Accepting request 266596 from Base:System

1

OBS-URL: https://build.opensuse.org/request/show/266596
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=84

gnupg-2.0.18-files-are-digests.patch

@@ -4,10 +4,10 @@
  g10/sign.c    |   66 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
  3 files changed, 66 insertions(+), 5 deletions(-)
 
-Index: gnupg-2.1.0/g10/gpg.c
+Index: gnupg-2.1.1/g10/gpg.c
 ===================================================================
---- gnupg-2.1.0.orig/g10/gpg.c	2014-11-07 11:35:21.599605797 +0100
+--- gnupg-2.1.1.orig/g10/gpg.c
-+++ gnupg-2.1.0/g10/gpg.c	2014-11-07 16:50:14.742067262 +0100
++++ gnupg-2.1.1/g10/gpg.c
 @@ -349,6 +349,7 @@ enum cmd_and_opt_values
      oTTYtype,
      oLCctype,
@@ -16,7 +16,7 @@ Index: gnupg-2.1.0/g10/gpg.c
      oXauthority,
      oGroup,
      oUnGroup,
-@@ -733,6 +734,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -730,6 +731,7 @@ static ARGPARSE_OPTS opts[] = {
    ARGPARSE_s_s (oPersonalCompressPreferences,
                                           "personal-compress-preferences", "@"),
    ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
@@ -24,7 +24,7 @@ Index: gnupg-2.1.0/g10/gpg.c
  
    /* Aliases.  I constantly mistype these, and assume other people do
       as well. */
-@@ -2126,6 +2128,7 @@ main (int argc, char **argv)
+@@ -2125,6 +2127,7 @@ main (int argc, char **argv)
      opt.def_cert_expire = "0";
      set_homedir (default_homedir ());
      opt.passphrase_repeat = 1;
@@ -40,11 +40,11 @@ Index: gnupg-2.1.0/g10/gpg.c
  
  	  case oForceMDC: opt.force_mdc = 1; break;
  	  case oNoForceMDC: opt.force_mdc = 0; break;
-Index: gnupg-2.1.0/g10/options.h
+Index: gnupg-2.1.1/g10/options.h
 ===================================================================
---- gnupg-2.1.0.orig/g10/options.h	2014-11-07 11:35:21.599605797 +0100
+--- gnupg-2.1.1.orig/g10/options.h
-+++ gnupg-2.1.0/g10/options.h	2014-11-07 16:49:59.770885017 +0100
++++ gnupg-2.1.1/g10/options.h
-@@ -193,6 +193,7 @@ struct
+@@ -192,6 +192,7 @@ struct
    int no_auto_check_trustdb;
    int preserve_permissions;
    int no_homedir_creation;
@@ -52,13 +52,13 @@ Index: gnupg-2.1.0/g10/options.h
    struct groupitem *grouplist;
    int mangle_dos_filenames;
    int enable_progress_filter;
-Index: gnupg-2.1.0/g10/sign.c
+Index: gnupg-2.1.1/g10/sign.c
 ===================================================================
---- gnupg-2.1.0.orig/g10/sign.c	2014-11-07 11:35:21.599605797 +0100
+--- gnupg-2.1.1.orig/g10/sign.c
-+++ gnupg-2.1.0/g10/sign.c	2014-11-07 17:13:40.128218081 +0100
++++ gnupg-2.1.1/g10/sign.c
-@@ -703,8 +703,12 @@ write_signature_packets (SK_LIST sk_list
+@@ -706,8 +706,12 @@ write_signature_packets (SK_LIST sk_list
-       build_sig_subpkt_from_sig (sig);
+           mk_notation_policy_etc (sig, NULL, pk);
-       mk_notation_policy_etc (sig, pk, NULL);
+         }
  
 +      if (!opt.files_are_digests) {
        hash_sigversion_to_magic (md, sig);
@@ -69,7 +69,7 @@ Index: gnupg-2.1.0/g10/sign.c
  
        rc = do_sign (pk, sig, md, hash_for (pk), cache_nonce);
        gcry_md_close (md);
-@@ -762,6 +766,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -765,6 +769,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
      SK_LIST sk_rover = NULL;
      int multifile = 0;
      u32 duration=0;
@@ -78,7 +78,7 @@ Index: gnupg-2.1.0/g10/sign.c
  
      pfx = new_progress_context ();
      afx = new_armor_context ();
-@@ -778,7 +784,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -781,7 +787,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
  	fname = NULL;
  
      if( fname && filenames->next && (!detached || encryptflag) )
@@ -96,7 +96,7 @@ Index: gnupg-2.1.0/g10/sign.c
  
      if(encryptflag==2
         && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
-@@ -799,7 +814,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -802,7 +817,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
        goto leave;
  
      /* prepare iobufs */
@@ -105,7 +105,7 @@ Index: gnupg-2.1.0/g10/sign.c
  	inp = NULL; /* we do it later */
      else {
        inp = iobuf_open(fname);
-@@ -938,7 +953,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -940,7 +955,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
      for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
        gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
  
@@ -114,7 +114,7 @@ Index: gnupg-2.1.0/g10/sign.c
  	iobuf_push_filter( inp, md_filter, &mfx );
  
      if( detached && !encryptflag)
-@@ -993,6 +1008,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -995,6 +1010,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
  
      write_status_begin_signing (mfx.md);
  
@@ -123,7 +123,7 @@ Index: gnupg-2.1.0/g10/sign.c
      /* Setup the inner packet. */
      if( detached ) {
  	if( multifile ) {
-@@ -1033,6 +1050,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1035,6 +1052,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
  	    if( opt.verbose )
  		putc( '\n', stderr );
  	}
@@ -169,7 +169,7 @@ Index: gnupg-2.1.0/g10/sign.c
  	else {
  	    /* read, so that the filter can calculate the digest */
  	    while( iobuf_get(inp) != -1 )
-@@ -1050,8 +1106,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1052,8 +1108,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
  
      /* write the signatures */
      rc = write_signature_packets (sk_list, out, mfx.md,

gnupg-2.0.4-install_tools.diff

@@ -1,7 +1,7 @@
 Index: tools/Makefile.am
 ===================================================================
---- tools/Makefile.am.orig	2014-11-06 18:12:17.743916141 +0100
+--- tools/Makefile.am.orig
-+++ tools/Makefile.am	2014-11-06 18:13:17.073677366 +0100
++++ tools/Makefile.am
 @@ -36,8 +36,8 @@ sbin_SCRIPTS = addgnupghome applygnupgde
  
  bin_SCRIPTS = gpgsm-gencert.sh
@@ -30,4 +30,4 @@ Index: tools/Makefile.am
 +noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert
  endif
  
- common_libs = $(libcommon) ../gl/libgnu.a
+ common_libs = $(libcommon)

gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch

@@ -1,77 +0,0 @@
-From: Werner Koch <wk@gnupg.org>
-Date: Tue, 25 Nov 2014 11:58:56 +0100
-Subject: [PATCH] Fix buffer overflow in openpgp_oid_to_str.
-References: boo#907198 http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=8445ef24fc31e1fe0291e17f90f9f06b536e34da
-Upstream: committed
-
-* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
-
-* common/t-openpgp-oid.c (BADOID): New.
-(test_openpgp_oid_to_str): Add test cases.
---
-
-The code has an obvious error by not considering invalid encoding for
-arc-2.  A first byte of 0x80 can be used to make a value of less then
-80 and we then subtract 80 from that value as required by the OID
-encoding rules.  Due to the unsigned integer this results in a pretty
-long value which won't fit anymore into the allocated buffer.
-
-The fix is obvious.  Also added a few simple test cases.  Note that we
-keep on using sprintf instead of snprintf because managing the
-remaining length of the buffer would probably be more error prone than
-assuring that the buffer is large enough.  Getting rid of sprintf
-altogether by using direct conversion along with membuf_t like code
-might be possible.
-
-Reported-by: Hanno Böck
-Signed-off-by: Werner Koch <wk@gnupg.org>
-
-Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
----
- common/openpgp-oid.c   |    2 ++
- common/t-openpgp-oid.c |    9 +++++++++
- 2 files changed, 11 insertions(+)
-
-diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
-index 010c23f..d3d1f2a 100644
---- a/common/openpgp-oid.c
-+++ b/common/openpgp-oid.c
-@@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
-         val <<= 7;
-         val |= buf[n] & 0x7f;
-       }
-+    if (val < 80)
-+      goto badoid;
-     val -= 80;
-     sprintf (p, "2.%lu", val);
-     p += strlen (p);
-diff --git a/common/t-openpgp-oid.c b/common/t-openpgp-oid.c
-index 79e5a70..5cd778d 100644
---- a/common/t-openpgp-oid.c
-+++ b/common/t-openpgp-oid.c
-@@ -32,6 +32,9 @@
-   } while(0)
- 
- 
-+#define BADOID "1.3.6.1.4.1.11591.2.12242973"
-+
-+
- static void
- test_openpgp_oid_from_str (void)
- {
-@@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
-     { "1.3.132.0.35",
-       { 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},
- 
-+    { BADOID,
-+      { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
-+
-+    { BADOID,
-+      { 1, 0x80 }},
-+
-     { NULL }};
-   gcry_mpi_t a;
-   int idx;
--- 
-1.7.10.4
-

gnupg-2.1.0.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:16a8c3f50a15bf37d2dfb1c5e4bb3ec533e1d0b6a4043ff3680a376a3ad4058b
-size 3111585

gnupg-2.1.1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:70ecd01d2875db62624c911c2fd815742f50aef5492698eb3bfc09a08690ce49
+size 4801472

gnupg-add_legacy_FIPS_mode_option.patch

@@ -3,11 +3,11 @@
  g10/gpg.c    |    9 +++++++++
  2 files changed, 27 insertions(+)
 
