Accepting request 615264 from Base:System

GnuPG 2.2.8 (bsc#1096745, CVE-2018-12020)

OBS-URL: https://build.opensuse.org/request/show/615264
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=128

gnupg-2.2.7.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d95b361ee6ef7eff86af40c8c72bf9313736ac9f7010d6604d78bf83818e976e
-size 6631100

gnupg-2.2.8-files-are-digests.patch

@@ -4,11 +4,11 @@
  g10/sign.c    |   68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
  3 files changed, 67 insertions(+), 6 deletions(-)
 
-Index: gnupg-2.1.23/g10/gpg.c
+Index: gnupg-2.2.8/g10/gpg.c
 ===================================================================
---- gnupg-2.1.23.orig/g10/gpg.c	2017-08-09 15:46:17.000000000 +0200
-+++ gnupg-2.1.23/g10/gpg.c	2017-08-10 16:21:26.692847431 +0200
-@@ -380,6 +380,7 @@ enum cmd_and_opt_values
+--- gnupg-2.2.8.orig/g10/gpg.c	2018-06-06 11:59:06.000000000 +0200
++++ gnupg-2.2.8/g10/gpg.c	2018-06-08 16:34:33.287514003 +0200
+@@ -376,6 +376,7 @@ enum cmd_and_opt_values
      oTTYtype,
      oLCctype,
      oLCmessages,
@@ -16,7 +16,7 @@ Index: gnupg-2.1.23/g10/gpg.c
      oXauthority,
      oGroup,
      oUnGroup,
-@@ -829,6 +830,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -824,6 +825,7 @@ static ARGPARSE_OPTS opts[] = {
    ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
    ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
    ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
@@ -24,7 +24,7 @@ Index: gnupg-2.1.23/g10/gpg.c
  
    /* Aliases.  I constantly mistype these, and assume other people do
       as well. */
-@@ -2388,6 +2390,7 @@ main (int argc, char **argv)
+@@ -2392,6 +2394,7 @@ main (int argc, char **argv)
      opt.def_cert_expire = "0";
      gnupg_set_homedir (NULL);
      opt.passphrase_repeat = 1;
@@ -32,19 +32,19 @@ Index: gnupg-2.1.23/g10/gpg.c
      opt.emit_version = 0;
      opt.weak_digests = NULL;
  
-@@ -2952,6 +2955,7 @@ main (int argc, char **argv)
+@@ -2963,6 +2966,7 @@ main (int argc, char **argv)
  	    opt.verify_options&=~VERIFY_SHOW_PHOTOS;
  	    break;
  	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
 +	  case oFilesAreDigests: opt.files_are_digests = 1; break;
  
- 	  case oForceMDC: opt.force_mdc = 1; break;
- 	  case oNoForceMDC: opt.force_mdc = 0; break;
-Index: gnupg-2.1.23/g10/options.h
+           case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
+ 
+Index: gnupg-2.2.8/g10/options.h
 ===================================================================
---- gnupg-2.1.23.orig/g10/options.h	2017-08-09 15:46:17.000000000 +0200
-+++ gnupg-2.1.23/g10/options.h	2017-08-10 16:21:26.692847431 +0200
-@@ -213,6 +213,7 @@ struct
+--- gnupg-2.2.8.orig/g10/options.h	2018-05-31 12:03:06.000000000 +0200
++++ gnupg-2.2.8/g10/options.h	2018-06-08 16:34:33.287514003 +0200
+@@ -210,6 +210,7 @@ struct
    int no_auto_check_trustdb;
    int preserve_permissions;
    int no_homedir_creation;
@@ -52,10 +52,10 @@ Index: gnupg-2.1.23/g10/options.h
    struct groupitem *grouplist;
    int mangle_dos_filenames;
    int enable_progress_filter;
-Index: gnupg-2.1.23/g10/sign.c
+Index: gnupg-2.2.8/g10/sign.c
 ===================================================================
---- gnupg-2.1.23.orig/g10/sign.c	2017-07-28 19:39:06.000000000 +0200
-+++ gnupg-2.1.23/g10/sign.c	2017-08-10 16:21:26.692847431 +0200
+--- gnupg-2.2.8.orig/g10/sign.c	2017-08-28 12:22:54.000000000 +0200
++++ gnupg-2.2.8/g10/sign.c	2018-06-08 16:34:33.287514003 +0200
 @@ -43,6 +43,8 @@
  #include "../common/mbox-util.h"
  #include "../common/compliance.h"

gnupg-2.2.8.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:777b4cb8ced21965a5053d4fa20fe11484f0a478f3d011cef508a1a49db50dcd
+size 6632465

gpg2.changes

@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Fri Jun  8 14:37:06 UTC 2018 - kbabioch@suse.com
+
+- Update to version 2.2.8:
+  * gpg: Decryption of messages not using the MDC mode will now lead to a
+    hard failure even if a legacy cipher algorithm was used. The option
+    --ignore-mdc-error can be used to turn this failure into a warning. Take
+    care: Never use that option unconditionally or without a prior warning.
+  * gpg: The MDC encryption mode is now always used regardless of the
+    cipher algorithm or any preferences.  For testing --rfc2440 can be
+    used to create a message without an MDC.
+  * gpg: Sanitize the diagnostic output of the original file name in
+    verbose mode (bsc#1096745, CVE-2018-12020)
+  * gpg: Detect suspicious multiple plaintext packets in a more reliable way.
+  * gpg: Fix the duplicate key signature detection code.
+  * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
+    --disable-mdc and --no-disable-mdc have no more effect.
+  * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
+    list of startup environment variables.
+- Refresh gnupg-2.0.18-files-are-digests.patch
+  to gnupg-2.2.8-files-are-digests.patch
+
 -------------------------------------------------------------------
 Fri May  4 14:15:27 UTC 2018 - astieger@suse.com
 

gpg2.spec

@@ -17,19 +17,19 @@
 
 
 Name:           gpg2
-Version:        2.2.7
+Version:        2.2.8
 Release:        0
 Summary:        File encryption, decryption, signature creation and verification utility
-License:        GPL-3.0+
+License:        GPL-3.0-or-later
 Group:          Productivity/Networking/Security
-Url:            http://www.gnupg.org/aegypten2/
+URL:            https://www.gnupg.org
 Source:         ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2
 Source2:        ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
 # https://www.gnupg.org/signature_key.html
 Source3:        %{name}.keyring
 Source99:       %{name}.changes
 Patch4:         gnupg-2.0.9-langinfo.patch
-Patch5:         gnupg-2.0.18-files-are-digests.patch
+Patch5:         gnupg-2.2.8-files-are-digests.patch
 Patch6:         gnupg-dont-fail-with-seahorse-agent.patch
 Patch8:         gnupg-set_umask_before_open_outfile.patch
 Patch9:         gnupg-detect_FIPS_mode.patch