Accepting request 751577 from Base:System

OBS-URL: https://build.opensuse.org/request/show/751577
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=143

gnupg-2.2.17.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:afa262868e39b651a2db4c071fba90415154243e83a830ca00516f9a807fd514
-size 6717554

gnupg-2.2.18.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:30d37ce2ca55b2b9b61480b2a175a3b22066ab41cd3f84688448919b566dec0a
+size 6740621

gnupg-2.2.8-files-are-digests.patch

@@ -4,11 +4,11 @@
  g10/sign.c    |   68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
  3 files changed, 67 insertions(+), 6 deletions(-)
 
-Index: gnupg-2.2.8/g10/gpg.c
+Index: gnupg-2.2.18/g10/gpg.c
 ===================================================================
---- gnupg-2.2.8.orig/g10/gpg.c	2018-06-06 11:59:06.000000000 +0200
-+++ gnupg-2.2.8/g10/gpg.c	2018-06-08 16:34:33.287514003 +0200
-@@ -376,6 +376,7 @@ enum cmd_and_opt_values
+--- gnupg-2.2.18.orig/g10/gpg.c
++++ gnupg-2.2.18/g10/gpg.c
+@@ -378,6 +378,7 @@ enum cmd_and_opt_values
      oTTYtype,
      oLCctype,
      oLCmessages,
@@ -16,7 +16,7 @@ Index: gnupg-2.2.8/g10/gpg.c
      oXauthority,
      oGroup,
      oUnGroup,
-@@ -824,6 +825,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -830,6 +831,7 @@ static ARGPARSE_OPTS opts[] = {
    ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
    ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
    ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
@@ -24,7 +24,7 @@ Index: gnupg-2.2.8/g10/gpg.c
  
    /* Aliases.  I constantly mistype these, and assume other people do
       as well. */
-@@ -2392,6 +2394,7 @@ main (int argc, char **argv)
+@@ -2412,6 +2414,7 @@ main (int argc, char **argv)
      opt.def_cert_expire = "0";
      gnupg_set_homedir (NULL);
      opt.passphrase_repeat = 1;
@@ -32,7 +32,7 @@ Index: gnupg-2.2.8/g10/gpg.c
      opt.emit_version = 0;
      opt.weak_digests = NULL;
  
-@@ -2963,6 +2966,7 @@ main (int argc, char **argv)
+@@ -2988,6 +2991,7 @@ main (int argc, char **argv)
  	    opt.verify_options&=~VERIFY_SHOW_PHOTOS;
  	    break;
  	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
@@ -40,10 +40,10 @@ Index: gnupg-2.2.8/g10/gpg.c
  
            case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
  
-Index: gnupg-2.2.8/g10/options.h
+Index: gnupg-2.2.18/g10/options.h
 ===================================================================
---- gnupg-2.2.8.orig/g10/options.h	2018-05-31 12:03:06.000000000 +0200
-+++ gnupg-2.2.8/g10/options.h	2018-06-08 16:34:33.287514003 +0200
+--- gnupg-2.2.18.orig/g10/options.h
++++ gnupg-2.2.18/g10/options.h
 @@ -210,6 +210,7 @@ struct
    int no_auto_check_trustdb;
    int preserve_permissions;
@@ -52,10 +52,10 @@ Index: gnupg-2.2.8/g10/options.h
    struct groupitem *grouplist;
    int mangle_dos_filenames;
    int enable_progress_filter;
-Index: gnupg-2.2.8/g10/sign.c
+Index: gnupg-2.2.18/g10/sign.c
 ===================================================================
---- gnupg-2.2.8.orig/g10/sign.c	2017-08-28 12:22:54.000000000 +0200
-+++ gnupg-2.2.8/g10/sign.c	2018-06-08 16:34:33.287514003 +0200
+--- gnupg-2.2.18.orig/g10/sign.c
++++ gnupg-2.2.18/g10/sign.c
 @@ -43,6 +43,8 @@
  #include "../common/mbox-util.h"
  #include "../common/compliance.h"
@@ -65,7 +65,7 @@ Index: gnupg-2.2.8/g10/sign.c
  #ifdef HAVE_DOSISH_SYSTEM
  #define LF "\r\n"
  #else
-@@ -727,6 +729,8 @@ write_signature_packets (ctrl_t ctrl,
+@@ -749,6 +751,8 @@ write_signature_packets (ctrl_t ctrl,
        if (duration || opt.sig_policy_url
            || opt.sig_notations || opt.sig_keyserver_url)
          sig->version = 4;
@@ -74,7 +74,7 @@ Index: gnupg-2.2.8/g10/sign.c
        else
          sig->version = pk->version;
  
-@@ -750,8 +754,12 @@ write_signature_packets (ctrl_t ctrl,
+@@ -772,8 +776,12 @@ write_signature_packets (ctrl_t ctrl,
            mk_notation_policy_etc (sig, NULL, pk);
          }
  
@@ -85,9 +85,9 @@ Index: gnupg-2.2.8/g10/sign.c
 +          log_bug("files-are-digests doesn't work with v4 sigs\n");
 +      }
  
-       rc = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce);
+       rc = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
        gcry_md_close (md);
-@@ -813,6 +821,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -835,6 +843,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
      SK_LIST sk_rover = NULL;
      int multifile = 0;
      u32 duration=0;
@@ -96,7 +96,7 @@ Index: gnupg-2.2.8/g10/sign.c
  
      pfx = new_progress_context ();
      afx = new_armor_context ();
-@@ -830,7 +840,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -852,7 +862,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
  	fname = NULL;
  
      if( fname && filenames->next && (!detached || encryptflag) )
@@ -114,7 +114,7 @@ Index: gnupg-2.2.8/g10/sign.c
  
      if(encryptflag==2
         && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
-@@ -851,7 +870,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -873,7 +892,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
        goto leave;
  
      /* prepare iobufs */
@@ -123,7 +123,7 @@ Index: gnupg-2.2.8/g10/sign.c
  	inp = NULL; /* we do it later */
      else {
        inp = iobuf_open(fname);
-@@ -989,7 +1008,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1011,7 +1030,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
      for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
        gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
  
@@ -132,7 +132,7 @@ Index: gnupg-2.2.8/g10/sign.c
  	iobuf_push_filter( inp, md_filter, &mfx );
  
      if( detached && !encryptflag)
-@@ -1044,6 +1063,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1066,6 +1085,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
  
      write_status_begin_signing (mfx.md);
  
@@ -141,7 +141,7 @@ Index: gnupg-2.2.8/g10/sign.c
      /* Setup the inner packet. */
      if( detached ) {
  	if( multifile ) {
-@@ -1084,6 +1105,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1106,6 +1127,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
  	    if( opt.verbose )
                log_printf ("\n");
  	}
@@ -187,7 +187,7 @@ Index: gnupg-2.2.8/g10/sign.c
  	else {
  	    /* read, so that the filter can calculate the digest */
  	    while( iobuf_get(inp) != -1 )
-@@ -1102,8 +1162,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1124,8 +1184,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
  
      /* write the signatures */
      rc = write_signature_packets (ctrl, sk_list, out, mfx.md,

gnupg-add_legacy_FIPS_mode_option.patch

@@ -3,11 +3,11 @@
  g10/gpg.c    |    9 +++++++++
  2 files changed, 27 insertions(+)
 
-Index: gnupg-2.2.7/doc/gpg.texi
+Index: gnupg-2.2.18/doc/gpg.texi
 ===================================================================
---- gnupg-2.2.7.orig/doc/gpg.texi	2018-05-04 16:14:30.949580264 +0200
-+++ gnupg-2.2.7/doc/gpg.texi	2018-05-04 16:14:34.025609243 +0200
-@@ -2097,6 +2097,24 @@ implies, this option is for experts only
+--- gnupg-2.2.18.orig/doc/gpg.texi
++++ gnupg-2.2.18/doc/gpg.texi
+@@ -2115,6 +2115,24 @@ implies, this option is for experts only
  understand the implications of what it allows you to do, leave this
  off. @option{--no-expert} disables this option.
  