-Index: gnupg-2.1.0/doc/gpg.texi
+Index: gnupg-2.1.1/doc/gpg.texi
 ===================================================================
---- gnupg-2.1.0.orig/doc/gpg.texi	2014-11-06 18:31:32.218688065 +0100
+--- gnupg-2.1.1.orig/doc/gpg.texi
-+++ gnupg-2.1.0/doc/gpg.texi	2014-11-06 18:31:33.871709178 +0100
++++ gnupg-2.1.1/doc/gpg.texi
-@@ -1828,6 +1828,24 @@ implies, this option is for experts only
+@@ -1842,6 +1842,24 @@ implies, this option is for experts only
  understand the implications of what it allows you to do, leave this
  off. @option{--no-expert} disables this option.
  
@@ -32,19 +32,19 @@ Index: gnupg-2.1.0/doc/gpg.texi
  @end table
  
  
-Index: gnupg-2.1.0/g10/gpg.c
+Index: gnupg-2.1.1/g10/gpg.c
 ===================================================================
---- gnupg-2.1.0.orig/g10/gpg.c	2014-11-06 18:31:32.220688090 +0100
+--- gnupg-2.1.1.orig/g10/gpg.c
-+++ gnupg-2.1.0/g10/gpg.c	2014-11-06 18:32:03.833091859 +0100
++++ gnupg-2.1.1/g10/gpg.c
-@@ -380,6 +380,7 @@ enum cmd_and_opt_values
+@@ -381,6 +381,7 @@ enum cmd_and_opt_values
-     oNoAllowMultipleMessages,
      oAllowWeakDigestAlgos,
      oFakedSystemTime,
+     oNoAutostart,
 +    oSetLegacyFips,
  
      oNoop
    };
-@@ -772,6 +773,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -769,6 +770,7 @@ static ARGPARSE_OPTS opts[] = {
    ARGPARSE_s_n (oAllowMultipleMessages,      "allow-multiple-messages", "@"),
    ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
    ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
@@ -52,9 +52,9 @@ Index: gnupg-2.1.0/g10/gpg.c
  
    /* These two are aliases to help users of the PGP command line
       product use gpg with minimal pain.  Many commands are common
-@@ -3138,6 +3140,13 @@ main (int argc, char **argv)
+@@ -3134,6 +3136,13 @@ main (int argc, char **argv)
-             }
+ 
-             break;
+           case oNoAutostart: opt.autostart = 0; break;
  
 +	  case oSetLegacyFips:
 +	    if(gcry_fips_mode_active())

gnupg-detect_FIPS_mode.patch

@@ -1,7 +1,7 @@
-Index: gnupg-2.1.0/g10/encrypt.c
+Index: gnupg-2.1.1/g10/encrypt.c
 ===================================================================
---- gnupg-2.1.0.orig/g10/encrypt.c	2014-11-06 18:27:35.176659675 +0100
+--- gnupg-2.1.1.orig/g10/encrypt.c
-+++ gnupg-2.1.0/g10/encrypt.c	2014-11-06 18:29:10.987883901 +0100
++++ gnupg-2.1.1/g10/encrypt.c
 @@ -783,7 +783,10 @@ encrypt_filter (void *opaque, int contro
                    /* Because 3DES is implicitly in the prefs, this can
                       only happen if we do not have any public keys in
@@ -14,25 +14,21 @@ Index: gnupg-2.1.0/g10/encrypt.c
                  }
  
