From 036bc4ce34510b37bf335e02f099dace70dd997660220b23217f009cb262381d Mon Sep 17 00:00:00 2001 From: Andreas Stieger Date: Sat, 11 Apr 2015 19:08:10 +0000 Subject: [PATCH] Accepting request 295423 from security:privacy 1 OBS-URL: https://build.opensuse.org/request/show/295423 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=100 --- ...legacy-keys-while-searching-keyrings.patch | 76 ------------- gnupg-2.0.18-files-are-digests.patch | 34 +++--- gnupg-2.1.2.tar.bz2 | 3 - gnupg-2.1.2.tar.bz2.sig | Bin 287 -> 0 bytes gnupg-2.1.3.tar.bz2 | 3 + gnupg-2.1.3.tar.bz2.sig | Bin 0 -> 287 bytes gnupg-add_legacy_FIPS_mode_option.patch | 22 ++-- gpg2.changes | 30 +++++ gpg2.spec | 6 +- ...t-name-verification-when-using-pools.patch | 104 ------------------ 10 files changed, 62 insertions(+), 216 deletions(-) delete mode 100644 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch delete mode 100644 gnupg-2.1.2.tar.bz2 delete mode 100644 gnupg-2.1.2.tar.bz2.sig create mode 100644 gnupg-2.1.3.tar.bz2 create mode 100644 gnupg-2.1.3.tar.bz2.sig delete mode 100644 hkps-fix-host-name-verification-when-using-pools.patch diff --git a/0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch b/0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch deleted file mode 100644 index 64b768e..0000000 --- a/0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch +++ /dev/null @@ -1,76 +0,0 @@ -From a8116aacd91b7e775762a62c268fab6cc3c77438 Mon Sep 17 00:00:00 2001 -From: Werner Koch -Date: Mon, 23 Feb 2015 16:37:57 +0100 -Subject: [PATCH] gpg: Skip legacy keys while searching keyrings. - -* g10/getkey.c (search_modes_are_fingerprint): New. -(lookup): Skip over legacy keys. --- - -GnuPG-bug-id: 1847 -Signed-off-by: Werner Koch ---- - g10/getkey.c | 39 +++++++++++++++++++++++++++++++++++++-- - 1 file changed, 37 insertions(+), 2 deletions(-) - -diff --git a/g10/getkey.c b/g10/getkey.c -index 76ee493..116753c 100644 ---- a/g10/getkey.c -+++ b/g10/getkey.c -@@ -2525,6 +2525,29 @@ found: - } - - -+/* Return true if all the search modes are fingerprints. */ -+static int -+search_modes_are_fingerprint (getkey_ctx_t ctx) -+{ -+ size_t n, found; -+ -+ for (n=found=0; n < ctx->nitems; n++) -+ { -+ switch (ctx->items[n].mode) -+ { -+ case KEYDB_SEARCH_MODE_FPR16: -+ case KEYDB_SEARCH_MODE_FPR20: -+ case KEYDB_SEARCH_MODE_FPR: -+ found++; -+ break; -+ default: -+ break; -+ } -+ } -+ return found && found == ctx->nitems; -+} -+ -+ - /* The main function to lookup a key. On success the found keyblock - is stored at RET_KEYBLOCK and also in CTX. If WANT_SECRET is true - a corresponding secret key is required. */ -@@ -2534,9 +2557,21 @@ lookup (getkey_ctx_t ctx, kbnode_t *ret_keyblock, int want_secret) - int rc; - int no_suitable_key = 0; - -- rc = 0; -- while (!(rc = keydb_search (ctx->kr_handle, ctx->items, ctx->nitems, NULL))) -+ for (;;) - { -+ rc = keydb_search (ctx->kr_handle, ctx->items, ctx->nitems, NULL); -+ /* Skip over all legacy keys but only if they are not requested -+ by fingerprints. -+ Fixme: The lower level keydb code should actually do that but -+ then it would be harder to report the number of skipped -+ legacy keys during import. */ -+ if (gpg_err_code (rc) == GPG_ERR_LEGACY_KEY -+ && !