github paolostivanin/OTPClient v5.0.0-rc1

pre-release, 5 hours ago

Changes since beta3

First release candidate for 5.0.0 — RC hardening sweep across the shared crypto/import/export code, the search provider, the CLI counter path, and the GUI clipboard/dispose path. No new user-facing features; the focus is correctness, leak/crash fixes, and tightening attack surface.

Critical

  • db-common: validate file size before subtraction; truncated or tampered files no longer wrap into a huge gsize and trip a g_malloc abort.
  • db-common: free in_memory_dumped_data on every encrypt error path; previously leaked the plaintext database in secure memory on failure.
  • authpro / twofas: NULL-check g_file_replace; out_stream and out_gfile are now freed on every path (was crashing on disk-full / read-only / no-perms).
  • aegis: NULL-check every gcry_malloc / gcry_calloc_secure before use.
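The first Critical item is a classic unsigned-underflow bug: computing the ciphertext length as "file size minus fixed header bytes" without first checking that the file is at least that long. The following added example (not OTPClient's code) shows the unchecked subtraction beside the validated version. It assumes a hypothetical layout of a fixed IV and auth tag around the ciphertext, a file-size helper that returns -1 on error as the Cleanup section describes for common/file-size, and an illustrative 64 MiB upper bound; none of those constants are the project's real values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OTPClient's code. Hypothetical on-disk layout:
 * IV || ciphertext || tag. The constants and the cap are illustrative. */
#define IV_LEN       16
#define TAG_LEN      16
#define FIXED_BYTES  (IV_LEN + TAG_LEN)
#define MAX_DB_BYTES (64L * 1024 * 1024)

/* "Before": unsigned subtraction with no range check. For a truncated file
 * (file_size < FIXED_BYTES) the result wraps to just below SIZE_MAX, and an
 * allocation of that many bytes (g_malloc in the real code) aborts. */
size_t
ciphertext_len_unchecked (size_t file_size)
{
    return file_size - FIXED_BYTES;
}

/* "After": validate before subtracting. Returns the ciphertext length, or -1
 * when the file cannot hold a valid database: the size helper reported an
 * error, the file is shorter than the fixed bytes, or it is larger than any
 * database worth loading into (secure) memory. */
long
ciphertext_len_checked (long file_size)
{
    if (file_size < 0)               /* file-size helper signalled an error */
        return -1;
    if (file_size < FIXED_BYTES)     /* truncated: subtraction would wrap */
        return -1;
    if (file_size > MAX_DB_BYTES)    /* tampered or absurd size: refuse */
        return -1;
    return file_size - FIXED_BYTES;  /* both operands are now bounded */
}

int
main (void)
{
    printf ("unchecked(10)  = %zu (wrapped)\n", ciphertext_len_unchecked (10));
    printf ("checked(10)    = %ld\n", ciphertext_len_checked (10));
    printf ("checked(-1)    = %ld\n", ciphertext_len_checked (-1));
    printf ("checked(1000)  = %ld\n", ciphertext_len_checked (1000));
    return 0;
}
```

Doing the comparison on a signed length lets one function reject all three bad inputs (error sentinel, too short, too large) before any arithmetic happens, which is the property the release item restores.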

Security / correctness

  • common / db-common / aegis / authpro / twofas: sweep json_object_set -> json_object_set_new for freshly-allocated literals; closes the systemic refcount leak where set bumped the temporary's refcount with no local handle left to decref.
  • db-common: gcry_cipher_checktag now catches every failure, not just GPG_ERR_CHECKSUM (was returning unverified plaintext on others).
  • common: HOTP dedupe is now collision-aware via json_equal; the 32-bit jenkins+truncate hash no longer silently drops distinct tokens on import when two entries collide.
  • common: json_object_get_hash drops the 256-byte truncation; explicit bzero before free since the hashed material includes the secret.
  • common: bytes_to_hexstr NULL guard.
  • db-common: explicit_bzero on derived keys before gcry_free.
  • search-provider: refuse every method (Match, Run, ActivateResult, GetInitialResultSet, GetSubsearchResultSet) when keyword is empty, blocking arbitrary local D-Bus clients from enumerating accounts.
  • qrcode-parser: cap PNG width/height at 4096 px; validate row layout.
  • parse-uri: cap HOTP counter at 2^48.
  • secret-schema: surface async store/clear failures via desktop notification when caller passes GApplication as user_data.
  • aegis: export plaintext now lives in secure heap (gcry_calloc_secure).
  • gui/otpclient-window: NULL-check display in clipboard timer and CSS provider remove; actively clear clipboard on dispose.
  • cli/get-data: HOTP counter increment is now transactional (rolled back if update_db fails) so a failed save no longer desyncs the counter.
  • common/settings-import-export: cap import JSON at 1 MiB.
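The cli/get-data item describes making the HOTP counter increment transactional. The added example below (not OTPClient's code) models that change in isolation: an account record with a counter, a hypothetical update_db hook that reports whether the database was persisted, and the non-transactional advance beside the rolled-back version. The struct, the hook signature and the stand-in success/failure functions are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OTPClient's code. Hypothetical account record and
 * persistence hook; the real CLI's types differ. */
typedef struct {
    const char *label;
    uint64_t    counter;
} account_t;

typedef bool (*update_db_fn) (const account_t *acc);

/* Stand-ins for the real save: one succeeds, one fails the way a full or
 * read-only disk would. */
static bool
update_db_ok (const account_t *acc)
{
    (void) acc;
    return true;
}

static bool
update_db_fail (const account_t *acc)
{
    (void) acc;
    return false;
}

/* "Before": the in-memory counter is bumped whether or not the save works.
 * After a failed save the value the process holds no longer matches what is
 * on disk, which is the desync the release notes describe. */
bool
hotp_advance_nontransactional (account_t *acc, update_db_fn update_db)
{
    acc->counter++;
    return update_db (acc);
}

/* "After": bump, try to persist, roll back on failure. Memory and disk agree
 * once this returns, and a false return means no step was taken. */
bool
hotp_advance_transactional (account_t *acc, update_db_fn update_db)
{
    uint64_t previous = acc->counter;
    acc->counter = previous + 1;
    if (!update_db (acc)) {
        acc->counter = previous;   /* undo the bump: nothing was saved */
        return false;
    }
    return true;
}

/* Runs one scenario and returns the counter the client holds afterwards. */
uint64_t
counter_after (bool transactional, bool save_succeeds, uint64_t start)
{
    account_t acc = { "demo", start };
    update_db_fn update_db = save_succeeds ? update_db_ok : update_db_fail;
    if (transactional)
        hotp_advance_transactional (&acc, update_db);
    else
        hotp_advance_nontransactional (&acc, update_db);
    return acc.counter;
}

int
main (void)
{
    printf ("non-transactional, save fails: 5 -> %llu\n",
            (unsigned long long) counter_after (false, false, 5));
    printf ("transactional,     save fails: 5 -> %llu\n",
            (unsigned long long) counter_after (true, false, 5));
    printf ("transactional,     save ok:    5 -> %llu\n",
            (unsigned long long) counter_after (true, true, 5));
    return 0;
}
```

The rollback restores the exact previous value rather than decrementing, so it stays correct even if the increment logic later becomes more than a plain +1, and the boolean result is the single signal a CLI caller needs to map a failed save to a non-zero exit status.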

Cleanup

  • common/file-size: returns -1 for every error (was 0 for missing); callers audited and updated where the new semantic mattered.
  • common/aegis: refactor export to a single function-scope cleanup label.
  • db-common: load_db's bail-on-error path no longer logs CRITICAL on legitimate failures (g_return_if_fail misuse).
  • gsettings-common.h: document caller-owns-returned-value contract.
  • README + schema: correct HOTP counter wording, document that keyword= empty disables the search provider entirely.

sha256: 1d8844701ee8cd010b3921b02977b24f047ea2bc82631c6daed2cc674f3b9fad
