix: Reject CBOR primitive 2-byte simple value < 32 (commit aa44241)
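To illustrate why the "Separate CTAP2 and RFC 7049 canonical encoding" item matters, the added example below (not code from this library or its commits) sorts the same encoded map keys under the published RFC 7049 section 3.9 rule and under the CTAP2 rule, which compares major type first. The sample keys and all function names are constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: already-encoded, non-empty CBOR map keys.
var sampleKeys = [][]byte{
	{0x20},             // -1   (major type 1)
	{0x18, 0x18},       // 24   (major type 0)
	{0x61, 0x61},       // "a"  (major type 3)
	{0x0a},             // 10   (major type 0)
	{0x19, 0x01, 0x00}, // 256  (major type 0)
}

// lessRFC7049: shorter encoding first, then bytewise lexical order.
func lessRFC7049(a, b []byte) bool {
	if len(a) != len(b) {
		return len(a) < len(b)
	}
	return bytes.Compare(a, b) < 0
}

// lessCTAP2: lower major type (top 3 bits of the initial byte) first,
// then the same length and bytewise comparison as above.
func lessCTAP2(a, b []byte) bool {
	if ma, mb := a[0]>>5, b[0]>>5; ma != mb {
		return ma < mb
	}
	return lessRFC7049(a, b)
}

// sortedHex returns the keys in the order given by less, hex-encoded.
func sortedHex(keys [][]byte, less func(a, b []byte) bool) string {
	out := append([][]byte(nil), keys...)
	sort.Slice(out, func(i, j int) bool { return less(out[i], out[j]) })
	hex := make([]string, len(out))
	for i, k := range out {
		hex[i] = fmt.Sprintf("%x", k)
	}
	return strings.Join(hex, " ")
}

func main() {
	fmt.Printf("RFC 7049: %s\nCTAP2:    %s\n", sortedHex(sampleKeys, lessRFC7049), sortedHex(sampleKeys, lessCTAP2))
}
```

The two orders diverge only when keys of different major types are mixed in one map, so a verifier that re-encodes and compares bytes (for example before checking a signature) must use the same rule as the encoder.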

This release passed 877k+ executions (19 hours, and still running) of coverage-guided fuzzing using fxamacker/cbor-fuzz.

workers: 2, corpus: 403 (48s ago), crashers: 0, restarts: 1/10000, execs: 877930249 (12405/sec), cover: 1501, uptime: 19h39m