(ctx->nitems && ctx->items->mode == KEYDB_SEARCH_MODE_FIRST) -+ && !search_modes_are_fingerprint (ctx)) -+ continue; -+ if (rc) -+ break; -+ - /* If we are searching for the first key we have to make sure - that the next iteration does not do an implicit reset. - This can be triggered by an empty key ring. */ --- -2.1.4 - diff --git a/gnupg-2.0.18-files-are-digests.patch b/gnupg-2.0.18-files-are-digests.patch index 5b69f43..63fd170 100644 --- a/gnupg-2.0.18-files-are-digests.patch +++ b/gnupg-2.0.18-files-are-digests.patch @@ -1,14 +1,14 @@ --- g10/gpg.c | 4 +++ g10/options.h | 1 - g10/sign.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++----- - 3 files changed, 66 insertions(+), 5 deletions(-) + g10/sign.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------ + 3 files changed, 67 insertions(+), 6 deletions(-) -Index: gnupg-2.1.2/g10/gpg.c +Index: gnupg-2.1.3/g10/gpg.c =================================================================== ---- gnupg-2.1.2.orig/g10/gpg.c -+++ gnupg-2.1.2/g10/gpg.c -@@ -349,6 +349,7 @@ enum cmd_and_opt_values +--- gnupg-2.1.3.orig/g10/gpg.c 2015-04-06 14:03:32.000000000 +0200 ++++ gnupg-2.1.3/g10/gpg.c 2015-04-11 20:45:24.000000000 +0200 +@@ -352,6 +352,7 @@ enum cmd_and_opt_values oTTYtype, oLCctype, oLCmessages, @@ -16,7 +16,7 @@ Index: gnupg-2.1.2/g10/gpg.c oXauthority, oGroup, oUnGroup, -@@ -730,6 +731,7 @@ static ARGPARSE_OPTS opts[] = { +@@ -738,6 +739,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_s (oPersonalCompressPreferences, "personal-compress-preferences", "@"), ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"), @@ -24,7 +24,7 @@ Index: gnupg-2.1.2/g10/gpg.c /* Aliases. I constantly mistype these, and assume other people do as well. */ -@@ -2127,6 +2129,7 @@ main (int argc, char **argv) +@@ -2148,6 +2150,7 @@ main (int argc, char **argv) opt.def_cert_expire = "0"; set_homedir (default_homedir ()); opt.passphrase_repeat = 1; @@ -32,7 +32,7 @@ Index: gnupg-2.1.2/g10/gpg.c opt.emit_version = 1; /* Limit to the major number. */ /* Check whether we have a config file on the command line. */ -@@ -2632,6 +2635,7 @@ main (int argc, char **argv) +@@ -2661,6 +2664,7 @@ main (int argc, char **argv) opt.verify_options&=~VERIFY_SHOW_PHOTOS; break; case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; @@ -40,11 +40,11 @@ Index: gnupg-2.1.2/g10/gpg.c case oForceMDC: opt.force_mdc = 1; break; case oNoForceMDC: opt.force_mdc = 0; break; -Index: gnupg-2.1.2/g10/options.h +Index: gnupg-2.1.3/g10/options.h =================================================================== ---- gnupg-2.1.2.orig/g10/options.h -+++ gnupg-2.1.2/g10/options.h -@@ -192,6 +192,7 @@ struct +--- gnupg-2.1.3.orig/g10/options.h 2015-04-06 13:41:53.000000000 +0200 ++++ gnupg-2.1.3/g10/options.h 2015-04-11 20:45:24.000000000 +0200 +@@ -194,6 +194,7 @@ struct int no_auto_check_trustdb; int preserve_permissions; int no_homedir_creation; @@ -52,10 +52,10 @@ Index: gnupg-2.1.2/g10/options.h struct groupitem *grouplist; int mangle_dos_filenames; int enable_progress_filter; -Index: gnupg-2.1.2/g10/sign.c +Index: gnupg-2.1.3/g10/sign.c =================================================================== ---- gnupg-2.1.2.orig/g10/sign.c -+++ gnupg-2.1.2/g10/sign.c +--- gnupg-2.1.3.orig/g10/sign.c 2015-04-05 19:43:32.000000000 +0200 ++++ gnupg-2.1.3/g10/sign.c 2015-04-11 20:45:24.000000000 +0200 @@ -41,7 +41,7 @@ #include "pkglue.h" #include "sysutils.h" @@ -134,7 +134,7 @@ Index: gnupg-2.1.2/g10/sign.c if( multifile ) { @@ -1035,6 +1052,45 @@ sign_file (ctrl_t ctrl, strlist_t filena if( opt.verbose ) - putc( '\n', stderr ); + log_printf ("\n"); } + else if (opt.files_are_digests) { + byte *mdb, ts[5]; diff --git a/gnupg-2.1.2.tar.bz2 b/gnupg-2.1.2.tar.bz2 deleted file mode 100644 index 605451b..0000000 --- a/gnupg-2.1.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:404f5a43d591dfe41f0ffb204b49a1533b67d77bc1fd68febd7e447575616792 -size 4832996 diff --git a/gnupg-2.1.2.tar.bz2.sig b/gnupg-2.1.2.tar.bz2.sig deleted file mode 100644 index 849d6acd43977539d4e3bd4759a62cf64fee0c7dbcd984562d401f9ce6c4bc6b..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 287 zcmV+)0pR|L0UQJX0SEvF1p-vtqZ9xN2@oWkInqxh8DM7$CZAeg5jgN}#E8>3jpP4NZE4!{V93K_=)d3c@s#st9z9^nPcPIvny1v>t*f7BRr zK^E4{#LUH8hdLNy-3nlIHXFxFvx58Ho}S)?Suh4U3r6D+ZLQujo{u=W6iw4?#hq6B zXIt?rQhovM#(r31v8isUOKF8Afn_4YlVjgb&VCmBp`V39SN3MUm5z41g;TJYKrB0i lJ{|NAC-j~*O@>I#;~Z8gr|2pmf)i}tS=o6x2~Ur`{ZYR+fz1E_ diff --git a/gnupg-2.1.3.tar.bz2 b/gnupg-2.1.3.tar.bz2 new file mode 100644 index 0000000..ca422b2 --- /dev/null +++ b/gnupg-2.1.3.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:213e7fb0d74bb4e53a2d3153f309ddc077528f2cfffa2af85f2a20cc7875c8ed +size 4875813 diff --git a/gnupg-2.1.3.tar.bz2.sig b/gnupg-2.1.3.tar.bz2.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..fd0cecb069157d07f41b4995c26fa58fb36ce65a7fd459c335dbb7525642ac78 GIT binary patch literal 287 zcmV+)0pR|L0UQJX0SEvF1p-wm1XchF2@oWkInqxh09yr_OuXoZ1XiN@*kI^5!aQRB5Cb`~2W*#*x^KUo)m zn@2cpci~@o%%2K0LsP8xoSjZdN?c>&-erqRKQ~Ictav+HO9;^6>@kU_XT0MP9QTQi!AFC zOP{PL6ho+P&Vo0;>0NW)A1X5&2wH>bhLtRZA!W7l72h=3&jEio_a|gqqHo|;A*~!$ lc68t?ot!5Y?88GNZWDX;wXg5+h&oeIt$@^)LDv`{>o_jXf`tG8 literal 0 HcmV?d00001 diff --git a/gnupg-add_legacy_FIPS_mode_option.patch b/gnupg-add_legacy_FIPS_mode_option.patch index 80c29ff..4968364 100644 --- a/gnupg-add_legacy_FIPS_mode_option.patch +++ b/gnupg-add_legacy_FIPS_mode_option.patch @@ -3,11 +3,11 @@ g10/gpg.c | 9 +++++++++ 2 files changed, 27 insertions(+) -Index: gnupg-2.1.1/doc/gpg.texi +Index: gnupg-2.1.3/doc/gpg.texi =================================================================== ---- gnupg-2.1.1.orig/doc/gpg.texi -+++ gnupg-2.1.1/doc/gpg.texi -@@ -1842,6 +1842,24 @@ implies, this option is for experts only +--- gnupg-2.1.3.orig/doc/gpg.texi 2015-04-11 20:48:01.000000000 +0200 ++++ gnupg-2.1.3/doc/gpg.texi 2015-04-11 20:48:22.000000000 +0200 +@@ -1857,6 +1857,24 @@ implies, this option is for experts only understand the implications of what it allows you to do, leave this off. @option{--no-expert} disables this option. @@ -32,19 +32,19 @@ Index: gnupg-2.1.1/doc/gpg.texi @end table -Index: gnupg-2.1.1/g10/gpg.c +Index: gnupg-2.1.3/g10/gpg.c =================================================================== ---- gnupg-2.1.1.orig/g10/gpg.c -+++ gnupg-2.1.1/g10/gpg.c -@@ -381,6 +381,7 @@ enum cmd_and_opt_values - oAllowWeakDigestAlgos, +--- gnupg-2.1.3.orig/g10/gpg.c 