Accepting request 266596 from Base:System


OBS-URL: https://build.opensuse.org/request/show/266596
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=84
Stephan Kulow 2015-01-21 20:50:33 +00:00 committed by Git OBS Bridge
commit 372453258c
11 changed files with 93 additions and 140 deletions


@ -4,10 +4,10 @@
g10/sign.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++----- g10/sign.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
3 files changed, 66 insertions(+), 5 deletions(-) 3 files changed, 66 insertions(+), 5 deletions(-)
Index: gnupg-2.1.0/g10/gpg.c Index: gnupg-2.1.1/g10/gpg.c
=================================================================== ===================================================================
--- gnupg-2.1.0.orig/g10/gpg.c 2014-11-07 11:35:21.599605797 +0100 --- gnupg-2.1.1.orig/g10/gpg.c
+++ gnupg-2.1.0/g10/gpg.c 2014-11-07 16:50:14.742067262 +0100 +++ gnupg-2.1.1/g10/gpg.c
@@ -349,6 +349,7 @@ enum cmd_and_opt_values @@ -349,6 +349,7 @@ enum cmd_and_opt_values
oTTYtype, oTTYtype,
oLCctype, oLCctype,
@ -16,7 +16,7 @@ Index: gnupg-2.1.0/g10/gpg.c
oXauthority, oXauthority,
oGroup, oGroup,
oUnGroup, oUnGroup,
@@ -733,6 +734,7 @@ static ARGPARSE_OPTS opts[] = { @@ -730,6 +731,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_s (oPersonalCompressPreferences, ARGPARSE_s_s (oPersonalCompressPreferences,
"personal-compress-preferences", "@"), "personal-compress-preferences", "@"),
ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"), ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
@ -24,7 +24,7 @@ Index: gnupg-2.1.0/g10/gpg.c
/* Aliases. I constantly mistype these, and assume other people do /* Aliases. I constantly mistype these, and assume other people do
as well. */ as well. */
@@ -2126,6 +2128,7 @@ main (int argc, char **argv) @@ -2125,6 +2127,7 @@ main (int argc, char **argv)
opt.def_cert_expire = "0"; opt.def_cert_expire = "0";
set_homedir (default_homedir ()); set_homedir (default_homedir ());
opt.passphrase_repeat = 1; opt.passphrase_repeat = 1;
@ -40,11 +40,11 @@ Index: gnupg-2.1.0/g10/gpg.c
case oForceMDC: opt.force_mdc = 1; break; case oForceMDC: opt.force_mdc = 1; break;
case oNoForceMDC: opt.force_mdc = 0; break; case oNoForceMDC: opt.force_mdc = 0; break;
Index: gnupg-2.1.0/g10/options.h Index: gnupg-2.1.1/g10/options.h
=================================================================== ===================================================================
--- gnupg-2.1.0.orig/g10/options.h 2014-11-07 11:35:21.599605797 +0100 --- gnupg-2.1.1.orig/g10/options.h
+++ gnupg-2.1.0/g10/options.h 2014-11-07 16:49:59.770885017 +0100 +++ gnupg-2.1.1/g10/options.h
@@ -193,6 +193,7 @@ struct @@ -192,6 +192,7 @@ struct
int no_auto_check_trustdb; int no_auto_check_trustdb;
int preserve_permissions; int preserve_permissions;
int no_homedir_creation; int no_homedir_creation;
@ -52,13 +52,13 @@ Index: gnupg-2.1.0/g10/options.h
struct groupitem *grouplist; struct groupitem *grouplist;
int mangle_dos_filenames; int mangle_dos_filenames;
int enable_progress_filter; int enable_progress_filter;
Index: gnupg-2.1.0/g10/sign.c Index: gnupg-2.1.1/g10/sign.c
=================================================================== ===================================================================
--- gnupg-2.1.0.orig/g10/sign.c 2014-11-07 11:35:21.599605797 +0100 --- gnupg-2.1.1.orig/g10/sign.c
+++ gnupg-2.1.0/g10/sign.c 2014-11-07 17:13:40.128218081 +0100 +++ gnupg-2.1.1/g10/sign.c
@@ -703,8 +703,12 @@ write_signature_packets (SK_LIST sk_list @@ -706,8 +706,12 @@ write_signature_packets (SK_LIST sk_list
build_sig_subpkt_from_sig (sig); mk_notation_policy_etc (sig, NULL, pk);
mk_notation_policy_etc (sig, pk, NULL); }
+ if (!opt.files_are_digests) { + if (!opt.files_are_digests) {
hash_sigversion_to_magic (md, sig); hash_sigversion_to_magic (md, sig);
@ -69,7 +69,7 @@ Index: gnupg-2.1.0/g10/sign.c
rc = do_sign (pk, sig, md, hash_for (pk), cache_nonce); rc = do_sign (pk, sig, md, hash_for (pk), cache_nonce);
gcry_md_close (md); gcry_md_close (md);
@@ -762,6 +766,8 @@ sign_file (ctrl_t ctrl, strlist_t filena @@ -765,6 +769,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
SK_LIST sk_rover = NULL; SK_LIST sk_rover = NULL;
int multifile = 0; int multifile = 0;
u32 duration=0; u32 duration=0;
@ -78,7 +78,7 @@ Index: gnupg-2.1.0/g10/sign.c
pfx = new_progress_context (); pfx = new_progress_context ();
afx = new_armor_context (); afx = new_armor_context ();
@@ -778,7 +784,16 @@ sign_file (ctrl_t ctrl, strlist_t filena @@ -781,7 +787,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
fname = NULL; fname = NULL;
if( fname && filenames->next && (!detached || encryptflag) ) if( fname && filenames->next && (!detached || encryptflag) )
@ -96,7 +96,7 @@ Index: gnupg-2.1.0/g10/sign.c
if(encryptflag==2 if(encryptflag==2
&& (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
@@ -799,7 +814,7 @@ sign_file (ctrl_t ctrl, strlist_t filena @@ -802,7 +817,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
goto leave; goto leave;
/* prepare iobufs */ /* prepare iobufs */
@ -105,7 +105,7 @@ Index: gnupg-2.1.0/g10/sign.c
inp = NULL; /* we do it later */ inp = NULL; /* we do it later */
else { else {
inp = iobuf_open(fname); inp = iobuf_open(fname);
@@ -938,7 +953,7 @@ sign_file (ctrl_t ctrl, strlist_t filena @@ -940,7 +955,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
gcry_md_enable (mfx.md, hash_for (sk_rover->pk)); gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
@ -114,7 +114,7 @@ Index: gnupg-2.1.0/g10/sign.c
iobuf_push_filter( inp, md_filter, &mfx ); iobuf_push_filter( inp, md_filter, &mfx );
if( detached && !encryptflag) if( detached && !encryptflag)
@@ -993,6 +1008,8 @@ sign_file (ctrl_t ctrl, strlist_t filena @@ -995,6 +1010,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
write_status_begin_signing (mfx.md); write_status_begin_signing (mfx.md);
@ -123,7 +123,7 @@ Index: gnupg-2.1.0/g10/sign.c
/* Setup the inner packet. */ /* Setup the inner packet. */
if( detached ) { if( detached ) {
if( multifile ) { if( multifile ) {
@@ -1033,6 +1050,45 @@ sign_file (ctrl_t ctrl, strlist_t filena @@ -1035,6 +1052,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
if( opt.verbose ) if( opt.verbose )
putc( '\n', stderr ); putc( '\n', stderr );
} }
@ -169,7 +169,7 @@ Index: gnupg-2.1.0/g10/sign.c
else { else {
/* read, so that the filter can calculate the digest */ /* read, so that the filter can calculate the digest */
while( iobuf_get(inp) != -1 ) while( iobuf_get(inp) != -1 )
@@ -1050,8 +1106,8 @@ sign_file (ctrl_t ctrl, strlist_t filena @@ -1052,8 +1108,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
/* write the signatures */ /* write the signatures */
rc = write_signature_packets (sk_list, out, mfx.md, rc = write_signature_packets (sk_list, out, mfx.md,
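Review bot: The refreshed context at the write_signature_packets hunk shows the surrounding upstream code was restructured, not merely shifted: `mk_notation_policy_etc (sig, pk, NULL)` became `mk_notation_policy_etc (sig, NULL, pk)` and a closing `}` now precedes the added `if (!opt.files_are_digests) {`. A pure offset refresh does not establish that the files_are_digests guard still wraps the same hashing statements, so the refreshed hunk is worth reading against the 2.1.1 body of write_signature_packets rather than trusting that the patch applied cleanly. Both write_signature_packets and sign_file continue outside the visible hunks.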


@ -1,7 +1,7 @@
Index: tools/Makefile.am Index: tools/Makefile.am
=================================================================== ===================================================================
--- tools/Makefile.am.orig 2014-11-06 18:12:17.743916141 +0100 --- tools/Makefile.am.orig
+++ tools/Makefile.am 2014-11-06 18:13:17.073677366 +0100 +++ tools/Makefile.am
@@ -36,8 +36,8 @@ sbin_SCRIPTS = addgnupghome applygnupgde @@ -36,8 +36,8 @@ sbin_SCRIPTS = addgnupghome applygnupgde
bin_SCRIPTS = gpgsm-gencert.sh bin_SCRIPTS = gpgsm-gencert.sh
@ -30,4 +30,4 @@ Index: tools/Makefile.am
+noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert +noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert
endif endif
common_libs = $(libcommon) ../gl/libgnu.a common_libs = $(libcommon)


@ -1,77 +0,0 @@
From: Werner Koch <wk@gnupg.org>
Date: Tue, 25 Nov 2014 11:58:56 +0100
Subject: [PATCH] Fix buffer overflow in openpgp_oid_to_str.
References: boo#907198 http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8445ef24fc31e1fe0291e17f90f9f06b536e34da
Upstream: committed
* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
* common/t-openpgp-oid.c (BADOID): New.
(test_openpgp_oid_to_str): Add test cases.
--
The code has an obvious error by not considering invalid encoding for
arc-2. A first byte of 0x80 can be used to make a value of less then
80 and we then subtract 80 from that value as required by the OID
encoding rules. Due to the unsigned integer this results in a pretty
long value which won't fit anymore into the allocated buffer.
The fix is obvious. Also added a few simple test cases. Note that we
keep on using sprintf instead of snprintf because managing the
remaining length of the buffer would probably be more error prone than
assuring that the buffer is large enough. Getting rid of sprintf
altogether by using direct conversion along with membuf_t like code
might be possible.
Reported-by: Hanno Böck
Signed-off-by: Werner Koch <wk@gnupg.org>
Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
---
common/openpgp-oid.c | 2 ++
common/t-openpgp-oid.c | 9 +++++++++
2 files changed, 11 insertions(+)
diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
index 010c23f..d3d1f2a 100644
--- a/common/openpgp-oid.c
+++ b/common/openpgp-oid.c
@@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
val <<= 7;
val |= buf[n] & 0x7f;
}
+ if (val < 80)
+ goto badoid;
val -= 80;
sprintf (p, "2.%lu", val);
p += strlen (p);
diff --git a/common/t-openpgp-oid.c b/common/t-openpgp-oid.c
index 79e5a70..5cd778d 100644
--- a/common/t-openpgp-oid.c
+++ b/common/t-openpgp-oid.c
@@ -32,6 +32,9 @@
} while(0)
+#define BADOID "1.3.6.1.4.1.11591.2.12242973"
+
+
static void
test_openpgp_oid_from_str (void)
{
@@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
{ "1.3.132.0.35",
{ 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},
+ { BADOID,
+ { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
+
+ { BADOID,
+ { 1, 0x80 }},
+
{ NULL }};
gcry_mpi_t a;
int idx;
--
1.7.10.4


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:16a8c3f50a15bf37d2dfb1c5e4bb3ec533e1d0b6a4043ff3680a376a3ad4058b
size 3111585

Binary file not shown.

gnupg-2.1.1.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:70ecd01d2875db62624c911c2fd815742f50aef5492698eb3bfc09a08690ce49
size 4801472

gnupg-2.1.1.tar.bz2.sig Normal file

Binary file not shown.


@ -3,11 +3,11 @@
g10/gpg.c | 9 +++++++++ g10/gpg.c | 9 +++++++++
2 files changed, 27 insertions(+) 2 files changed, 27 insertions(+)
Index: gnupg-2.1.0/doc/gpg.texi Index: gnupg-2.1.1/doc/gpg.texi
=================================================================== ===================================================================
--- gnupg-2.1.0.orig/doc/gpg.texi 2014-11-06 18:31:32.218688065 +0100 --- gnupg-2.1.1.orig/doc/gpg.texi
+++ gnupg-2.1.0/doc/gpg.texi 2014-11-06 18:31:33.871709178 +0100 +++ gnupg-2.1.1/doc/gpg.texi
@@ -1828,6 +1828,24 @@ implies, this option is for experts only @@ -1842,6 +1842,24 @@ implies, this option is for experts only
understand the implications of what it allows you to do, leave this understand the implications of what it allows you to do, leave this
off. @option{--no-expert} disables this option. off. @option{--no-expert} disables this option.
@ -32,19 +32,19 @@ Index: gnupg-2.1.0/doc/gpg.texi
@end table @end table
Index: gnupg-2.1.0/g10/gpg.c Index: gnupg-2.1.1/g10/gpg.c
=================================================================== ===================================================================
--- gnupg-2.1.0.orig/g10/gpg.c 2014-11-06 18:31:32.220688090 +0100 --- gnupg-2.1.1.orig/g10/gpg.c
+++ gnupg-2.1.0/g10/gpg.c 2014-11-06 18:32:03.833091859 +0100 +++ gnupg-2.1.1/g10/gpg.c
@@ -380,6 +380,7 @@ enum cmd_and_opt_values @@ -381,6 +381,7 @@ enum cmd_and_opt_values
oNoAllowMultipleMessages,
oAllowWeakDigestAlgos, oAllowWeakDigestAlgos,
oFakedSystemTime, oFakedSystemTime,
oNoAutostart,
+ oSetLegacyFips, + oSetLegacyFips,
oNoop oNoop
}; };
@@ -772,6 +773,7 @@ static ARGPARSE_OPTS opts[] = { @@ -769,6 +770,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"), ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"),
ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"), ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"), ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
@ -52,9 +52,9 @@ Index: gnupg-2.1.0/g10/gpg.c
/* These two are aliases to help users of the PGP command line /* These two are aliases to help users of the PGP command line
product use gpg with minimal pain. Many commands are common product use gpg with minimal pain. Many commands are common
@@ -3138,6 +3140,13 @@ main (int argc, char **argv) @@ -3134,6 +3136,13 @@ main (int argc, char **argv)
}
break; case oNoAutostart: opt.autostart = 0; break;
+ case oSetLegacyFips: + case oSetLegacyFips:
+ if(gcry_fips_mode_active()) + if(gcry_fips_mode_active())


@ -1,7 +1,7 @@
Index: gnupg-2.1.0/g10/encrypt.c Index: gnupg-2.1.1/g10/encrypt.c
=================================================================== ===================================================================
--- gnupg-2.1.0.orig/g10/encrypt.c 2014-11-06 18:27:35.176659675 +0100 --- gnupg-2.1.1.orig/g10/encrypt.c
+++ gnupg-2.1.0/g10/encrypt.c 2014-11-06 18:29:10.987883901 +0100 +++ gnupg-2.1.1/g10/encrypt.c
@@ -783,7 +783,10 @@ encrypt_filter (void *opaque, int contro @@ -783,7 +783,10 @@ encrypt_filter (void *opaque, int contro
/* Because 3DES is implicitly in the prefs, this can /* Because 3DES is implicitly in the prefs, this can
only happen if we do not have any public keys in only happen if we do not have any public keys in
@ -14,14 +14,14 @@ Index: gnupg-2.1.0/g10/encrypt.c
} }
/* In case 3DES has been selected, print a warning if /* In case 3DES has been selected, print a warning if
Index: gnupg-2.1.0/g10/mainproc.c Index: gnupg-2.1.1/g10/mainproc.c
=================================================================== ===================================================================
--- gnupg-2.1.0.orig/g10/mainproc.c 2014-11-06 18:27:33.243634973 +0100 --- gnupg-2.1.1.orig/g10/mainproc.c
+++ gnupg-2.1.0/g10/mainproc.c 2014-11-06 18:27:35.178659700 +0100 +++ gnupg-2.1.1/g10/mainproc.c
@@ -690,9 +690,15 @@ proc_plaintext( CTX c, PACKET *pkt ) @@ -719,7 +719,12 @@ proc_plaintext( CTX c, PACKET *pkt )
often. There is no good way to specify what algorithms to according to 2440, so hopefully it won't come up that often.
use in that case, so these three are the historical There is no good way to specify what algorithms to use in
answer. */ that case, so these there are the historical answer. */
- gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160); - gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
+ +
+ /* Libgcrypt manual says that gcry_version_check must be called + /* Libgcrypt manual says that gcry_version_check must be called
@ -30,9 +30,5 @@ Index: gnupg-2.1.0/g10/mainproc.c
+ if( !gcry_fips_mode_active() ) + if( !gcry_fips_mode_active() )
+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 ); + gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1); gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
- gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
+ if( !gcry_fips_mode_active() )
+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
} }
if (opt.pgp2_workarounds && only_md5 && !opt.skip_verify if (DBG_HASHING)
&& opt.flags.allow_weak_digest_algos) {
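Review bot: The refreshed patch drops the `if( !gcry_fips_mode_active() )` guard around `gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 )`, which the old version of the patch carried; the new context line `if (DBG_HASHING)` suggests upstream removed the MD5 enable from this part of proc_plaintext, which the .changes entry records as "MD5 removed". That is only sufficient if no other enable of DIGEST_ALGO_MD5 remains on the 2.1.1 proc_plaintext path, since an unguarded enable of a FIPS-disabled algorithm surfaces at runtime, not at patch time; a grep of g10/mainproc.c in the 2.1.1 source would settle it. The RMD160 guard itself is unchanged. proc_plaintext continues outside the hunk.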


@ -1,3 +1,39 @@
-------------------------------------------------------------------
Fri Dec 26 21:15:55 UTC 2014 - andreas.stieger@gmx.de
- update to 2.1.1:
* gpg: Detect faulty use of --verify on detached signatures.
* gpg: New import option "keep-ownertrust".
* gpg: New sub-command "factory-reset" for --card-edit.
* gpg: A stub key for smartcards is now created by --card-status.
* gpg: Fixed regression in --refresh-keys.
* gpg: Fixed regresion in %g and %p codes for --sig-notation.
* gpg: Fixed best matching hash algo detection for ECDSA and EdDSA.
* gpg: Improved perceived speed of secret key listisngs.
* gpg: Print number of skipped PGP-2 keys on import.
* gpg: Removed the option aliases --throw-keyid and --notation-data;
use --throw-keyids and --set-notation instead.
* gpg: New import option "keep-ownertrust".
* gpg: Skip too large keys during import.
* gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or
dirmngr.
* gpg-agent: New option --extra-socket to provide a restricted
command set for use with remote clients.
* gpgconf --kill does not anymore start a service only to kill it.
* gpg-pconnect-agent: Add convenience option --uiserver.
* More translations (but most of them are not complete).
* To support remotely mounted home directories, the IPC sockets may
now be redirected. This feature requires Libassuan 2.2.0.
* Improved portability and the usual bunch of bug fixes.
- removed patch not part of upstream release:
gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch
- refresh for context changes:
gnupg-2.0.18-files-are-digests.patch
gnupg-2.0.4-install_tools.diff
- refresh for upstream code changes:
gnupg-add_legacy_FIPS_mode_option.patch
gnupg-detect_FIPS_mode.patch (MD5 removed)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Dec 25 18:09:11 UTC 2014 - dev@stellardeath.org Thu Dec 25 18:09:11 UTC 2014 - dev@stellardeath.org


@ -17,7 +17,7 @@
Name: gpg2 Name: gpg2
Version: 2.1.0 Version: 2.1.1
Release: 0 Release: 0
Summary: GnuPG 2 Summary: GnuPG 2
License: GPL-3.0+ License: GPL-3.0+
@ -35,7 +35,6 @@ Patch8: gnupg-set_umask_before_open_outfile.patch
Patch9: gnupg-detect_FIPS_mode.patch Patch9: gnupg-detect_FIPS_mode.patch
Patch11: gnupg-add_legacy_FIPS_mode_option.patch Patch11: gnupg-add_legacy_FIPS_mode_option.patch
Patch12: gnupg-remove_development_version_warning.patch Patch12: gnupg-remove_development_version_warning.patch
Patch13: gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch
Patch14: gnupg-large_keys.patch Patch14: gnupg-large_keys.patch
BuildRequires: automake >= 1.10 BuildRequires: automake >= 1.10
BuildRequires: expect BuildRequires: expect
@ -48,7 +47,7 @@ BuildRequires: libcurl-devel >= 7.10
# patch11 (gnupg-add_legacy_FIPS_mode_option.patch) mentions GCRYCTL_INACTIVATE_FIPS_FLAG # patch11 (gnupg-add_legacy_FIPS_mode_option.patch) mentions GCRYCTL_INACTIVATE_FIPS_FLAG
# raising gcrypt requirement from 1.4.0 # raising gcrypt requirement from 1.4.0
BuildRequires: libgcrypt-devel >= 1.6.1 BuildRequires: libgcrypt-devel >= 1.6.1
BuildRequires: libgpg-error-devel >= 1.15 BuildRequires: libgpg-error-devel >= 1.16
BuildRequires: libksba-devel >= 1.2.0 BuildRequires: libksba-devel >= 1.2.0
BuildRequires: libusb-devel BuildRequires: libusb-devel
BuildRequires: makeinfo BuildRequires: makeinfo
@ -87,7 +86,6 @@ gpg-agent, and a keybox library.
%patch9 -p1 %patch9 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1 %patch12 -p1
%patch13 -p1
%patch14 -p1 %patch14 -p1
%build %build
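Review bot: Dropping `Patch13: gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch` and its `%patch13 -p1` is only safe if the 2.1.1 tarball already contains the fix the deleted patch header cites (upstream commit 8445ef24fc31e1fe0291e17f90f9f06b536e34da, the `if (val < 80) goto badoid;` check in common/openpgp-oid.c); the patch's `Upstream: committed` line makes that likely, but nothing in this commit shows it. A check of common/openpgp-oid.c in the unpacked 2.1.1 source, or confirming that the `BADOID` cases in common/t-openpgp-oid.c are present and pass in %check, would close that gap. The .changes wording `removed patch not part of upstream release` reads as the opposite of the intent and would be clearer as `removed patch now part of upstream release`.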