                /* In case 3DES has been selected, print a warning if
-Index: gnupg-2.1.0/g10/mainproc.c
+Index: gnupg-2.1.1/g10/mainproc.c
 ===================================================================
---- gnupg-2.1.0.orig/g10/mainproc.c	2014-11-06 18:27:33.243634973 +0100
+--- gnupg-2.1.1.orig/g10/mainproc.c
-+++ gnupg-2.1.0/g10/mainproc.c	2014-11-06 18:27:35.178659700 +0100
++++ gnupg-2.1.1/g10/mainproc.c
-@@ -690,9 +690,15 @@ proc_plaintext( CTX c, PACKET *pkt )
+@@ -719,7 +719,12 @@ proc_plaintext( CTX c, PACKET *pkt )
- 	   often.  There is no good way to specify what algorithms to
+          according to 2440, so hopefully it won't come up that often.
- 	   use in that case, so these three are the historical
+          There is no good way to specify what algorithms to use in
- 	   answer. */
+          that case, so these there are the historical answer. */
--	gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+-	gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
 +
 +	/* Libgcrypt manual says that gcry_version_check must be called
 +	   before calling gcry_fips_mode_active. */
 +	gcry_check_version (NULL);
 +	if( !gcry_fips_mode_active() )
 +	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
- 	gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
+ 	gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
--	gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
+     }
-+	if( !gcry_fips_mode_active() )
+   if (DBG_HASHING)
-+	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
-       }
-     if (opt.pgp2_workarounds && only_md5 && !opt.skip_verify
-         && opt.flags.allow_weak_digest_algos) {

gpg2.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Fri Dec 26 21:15:55 UTC 2014 - andreas.stieger@gmx.de
+
+- update to 2.1.1:
+  * gpg: Detect faulty use of --verify on detached signatures.
+  * gpg: New import option "keep-ownertrust".
+  * gpg: New sub-command "factory-reset" for --card-edit.
+  * gpg: A stub key for smartcards is now created by --card-status.
+  * gpg: Fixed regression in --refresh-keys.
+  * gpg: Fixed regresion in %g and %p codes for --sig-notation.
+  * gpg: Fixed best matching hash algo detection for ECDSA and EdDSA.
+  * gpg: Improved perceived speed of secret key listisngs.
+  * gpg: Print number of skipped PGP-2 keys on import.
+  * gpg: Removed the option aliases --throw-keyid and --notation-data;
+    use --throw-keyids and --set-notation instead.
+  * gpg: New import option "keep-ownertrust".
+  * gpg: Skip too large keys during import.
+  * gpg,gpgsm: New option --no-autostart to avoid starting gpg-agent or
+    dirmngr.
+  * gpg-agent: New option --extra-socket to provide a restricted
+    command set for use with remote clients.
+  * gpgconf --kill does not anymore start a service only to kill it.
+  * gpg-pconnect-agent: Add convenience option --uiserver.
+  * More translations (but most of them are not complete).
+  * To support remotely mounted home directories, the IPC sockets may
+    now be redirected.  This feature requires Libassuan 2.2.0.
+  * Improved portability and the usual bunch of bug fixes.
+- removed patch not part of upstream release:
+    gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch
+- refresh for context changes:
+    gnupg-2.0.18-files-are-digests.patch
+    gnupg-2.0.4-install_tools.diff
+- refresh for upstream code changes:
+    gnupg-add_legacy_FIPS_mode_option.patch
+    gnupg-detect_FIPS_mode.patch (MD5 removed)
+
 -------------------------------------------------------------------
 Thu Dec 25 18:09:11 UTC 2014 - dev@stellardeath.org
 

gpg2.spec

@@ -17,7 +17,7 @@
 
 
 Name:           gpg2
-Version:        2.1.0
+Version:        2.1.1
 Release:        0
 Summary:        GnuPG 2
 License:        GPL-3.0+
@@ -35,7 +35,6 @@ Patch8:         gnupg-set_umask_before_open_outfile.patch
 Patch9:         gnupg-detect_FIPS_mode.patch
 Patch11:        gnupg-add_legacy_FIPS_mode_option.patch
 Patch12:        gnupg-remove_development_version_warning.patch
-Patch13:        gnupg-2.1.0-boo-907198-openpgp_oid_to_str-buffer-overflow.patch
 Patch14:        gnupg-large_keys.patch
 BuildRequires:  automake >= 1.10
 BuildRequires:  expect
@@ -48,7 +47,7 @@ BuildRequires:  libcurl-devel >= 7.10
 # patch11 (gnupg-add_legacy_FIPS_mode_option.patch) mentions GCRYCTL_INACTIVATE_FIPS_FLAG
 # raising gcrypt requirement from 1.4.0
 BuildRequires:  libgcrypt-devel >= 1.6.1
-BuildRequires:  libgpg-error-devel >= 1.15
+BuildRequires:  libgpg-error-devel >= 1.16
 BuildRequires:  libksba-devel >= 1.2.0
 BuildRequires:  libusb-devel
 BuildRequires:  makeinfo
@@ -87,7 +86,6 @@ gpg-agent, and a keybox library.
 %patch9 -p1
 %patch11 -p1
 %patch12 -p1
-%patch13 -p1
 %patch14 -p1
 
 %build