@@ -32,19 +32,19 @@ Index: gnupg-2.2.7/doc/gpg.texi
  @end table
  
  
-Index: gnupg-2.2.7/g10/gpg.c
+Index: gnupg-2.2.18/g10/gpg.c
 ===================================================================
---- gnupg-2.2.7.orig/g10/gpg.c	2018-05-04 16:14:30.949580264 +0200
-+++ gnupg-2.2.7/g10/gpg.c	2018-05-04 16:15:00.441858109 +0200
+--- gnupg-2.2.18.orig/g10/gpg.c
++++ gnupg-2.2.18/g10/gpg.c
 @@ -425,6 +425,7 @@ enum cmd_and_opt_values
-     oKeyOrigin,
      oRequestOrigin,
      oNoSymkeyCache,
+     oUseOnlyOpenPGPCard,
 +    oSetLegacyFips,
  
      oNoop
    };
-@@ -872,6 +873,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -870,6 +871,7 @@ static ARGPARSE_OPTS opts[] = {
    ARGPARSE_s_n (oAllowMultipleMessages,      "allow-multiple-messages", "@"),
    ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
    ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
@@ -52,8 +52,8 @@ Index: gnupg-2.2.7/g10/gpg.c
  
    ARGPARSE_s_s (oDefaultNewKeyAlgo, "default-new-key-algo", "@"),
  
-@@ -3568,6 +3570,13 @@ main (int argc, char **argv)
-             opt.def_new_key_algo = pargs.r.ret_str;
+@@ -3600,6 +3602,13 @@ main (int argc, char **argv)
+             opt.flags.use_only_openpgp_card = 1;
              break;
  
 +	  case oSetLegacyFips:

gpg2.changes

@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Wed Nov 27 15:42:22 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Update to 2.2.18 [bsc#1157900, CVE-2019-14855]
+  * gpg: Changed the way keys are detected on a smartcards; this
+    allows the use of non-OpenPGP cards.  In the case of a not very
+    likely regression the new option --use-only-openpgp-card is
+    available.  [#4681]
+  * gpg: The commands --full-gen-key and --quick-gen-key now allow
+    direct key generation from supported cards.  [#4681]
+  * gpg: Prepare against chosen-prefix SHA-1 collisions in key
+    signatures.  This change removes all SHA-1 based key signature
+    newer than 2019-01-19 from the web-of-trust.  Note that this
+    includes all key signature created with dsa1024 keys.  The new
+    option --allow-weak-key-signatues can be used to override the new
+    and safer behaviour.  [#4755,CVE-2019-14855]
+  * gpg: Improve performance for import of large keyblocks.  [#4592]
+  * gpg: Implement a keybox compression run.  [#4644]
+  * gpg: Show warnings from dirmngr about redirect and certificate
+    problems (details require --verbose as usual).
+  * gpg: Allow to pass the empty string for the passphrase if the
+    '--passphase=' syntax is used.  [#4633]
+  * gpg: Fix printing of the KDF object attributes.
+  * gpg: Avoid surprises with --locate-external-key and certain
+    --auto-key-locate settings.  [#4662]
+  * gpg: Improve selection of best matching key.  [#4713]
+  * gpg: Delete key binding signature when deletring a subkey.
+    [#4665,#4457]
+  * gpg: Fix a potential loss of key sigantures during import with
+    self-sigs-only active.  [#4628]
+  * gpg: Silence "marked as ultimately trusted" diagnostics if
+    option --quiet is used.  [#4634]
+  * gpg: Silence some diagnostics during in key listsing even with
+    option --verbose.  [#4627]
+  * gpg, gpgsm: Change parsing of agent's pkdecrypt results.  [#4652]
+  * gpgsm: Support AES-256 keys.
+  * gpgsm: Fix a bug in triggering a keybox compression run if
+    --faked-system-time is used.
+  * dirmngr: System CA certificates are no longer used for the SKS
+    pool if GNUTLS instead of NTBTLS is used as TLS library.  [#4594]
+  * dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces
+    to avoid long timeouts.  [#4165]
+  * scd: Fix BWI value for APDU level transfers to make Gemalto Ezio
+    Shield and Trustica Cryptoucan work.  [#4654,#4566]
+  * wkd: gpg-wks-client --install-key now installs the required policy
+    file.
+- Rebase patches:
+  * gnupg-2.2.8-files-are-digests.patch
+  * gnupg-add_legacy_FIPS_mode_option.patch
+
 -------------------------------------------------------------------
 Thu Sep 19 12:05:13 UTC 2019 - Ludwig Nussel <lnussel@suse.de>
 

gpg2.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package gpg2
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           gpg2
-Version:        2.2.17
+Version:        2.2.18
 Release:        0
 Summary:        File encryption, decryption, signature creation and verification utility
 License:        GPL-3.0-or-later