From 0febbaf009cb6adb38255274df3baa886cec0c86fc191140ddc37602038db21f Mon Sep 17 00:00:00 2001 From: Andreas Stieger Date: Fri, 4 Dec 2015 15:26:14 +0000 Subject: [PATCH] Accepting request 347464 from security:privacy 2.1.10 OBS-URL: https://build.opensuse.org/request/show/347464 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=122 --- gnupg-2.0.18-files-are-digests.patch | 54 +++++++++++----------- gnupg-2.1.10.tar.bz2 | 3 ++ gnupg-2.1.10.tar.bz2.sig | Bin 0 -> 287 bytes gnupg-2.1.9.tar.bz2 | 3 -- gnupg-2.1.9.tar.bz2.sig | Bin 287 -> 0 bytes gnupg-add_legacy_FIPS_mode_option.patch | 26 +++++------ gnupg-set_umask_before_open_outfile.patch | 12 ++--- gpg2.changes | 44 ++++++++++++++++++ gpg2.spec | 7 ++- 9 files changed, 98 insertions(+), 51 deletions(-) create mode 100644 gnupg-2.1.10.tar.bz2 create mode 100644 gnupg-2.1.10.tar.bz2.sig delete mode 100644 gnupg-2.1.9.tar.bz2 delete mode 100644 gnupg-2.1.9.tar.bz2.sig diff --git a/gnupg-2.0.18-files-are-digests.patch b/gnupg-2.0.18-files-are-digests.patch index 63fd170..961e5a0 100644 --- a/gnupg-2.0.18-files-are-digests.patch +++ b/gnupg-2.0.18-files-are-digests.patch @@ -4,11 +4,11 @@ g10/sign.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------ 3 files changed, 67 insertions(+), 6 deletions(-) -Index: gnupg-2.1.3/g10/gpg.c +Index: gnupg-2.1.10/g10/gpg.c =================================================================== ---- gnupg-2.1.3.orig/g10/gpg.c 2015-04-06 14:03:32.000000000 +0200 -+++ gnupg-2.1.3/g10/gpg.c 2015-04-11 20:45:24.000000000 +0200 -@@ -352,6 +352,7 @@ enum cmd_and_opt_values +--- gnupg-2.1.10.orig/g10/gpg.c 2015-12-04 14:25:25.749577555 +0100 ++++ gnupg-2.1.10/g10/gpg.c 2015-12-04 14:26:04.777192262 +0100 +@@ -355,6 +355,7 @@ enum cmd_and_opt_values oTTYtype, oLCctype, oLCmessages, 
@@ -16,23 +16,23 @@ Index: gnupg-2.1.3/g10/gpg.c oXauthority, oGroup, oUnGroup, -@@ -738,6 +739,7 @@ static ARGPARSE_OPTS opts[] = { - ARGPARSE_s_s (oPersonalCompressPreferences, - "personal-compress-preferences", "@"), - ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"), +@@ -757,6 +758,7 @@ static ARGPARSE_OPTS opts[] = { + ARGPARSE_s_s (oWeakDigest, "weak-digest","@"), + ARGPARSE_s_n (oUnwrap, "unwrap", "@"), + ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"), + ARGPARSE_s_n (oFilesAreDigests, "files-are-digests", "@"), /* Aliases. I constantly mistype these, and assume other people do as well. */ -@@ -2148,6 +2150,7 @@ main (int argc, char **argv) +@@ -2483,6 +2485,7 @@ main (int argc, char **argv) opt.def_cert_expire = "0"; set_homedir (default_homedir ()); opt.passphrase_repeat = 1; + opt.files_are_digests=0; opt.emit_version = 1; /* Limit to the major number. */ - - /* Check whether we have a config file on the command line. */ -@@ -2661,6 +2664,7 @@ main (int argc, char **argv) + opt.weak_digests = NULL; + additional_weak_digest("MD5"); +@@ -3022,6 +3025,7 @@ main (int argc, char **argv) opt.verify_options&=~VERIFY_SHOW_PHOTOS; break; case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; @@ -40,11 +40,11 @@ Index: gnupg-2.1.3/g10/gpg.c case oForceMDC: opt.force_mdc = 1; break; case oNoForceMDC: opt.force_mdc = 0; break; -Index: gnupg-2.1.3/g10/options.h +Index: gnupg-2.1.10/g10/options.h =================================================================== ---- gnupg-2.1.3.orig/g10/options.h 2015-04-06 13:41:53.000000000 +0200 -+++ gnupg-2.1.3/g10/options.h 2015-04-11 20:45:24.000000000 +0200 -@@ -194,6 +194,7 @@ struct +--- gnupg-2.1.10.orig/g10/options.h 2015-12-04 14:25:25.749577555 +0100 ++++ gnupg-2.1.10/g10/options.h 2015-12-04 14:25:28.472550675 +0100 +@@ -205,6 +205,7 @@ struct int no_auto_check_trustdb; int preserve_permissions; int no_homedir_creation; 
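Review bot: The `--files-are-digests` switch carried by this refreshed patch is registered as `ARGPARSE_s_n (oFilesAreDigests, "files-are-digests", "@"),`, and the `"@"` description keeps it out of the `--help` output; the patch's own file list (g10/gpg.c, g10/options.h, g10/sign.c) contains no doc/gpg.texi entry either. An option that changes what gets signed should be documented downstream, the way gnupg-add_legacy_FIPS_mode_option.patch in this same commit documents its switch in doc/gpg.texi. I would add an `@item --files-are-digests` paragraph to gpg.texi saying that each input file is taken as a precomputed digest instead of being hashed (inferred from the option name, since the sign.c additions lie outside these hunks), and that the caller is then responsible for the digest matching the intended data.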
@@ -52,10 +52,10 @@ Index: gnupg-2.1.3/g10/options.h struct groupitem *grouplist; int mangle_dos_filenames; int enable_progress_filter; -Index: gnupg-2.1.3/g10/sign.c +Index: gnupg-2.1.10/g10/sign.c =================================================================== ---- gnupg-2.1.3.orig/g10/sign.c 2015-04-05 19:43:32.000000000 +0200 -+++ gnupg-2.1.3/g10/sign.c 2015-04-11 20:45:24.000000000 +0200 +--- gnupg-2.1.10.orig/g10/sign.c 2015-12-04 14:25:25.750577545 +0100 ++++ gnupg-2.1.10/g10/sign.c 2015-12-04 14:25:28.473550666 +0100 @@ -41,7 +41,7 @@ #include "pkglue.h" #include "sysutils.h" @@ -65,7 +65,7 @@ Index: gnupg-2.1.3/g10/sign.c #ifdef HAVE_DOSISH_SYSTEM #define LF "\r\n" -@@ -706,8 +706,12 @@ write_signature_packets (SK_LIST sk_list +@@ -681,8 +681,12 @@ write_signature_packets (SK_LIST sk_list mk_notation_policy_etc (sig, NULL, pk); } @@ -78,7 +78,7 @@ Index: gnupg-2.1.3/g10/sign.c rc = do_sign (pk, sig, md, hash_for (pk), cache_nonce); gcry_md_close (md); -@@ -765,6 +769,8 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -740,6 +744,8 @@ sign_file (ctrl_t ctrl, strlist_t filena SK_LIST sk_rover = NULL; int multifile = 0; u32 duration=0; @@ -87,7 +87,7 @@ Index: gnupg-2.1.3/g10/sign.c pfx = new_progress_context (); afx = new_armor_context (); -@@ -781,7 +787,16 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -756,7 +762,16 @@ sign_file (ctrl_t ctrl, strlist_t filena fname = NULL; if( fname && filenames->next && (!detached || encryptflag) ) @@ -105,7 +105,7 @@ Index: gnupg-2.1.3/g10/sign.c if(encryptflag==2 && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) -@@ -802,7 +817,7 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -777,7 +792,7 @@ sign_file (ctrl_t ctrl, strlist_t filena goto leave; /* prepare iobufs */ 
@@ -114,7 +114,7 @@ Index: gnupg-2.1.3/g10/sign.c inp = NULL; /* we do it later */ else { inp = iobuf_open(fname); -@@ -940,7 +955,7 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -915,7 +930,7 @@ sign_file (ctrl_t ctrl, strlist_t filena for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) gcry_md_enable (mfx.md, hash_for (sk_rover->pk)); @@ -123,7 +123,7 @@ Index: gnupg-2.1.3/g10/sign.c iobuf_push_filter( inp, md_filter, &mfx ); if( detached && !encryptflag) -@@ -995,6 +1010,8 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -970,6 +985,8 @@ sign_file (ctrl_t ctrl, strlist_t filena write_status_begin_signing (mfx.md); @@ -132,7 +132,7 @@ Index: gnupg-2.1.3/g10/sign.c /* Setup the inner packet. */ if( detached ) { if( multifile ) { -@@ -1035,6 +1052,45 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -1010,6 +1027,45 @@ sign_file (ctrl_t ctrl, strlist_t filena if( opt.verbose ) log_printf ("\n"); } @@ -178,7 +178,7 @@ Index: gnupg-2.1.3/g10/sign.c else { /* read, so that the filter can calculate the digest */ while( iobuf_get(inp) != -1 ) -@@ -1052,8 +1108,8 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -1027,8 +1083,8 @@ sign_file (ctrl_t ctrl, strlist_t filena /* write the signatures */ rc = write_signature_packets (sk_list, out, mfx.md, diff --git a/gnupg-2.1.10.tar.bz2 b/gnupg-2.1.10.tar.bz2 new file mode 100644 index 0000000..2e85c2a --- /dev/null +++ b/gnupg-2.1.10.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:93bd58d81771a4fa488566e5d2e13b1fd7afc86789401eb41731882abfd26cf9 +size 5173253 
diff --git a/gnupg-2.1.10.tar.bz2.sig b/gnupg-2.1.10.tar.bz2.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..2eeb7c0a3131bf44e772a48baa89cd218475e56bf4a4bce6ecb8c5f4d631d91e GIT binary patch literal 287 zcmV+)0pR|L0UQJX0SEvF1p-!KaD@O02@oWkInqxhK zjdFa=@BSmOM^RJdPpFtZ53=nN9KB^A-!Nbl+nR9?TE3M{YLlDoRg$V`Z`)EWRm6MG zTbLb$JmhNX<}LKS@gNIMS35xy7?ZB%+2@z87SI&)1bnv?Whd0qf#cc2T~rF zB`gTs@NdWcQ=g}1e6m4XHEouTpg|EG;-vk&oDZ7d9ukkV4K%s+&V;NIN0|SytsT(j lVHk67Ja=t;TMO4syF^KFdh!R?e`0c&lYXI7P{Co>*19cLi4gz* literal 0 HcmV?d00001 diff --git a/gnupg-2.1.9.tar.bz2 b/gnupg-2.1.9.tar.bz2 deleted file mode 100644 index b91f218..0000000 --- a/gnupg-2.1.9.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1cb7633a57190beb66f9249cb7446603229b273d4d89331b75c652fa4a29f7b6 -size 4925167 diff --git a/gnupg-2.1.9.tar.bz2.sig b/gnupg-2.1.9.tar.bz2.sig deleted file mode 100644 index 5f516cc90afbe6d4ef0684e44fa05560f8419e08fb62ba0cb0412795b22e5eb7..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 287 zcmV+)0pR|L0UQJX0SEvF1p-zV;6nfk2@oWkInqxhBN38n+fJ5e(&cwlgqVIwbS>Arq!He(@J2uz9bKN*Q4Ie-G+LMaf~@IWV|{rZa7 zSz<%W&+Mp_n|_@&KPO zr&p%?NgG7z&Pr*}V{R>3sCaKnfX+sic;Rz7MY74)Ik@xKN{EPcn5ZiGNjrF>&k%X{ l^7=NJovj=x5_=Yb4Cb2=D1k;bA3Ci#spquedvWB@US+G7gu4I$ diff --git a/gnupg-add_legacy_FIPS_mode_option.patch b/gnupg-add_legacy_FIPS_mode_option.patch index 1ce8325..968bc34 100644 --- a/gnupg-add_legacy_FIPS_mode_option.patch +++ b/gnupg-add_legacy_FIPS_mode_option.patch 
@@ -3,11 +3,11 @@ g10/gpg.c | 9 +++++++++ 2 files changed, 27 insertions(+) -Index: gnupg-2.1.9/doc/gpg.texi +Index: gnupg-2.1.10/doc/gpg.texi =================================================================== ---- gnupg-2.1.9.orig/doc/gpg.texi -+++ gnupg-2.1.9/doc/gpg.texi -@@ -1778,6 +1778,24 @@ implies, this option is for experts only +--- gnupg-2.1.10.orig/doc/gpg.texi 2015-12-04 14:28:28.840769433 +0100 ++++ gnupg-2.1.10/doc/gpg.texi 2015-12-04 14:28:33.784720588 +0100 +@@ -1875,6 +1875,24 @@ implies, this option is for experts only understand the implications of what it allows you to do, leave this off. @option{--no-expert} disables this option. @@ -32,19 +32,19 @@ Index: gnupg-2.1.9/doc/gpg.texi @end table -Index: gnupg-2.1.9/g10/gpg.c +Index: gnupg-2.1.10/g10/gpg.c =================================================================== ---- gnupg-2.1.9.orig/g10/gpg.c -+++ gnupg-2.1.9/g10/gpg.c -@@ -386,6 +386,7 @@ enum cmd_and_opt_values - oNoAutostart, - oPrintPKARecords, - oPrintDANERecords, +--- gnupg-2.1.10.orig/g10/gpg.c 2015-12-04 14:28:28.843769403 +0100 ++++ gnupg-2.1.10/g10/gpg.c 2015-12-04 14:29:04.084421214 +0100 +@@ -394,6 +394,7 @@ enum cmd_and_opt_values + oWeakDigest, + oUnwrap, + oOnlySignTextIDs, + oSetLegacyFips, oNoop }; -@@ -780,6 +781,7 @@ static ARGPARSE_OPTS opts[] = { +@@ -796,6 +797,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"), ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"), ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"), @@ -52,7 +52,7 @@ Index: gnupg-2.1.9/g10/gpg.c /* These two are aliases to help users of the PGP command line product use gpg with minimal pain. Many commands are common -@@ -3188,6 +3190,13 @@ main (int argc, char **argv) +@@ -3556,6 +3558,13 @@ main (int argc, char **argv) case oNoAutostart: opt.autostart = 0; break; 
diff --git a/gnupg-set_umask_before_open_outfile.patch b/gnupg-set_umask_before_open_outfile.patch index 39eb8c2..b18e04b 100644 --- a/gnupg-set_umask_before_open_outfile.patch +++ b/gnupg-set_umask_before_open_outfile.patch @@ -1,7 +1,7 @@ -Index: gnupg-2.1.0/g10/plaintext.c +Index: gnupg-2.1.10/g10/plaintext.c =================================================================== ---- gnupg-2.1.0.orig/g10/plaintext.c 2014-11-07 11:35:18.100563974 +0100 -+++ gnupg-2.1.0/g10/plaintext.c 2014-11-07 16:51:59.919347340 +0100 +--- gnupg-2.1.10.orig/g10/plaintext.c 2015-11-30 17:39:52.000000000 +0100 ++++ gnupg-2.1.10/g10/plaintext.c 2015-12-04 14:26:56.876677813 +0100 @@ -25,6 +25,7 @@ #include #include @@ -18,9 +18,9 @@ Index: gnupg-2.1.0/g10/plaintext.c +#define GPG_SAFE_PERMS (S_IRUSR | S_IWUSR) +#define GPG_SAFE_UMASK (0777 & ~GPG_SAFE_PERMS) - /* Handle a plaintext packet. If MFX is not NULL, update the MDs - * Note: We should have used the filter stuff here, but we have to add -@@ -169,11 +173,15 @@ handle_plaintext (PKT_plaintext * pt, md + /* Get the output filename. On success, the actual filename that is + used is set in *FNAMEP and a filepointer is returned in *FP. +@@ -146,11 +150,15 @@ get_output_file (const byte *embedded_na log_error (_("error creating '%s': %s\n"), fname, gpg_strerror (err)); goto leave; } diff --git a/gpg2.changes b/gpg2.changes index 1448cfc..0400288 100644 --- a/gpg2.changes +++ b/gpg2.changes 
@@ -1,9 +1,53 @@
+-------------------------------------------------------------------
+Fri Dec 4 13:35:40 UTC 2015 - astieger@suse.com
+
+- GnuPG 2.1.10 adds TOFU (Trust-On-First-USe) and anonymous key
+ retrival via Tor.
+ * gpg: New trust models "tofu" and "tofu+pgp".
+ * gpg: New command --tofu-policy. New options --tofu-default-policy
+ and --tofu-db-format.
+ * gpg: New option --weak-digest to specify hash algorithms which
+ should be considered weak.
+ * gpg: Allow the use of multiple --default-key options; take the last
+ available key.
+ * gpg: New option --encrypt-to-default-key.
+ * gpg: New option --unwrap to only strip the encryption layer.
+ * gpg: New option --only-sign-text-ids to exclude photo IDs from key
+ signing.
+ * gpg: Check for ambigious or non-matching key specification in the
+ config file or given to --encrypt-to.
+ * gpg: Show the used card reader with --card-status.
+ * gpg: Print export statistics and an EXPORTED status line.
+ * gpg: Allow selecting subkeys by keyid in --edit-key.
+ * gpg: Allow updating the expiration time of multiple subkeys at
+ once.
+ * dirmngr: New option --use-tor. For full support this requires
+ libassuan version 2.4.2 and a patched version of libadns
+ (e.g. adns-1.4-g10-7 as used by the standard Windows installer).
+ * dirmngr: New option --nameserver to specify the nameserver used in
+ Tor mode.
+ * dirmngr: Keyservers may again be specified by IP address.
+ * dirmngr: Fixed problems in resolving keyserver pools.
+ * dirmngr: Fixed handling of premature termination of TLS streams so
+ that large numbers of keys can be refreshed via hkps.
+ * gpg: Fixed a regression in --locate-key [since 2.1.9].
+ * gpg: Fixed another bug for keyrings with legacy keys.
+ * gpgsm: Allow combinations of usage flags in --gen-key.
+ * Make tilde expansion work with most options.
+ * Many other cleanups and bug fixes.
+ ------------------------------------------------------------------- Tue Nov 24 10:27:58 UTC 2015 - vcizek@suse.com - enable tests for PPC64 again, the problem from bsc#935887 went away +------------------------------------------------------------------- +Fri Nov 20 16:03:03 UTC 2015 - astieger@suse.com + +- Improve upgrade to gpg2 from security:privacy w.r.t. libassuan + run-time dependencies (boo#955982) + ------------------------------------------------------------------- Sat Oct 10 11:39:55 UTC 2015 - astieger@suse.com diff --git a/gpg2.spec b/gpg2.spec index 2d21dec..b3f10d7 100644 --- a/gpg2.spec +++ b/gpg2.spec @@ -17,7 +17,7 @@ Name: gpg2 -Version: 2.1.9 +Version: 2.1.10 Release: 0 Summary: GnuPG 2 License: GPL-3.0+ @@ -38,7 +38,7 @@ BuildRequires: expect BuildRequires: fdupes BuildRequires: gnutls-devel >= 3.0 BuildRequires: libadns-devel -BuildRequires: libassuan-devel >= 2.1.0 +BuildRequires: libassuan-devel >= 2.4.1 BuildRequires: libbz2-devel BuildRequires: libcurl-devel >= 7.10 # patch11 (gnupg-add_legacy_FIPS_mode_option.patch) mentions GCRYCTL_INACTIVATE_FIPS_FLAG @@ -52,7 +52,10 @@ BuildRequires: npth-devel >= 0.91 BuildRequires: openldap2-devel BuildRequires: pkg-config BuildRequires: readline-devel +BuildRequires: sqlite3-devel >= 3.7 BuildRequires: zlib-devel +# Add an explicit runtime dependency to match boo#955982 +Requires: libassuan0 >= 2.4.1 Requires: pinentry # FIXME: use proper Requires(pre/post/preun/...) PreReq: %{install_info_prereq}
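Review bot: The libassuan floor of 2.4.1 set in `BuildRequires: libassuan-devel >= 2.4.1` (hunk at -38,7) and in the added `Requires: libassuan0 >= 2.4.1` (hunk at -52,7) is lower than the 2.4.2 that this commit's own gpg2.changes entry names as needed for full `dirmngr --use-tor` support. With 2.4.1 the package still builds and installs, so a user who relies on Tor mode for anonymous key retrieval may get a partially working feature without any packaging signal. Either raise both constraints to `>= 2.4.2`, or record the decision next to the dependency, e.g. `# dirmngr --use-tor needs libassuan >= 2.4.2 for full support; 2.4.1 is the minimum to build`. The changelog also says Tor mode needs a patched libadns, which the unchanged `BuildRequires: libadns-devel` line does not express; whether the distribution's libadns carries that patch is not visible here.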