2015-04-11 20:48:01.000000000 +0200 ++++ gnupg-2.1.3/g10/gpg.c 2015-04-11 20:48:48.000000000 +0200 +@@ -385,6 +385,7 @@ enum cmd_and_opt_values oFakedSystemTime, oNoAutostart, + oPrintPKARecords, + oSetLegacyFips, oNoop }; -@@ -769,6 +770,7 @@ static ARGPARSE_OPTS opts[] = { +@@ -777,6 +778,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"), ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"), ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"), @@ -52,7 +52,7 @@ Index: gnupg-2.1.1/g10/gpg.c /* These two are aliases to help users of the PGP command line product use gpg with minimal pain. Many commands are common -@@ -3134,6 +3136,13 @@ main (int argc, char **argv) +@@ -3170,6 +3172,13 @@ main (int argc, char **argv) case oNoAutostart: opt.autostart = 0; break; diff --git a/gpg2.changes b/gpg2.changes index 8b9a6bb..8d5186f 100644 --- a/gpg2.changes +++ b/gpg2.changes @@ -1,3 +1,33 @@ +------------------------------------------------------------------- +Sat Apr 11 18:59:42 UTC 2015 - astieger@suse.com + +- update to 2.1.3: + * gpg: LDAP keyservers are now supported by 2.1. + * gpg: New option --with-icao-spelling. + * gpg: New option --print-pka-records. Changed the PKA method to + use CERT records and hashed names. + * gpg: New command --list-gcrypt-config. New parameter "curve" + for --list-config. + * gpg: Print a NEWSIG status line like gpgsm always did. + * gpg: Print MPI values with --list-packets and --verbose. + * gpg: Write correct MPI lengths with ECC keys. + * gpg: Skip legacy PGP-2 keys while searching. + (drop 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch + now upstream) + * gpg: Improved searching for mail addresses when using a keybox. + * gpgsm: Changed default algos to AES-128 and SHA-256. + * gpgtar: Fixed extracting files with sizes of a multiple of 512. + * dirmngr: Fixed SNI handling for hkps pools. + (drop hkps-fix-host-name-verification-when-using-pools.patch + now upstream) + * dirmngr: extra-certs and trusted-certs are now always loaded + from the sysconfig dir instead of the homedir. + * Fixed possible problems due to compiler optimization, two minor + regressions, and other bugs. +- refreshed for context changes: + * gnupg-2.0.18-files-are-digests.patch + * gnupg-add_legacy_FIPS_mode_option.patch + ------------------------------------------------------------------- Mon Mar 23 11:48:24 UTC 2015 - idonmez@suse.com diff --git a/gpg2.spec b/gpg2.spec index 52e35c0..e152ad8 100644 --- a/gpg2.spec +++ b/gpg2.spec @@ -17,7 +17,7 @@ Name: gpg2 -Version: 2.1.2 +Version: 2.1.3 Release: 0 Summary: GnuPG 2 License: GPL-3.0+ @@ -33,8 +33,6 @@ Patch6: gnupg-dont-fail-with-seahorse-agent.patch Patch8: gnupg-set_umask_before_open_outfile.patch Patch9: gnupg-detect_FIPS_mode.patch Patch11: gnupg-add_legacy_FIPS_mode_option.patch -Patch15: 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch -Patch16: hkps-fix-host-name-verification-when-using-pools.patch BuildRequires: expect BuildRequires: fdupes BuildRequires: gnutls-devel >= 3.0 @@ -82,8 +80,6 @@ gpg-agent, and a keybox library. %patch8 -p1 %patch9 -p1 %patch11 -p1 -%patch15 -p1 -%patch16 -p1 %build # build PIEs (position independent executables) for address space randomisation: diff --git a/hkps-fix-host-name-verification-when-using-pools.patch b/hkps-fix-host-name-verification-when-using-pools.patch deleted file mode 100644 index 8c59a16..0000000 --- a/hkps-fix-host-name-verification-when-using-pools.patch +++ /dev/null @@ -1,104 +0,0 @@ -From dc10d466bff53821f23d2cb4814c259d40c5d9c5 Mon Sep 17 00:00:00 2001 -From: Werner Koch -Date: Thu, 19 Mar 2015 15:37:05 +0100 -Subject: [PATCH] hkps: Fix host name verification when using pools. - -* common/http.c (send_request): Set the requested for SNI. -* dirmngr/ks-engine-hkp.c (map_host): Return the poolname and not -the selecting a host. --- - -GnuPG-bug-id: 1792 - -Thanks to davidw for figuring out the problem. - -Signed-off-by: Werner Koch ---- - common/http.c | 6 ++++-- - dirmngr/ks-engine-hkp.c | 25 ++++++++++++++++++------- - 2 files changed, 22 insertions(+), 9 deletions(-) - -diff --git a/common/http.c b/common/http.c -index 50c0692..12e3fcb 100644 ---- a/common/http.c -+++ b/common/http.c -@@ -1443,7 +1443,8 @@ send_request (http_t hd, const char *httphost, const char *auth, - } - - # if HTTP_USE_NTBTLS -- err = ntbtls_set_hostname (hd->session->tls_session, server); -+ err = ntbtls_set_hostname (hd->session->tls_session, -+ hd->session->servername); - if (err) - { - log_info ("ntbtls_set_hostname failed: %s\n", gpg_strerror (err)); -@@ -1452,7 +1453,8 @@ send_request (http_t hd, const char *httphost, const char *auth, - # elif HTTP_USE_GNUTLS - rc = gnutls_server_name_set (hd->session->tls_session, - GNUTLS_NAME_DNS, -- server, strlen (server)); -+ hd->session->servername, -+ strlen (hd->session->servername)); - if (rc < 0) - log_info ("gnutls_server_name_set failed: %s\n", gnutls_strerror (rc)); - # endif /*HTTP_USE_GNUTLS*/ -diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c -index ea607cb..0568094 100644 ---- a/dirmngr/ks-engine-hkp.c -+++ b/dirmngr/ks-engine-hkp.c -@@ -521,6 +521,14 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, - hi = hosttable[idx]; - if (hi->pool) - { -+ /* Deal with the pool name before selecting a host. */ -+ if (r_poolname && hi->cname) -+ { -+ *r_poolname = xtrystrdup (hi->cname); -+ if (!*r_poolname) -+ return gpg_error_from_syserror (); -+ } -+ - /* If the currently selected host is now marked dead, force a - re-selection . */ - if (force_reselect) -@@ -536,6 +544,11 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, - if (hi->poolidx == -1) - { - log_error ("no alive host found in pool '%s'\n", name); -+ if (r_poolname) -+ { -+ xfree (*r_poolname); -+ *r_poolname = NULL; -+ } - return gpg_error (GPG_ERR_NO_KEYSERVER); - } - } -@@ -548,6 +561,11 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, - if (hi->dead) - { - log_error ("host '%s' marked as dead\n", hi->name); -+ if (r_poolname) -+ { -+ xfree (*r_poolname); -+ *r_poolname = NULL; -+ } - return gpg_error (GPG_ERR_NO_KEYSERVER); - } - -@@ -564,13 +582,6 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect, - *r_httpflags |= HTTP_FLAG_IGNORE_IPv6; - } - -- if (r_poolname && hi->pool && hi->cname) -- { -- *r_poolname = xtrystrdup (hi->cname); -- if (!*r_poolname) -- return gpg_error_from_syserror (); -- } -- - *r_host = xtrystrdup (hi->name); - if (!*r_host) - { --- -2.1.4 -