diff --git a/0001-gpg-Improve-the-keyblock-cache-s-transparency.patch b/0001-gpg-Improve-the-keyblock-cache-s-transparency.patch
new file mode 100644
index 0000000..d3f80b1
--- /dev/null
+++ b/0001-gpg-Improve-the-keyblock-cache-s-transparency.patch
@@ -0,0 +1,105 @@
+From 2e4e10c1dcd8dfeafec51f44ebf26acfeb770c41 Mon Sep 17 00:00:00 2001
+From: "Neal H. Walfield"
+Date: Tue, 15 Dec 2015 12:21:30 +0100
+Subject: [PATCH] gpg: Improve the keyblock cache's transparency.
+
+* kbx/keybox-search.c (keybox_offset): New function.
+* g10/keydb.c (struct keyblock_cache): Add fields resource and offset.
+(keyblock_cache_clear): Reset HD->KEYBLOCK_CACHE.RESOURCE and
+HD->KEYBLOCK_CACHE.OFFSET.
+(keydb_search): Don't use the cached result if it comes before the
+current file position. When caching an entry, also record the
+position at which it was found.
+
+--
+Signed-off-by: Neal H. Walfield
+GnuPG-bug-id: 2187
+---
+ g10/keydb.c | 19 ++++++++++++++++++-
+ kbx/keybox-search.c | 8 ++++++++
+ kbx/keybox.h | 2 ++
+ 3 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/g10/keydb.c b/g10/keydb.c
+index d7c35de..860187f 100644
+--- a/g10/keydb.c
++++ b/g10/keydb.c
+@@ -81,6 +81,9 @@ struct keyblock_cache {
+ u32 *sigstatus;
+ int pk_no;
+ int uid_no;
++ /* Offset of the record in the keybox. */
++ int resource;
++ off_t offset;
+ };
+
+
+@@ -245,6 +248,8 @@ keyblock_cache_clear (struct keydb_handle *hd)
+ hd->keyblock_cache.sigstatus = NULL;
+ iobuf_close (hd->keyblock_cache.iobuf);
+ hd->keyblock_cache.iobuf = NULL;
++ hd->keyblock_cache.resource = -1;
++ hd->keyblock_cache.offset = -1;
+ }
+
+
+@@ -1701,7 +1706,13 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
+ && (desc[0].mode == KEYDB_SEARCH_MODE_FPR20
+ || desc[0].mode == KEYDB_SEARCH_MODE_FPR)
+ && hd->keyblock_cache.state == KEYBLOCK_CACHE_FILLED
+- && !memcmp (hd->keyblock_cache.fpr, desc[0].u.fpr, 20))
++ && !memcmp (hd->keyblock_cache.fpr, desc[0].u.fpr, 20)
++ /* Make sure the current file position occurs before the cached
++ result to avoid an infinite loop. */
++ && (hd->current < hd->keyblock_cache.resource
++ || (hd->current == hd->keyblock_cache.resource
++ && (keybox_offset (hd->active[hd->current].u.kb)
++ <= hd->keyblock_cache.offset))))
+ {
+ /* (DESCINDEX is already set). */
+ if (DBG_CLOCK)
+@@ -1772,6 +1783,12 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
+ && hd->active[hd->current].type == KEYDB_RESOURCE_TYPE_KEYBOX)
+ {
+ hd->keyblock_cache.state = KEYBLOCK_CACHE_PREPARED;
++ hd->keyblock_cache.resource = hd->current;
++ /* The current offset is at the start of the next record. Since
++ a record is at least 1 byte, we just use offset - 1, which is
++ within the record. */
++ hd->keyblock_cache.offset
++ = keybox_offset (hd->active[hd->current].u.kb) - 1;
+ memcpy (hd->keyblock_cache.fpr, desc[0].u.fpr, 20);
+ }
+
+diff --git a/kbx/keybox-search.c b/kbx/keybox-search.c
+index 78e0c23..df959b6 100644
+--- a/kbx/keybox-search.c
++++ b/kbx/keybox-search.c
+@@ -1188,3 +1188,11 @@ keybox_get_flags (KEYBOX_HANDLE hd, int what, int idx, unsigned int *value)
+ ec = get_flag_from_image (buffer, length, what, value);
+ return ec? gpg_error (ec):0;
+ }
++
++off_t
++keybox_offset (KEYBOX_HANDLE hd)
++{
++ if (!hd->fp)
++ return 0;
++ return ftello (hd->fp);
++}
+diff --git a/kbx/keybox.h b/kbx/keybox.h
+index 8c31141..c91a282 100644
+--- a/kbx/keybox.h
++++ b/kbx/keybox.h
+@@ -77,6 +77,8 @@ int keybox_set_ephemeral (KEYBOX_HANDLE hd, int yes);
+
+ int keybox_lock (KEYBOX_HANDLE hd, int yes);
+
++off_t keybox_offset (KEYBOX_HANDLE hd);
++
+ /*-- keybox-file.c --*/
+ /* Fixme: This function does not belong here: Provide a better
+ interface to create a new keybox file. */
+--
+2.6.2
+
diff --git a/gpg2.changes b/gpg2.changes
index 8209510..5db5fee 100644
--- a/gpg2.changes
+++ b/gpg2.changes
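Review bot: `keybox_offset` in kbx/keybox-search.c returns `ftello (hd->fp)` unchecked, so a failed call yields -1, and in the new `keydb_search` guard `-1 <= hd->keyblock_cache.offset` holds for every valid cached offset; the cached keyblock would then be reused exactly when the file position is unknown, which is the case the guard is there to exclude. The helper also returns 0 when `hd->fp` is NULL, which cannot be told apart from a real position at the start of the file, and the caching site would then store `0 - 1`, the same -1 that `keyblock_cache_clear` uses for "unset". I would treat a negative position as a cache miss, for example by adding `&& keybox_offset (hd->active[hd->current].u.kb) >= 0` inside the `hd->current == hd->keyblock_cache.resource` branch, and state the return contract (negative on error, 0 without an open file) in a comment on the prototype in kbx/keybox.h. The comment `/* Offset of the record in the keybox. */` in `struct keyblock_cache` sits above `int resource` rather than `off_t offset` and should be moved or split into one comment per field. `keydb_search` starts and ends outside the hunks shown, so whether an existing error path already covers this cannot be seen here.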
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jan 19 13:56:58 UTC 2016 - vcizek@suse.com
+
+- fix fingerprint ambiguity (bsc#958891)
+ * https://bugs.gnupg.org/gnupg/issue2198
+ * add 0001-gpg-Improve-the-keyblock-cache-s-transparency.patch
+
 -------------------------------------------------------------------
 Sun Dec 6 14:14:45 UTC 2015 - p.drouand@gmail.com
diff --git a/gpg2.spec b/gpg2.spec
index a8d3136..faceafb 100644
--- a/gpg2.spec
+++ b/gpg2.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package gpg2
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -34,6 +34,7 @@ Patch6: gnupg-dont-fail-with-seahorse-agent.patch
 Patch8: gnupg-set_umask_before_open_outfile.patch
 Patch9: gnupg-detect_FIPS_mode.patch
 Patch11: gnupg-add_legacy_FIPS_mode_option.patch
+Patch12: 0001-gpg-Improve-the-keyblock-cache-s-transparency.patch
 BuildRequires: expect
 BuildRequires: fdupes
 BuildRequires: libadns-devel
@@ -84,6 +85,7 @@ gpg-agent, and a keybox library.
 %patch8 -p1
 %patch9 -p1
 %patch11 -p1
+%patch12 -p1
 %build
 # build PIEs (position independent executables) for address space randomisation: