From 4dae542981813c8777033c6edbd4c469b741b9840c1eafe294bdc2f02fe33da0 Mon Sep 17 00:00:00 2001 From: Yuchen Lin Date: Fri, 22 Jun 2018 11:11:25 +0000 Subject: [PATCH] Accepting request 615264 from Base:System GnuPG 2.2.8 (bsc#1096745, CVE-2018-12020) OBS-URL: https://build.opensuse.org/request/show/615264 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=128 --- gnupg-2.2.7.tar.bz2 | 3 -- gnupg-2.2.7.tar.bz2.sig | Bin 310 -> 0 bytes ...tch => gnupg-2.2.8-files-are-digests.patch | 32 +++++++++--------- gnupg-2.2.8.tar.bz2 | 3 ++ gnupg-2.2.8.tar.bz2.sig | Bin 0 -> 310 bytes gpg2.changes | 22 ++++++++++++ gpg2.spec | 8 ++--- 7 files changed, 45 insertions(+), 23 deletions(-) delete mode 100644 gnupg-2.2.7.tar.bz2 delete mode 100644 gnupg-2.2.7.tar.bz2.sig rename gnupg-2.0.18-files-are-digests.patch => gnupg-2.2.8-files-are-digests.patch (88%) create mode 100644 gnupg-2.2.8.tar.bz2 create mode 100644 gnupg-2.2.8.tar.bz2.sig diff --git a/gnupg-2.2.7.tar.bz2 b/gnupg-2.2.7.tar.bz2 deleted file mode 100644 index 7cc2cef..0000000 --- a/gnupg-2.2.7.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d95b361ee6ef7eff86af40c8c72bf9313736ac9f7010d6604d78bf83818e976e -size 6631100 diff --git a/gnupg-2.2.7.tar.bz2.sig b/gnupg-2.2.7.tar.bz2.sig deleted file mode 100644 index 7e4ca39b0d8d3cc6e052543c65cdbb1831457ca07f27af78bf218f867b695933..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 310 zcmV-60m=S}0W$;u0SEvc79j-KX(1!T23_i24?49Zn>o@?CF8aQ0$S=AJpc*`5G0#9 z(oZGhw*SNk0Gh84=Q>A2n*Sozj_twIc3N4wRDXN5)?jE~T}wJSS_a^&iBS7}EB*}m zPQ(?F+b?c@goR&%aS^j+f!wyW2wVMU8cbI8wa6h$y6+~LmTXk=hW~1VxY13kAn`RO zwU9jQrsJQ^u?*yOe%1DsS0xkb8xl#cyPw3x%ubHK2B=d|0KsQD+F0<3tz2*sPdy^1x&@#<=_MM9%E2QXE+Y=V_Y!)aR2`zyxEpu#>%kyy5#dorJFa7ms5B$ zKrBpR+hztPCbpBPrywEf($g!H1lUN1Kr@6JRfXgaeyUMm8<)dRsb>1niA9m1PekXd I^lPMxw2zOIjsO4v 
diff --git a/gnupg-2.0.18-files-are-digests.patch b/gnupg-2.2.8-files-are-digests.patch similarity index 88% rename from gnupg-2.0.18-files-are-digests.patch rename to gnupg-2.2.8-files-are-digests.patch index 7035cc6..6de374e 100644 --- a/gnupg-2.0.18-files-are-digests.patch +++ b/gnupg-2.2.8-files-are-digests.patch @@ -4,11 +4,11 @@ g10/sign.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------ 3 files changed, 67 insertions(+), 6 deletions(-) -Index: gnupg-2.1.23/g10/gpg.c +Index: gnupg-2.2.8/g10/gpg.c =================================================================== ---- gnupg-2.1.23.orig/g10/gpg.c 2017-08-09 15:46:17.000000000 +0200 -+++ gnupg-2.1.23/g10/gpg.c 2017-08-10 16:21:26.692847431 +0200 -@@ -380,6 +380,7 @@ enum cmd_and_opt_values +--- gnupg-2.2.8.orig/g10/gpg.c 2018-06-06 11:59:06.000000000 +0200 ++++ gnupg-2.2.8/g10/gpg.c 2018-06-08 16:34:33.287514003 +0200 +@@ -376,6 +376,7 @@ enum cmd_and_opt_values oTTYtype, oLCctype, oLCmessages, @@ -16,7 +16,7 @@ Index: gnupg-2.1.23/g10/gpg.c oXauthority, oGroup, oUnGroup, -@@ -829,6 +830,7 @@ static ARGPARSE_OPTS opts[] = { +@@ -824,6 +825,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_s (oWeakDigest, "weak-digest","@"), ARGPARSE_s_n (oUnwrap, "unwrap", "@"), ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"), @@ -24,7 +24,7 @@ Index: gnupg-2.1.23/g10/gpg.c /* Aliases. I constantly mistype these, and assume other people do as well. */ -@@ -2388,6 +2390,7 @@ main (int argc, char **argv) +@@ -2392,6 +2394,7 @@ main (int argc, char **argv) opt.def_cert_expire = "0"; gnupg_set_homedir (NULL); opt.passphrase_repeat = 1; 
@@ -32,19 +32,19 @@ Index: gnupg-2.1.23/g10/gpg.c opt.emit_version = 0; opt.weak_digests = NULL; -@@ -2952,6 +2955,7 @@ main (int argc, char **argv) +@@ -2963,6 +2966,7 @@ main (int argc, char **argv) opt.verify_options&=~VERIFY_SHOW_PHOTOS; break; case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; + case oFilesAreDigests: opt.files_are_digests = 1; break; - case oForceMDC: opt.force_mdc = 1; break; - case oNoForceMDC: opt.force_mdc = 0; break; -Index: gnupg-2.1.23/g10/options.h + case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break; + +Index: gnupg-2.2.8/g10/options.h =================================================================== ---- gnupg-2.1.23.orig/g10/options.h 2017-08-09 15:46:17.000000000 +0200 -+++ gnupg-2.1.23/g10/options.h 2017-08-10 16:21:26.692847431 +0200 -@@ -213,6 +213,7 @@ struct +--- gnupg-2.2.8.orig/g10/options.h 2018-05-31 12:03:06.000000000 +0200 ++++ gnupg-2.2.8/g10/options.h 2018-06-08 16:34:33.287514003 +0200 +@@ -210,6 +210,7 @@ struct int no_auto_check_trustdb; int preserve_permissions; int no_homedir_creation; @@ -52,10 +52,10 @@ Index: gnupg-2.1.23/g10/options.h struct groupitem *grouplist; int mangle_dos_filenames; int enable_progress_filter; -Index: gnupg-2.1.23/g10/sign.c +Index: gnupg-2.2.8/g10/sign.c =================================================================== ---- gnupg-2.1.23.orig/g10/sign.c 2017-07-28 19:39:06.000000000 +0200 -+++ gnupg-2.1.23/g10/sign.c 2017-08-10 16:21:26.692847431 +0200 +--- gnupg-2.2.8.orig/g10/sign.c 2017-08-28 12:22:54.000000000 +0200 ++++ gnupg-2.2.8/g10/sign.c 2018-06-08 16:34:33.287514003 +0200 @@ -43,6 +43,8 @@ #include "../common/mbox-util.h" #include "../common/compliance.h" diff --git a/gnupg-2.2.8.tar.bz2 b/gnupg-2.2.8.tar.bz2 new file mode 100644 index 0000000..94e11d7 --- /dev/null +++ b/gnupg-2.2.8.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:777b4cb8ced21965a5053d4fa20fe11484f0a478f3d011cef508a1a49db50dcd +size 6632465 
diff --git a/gnupg-2.2.8.tar.bz2.sig b/gnupg-2.2.8.tar.bz2.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..9647eb57d717fff0700b3ef34679121d323d30e3b67f43e5b0dce857cbed61d8 GIT binary patch literal 310 zcmV-60m=S}0W$;u0SEvc79j-KX(1!T23_i24?49Zn>o@?CF8aQ0$Unh761wf5G0#9 z(oZGhws!{y`UB5HR609$J%amN_3-xi*}e`1ZQ(8(xCwSkZQCBe77nd$NdWAhIg*<9 z{_tC){^?&7q|;zNJEDzpuK!0_?h1z~0`CoKyAgq_Dn%c3a%A{r+auZ5-pS2HJwTiU zTOp2ZQVbNy4}yeZCPTKt@=z2esJ_1owLG<3&8!4UO~EfF?Cw0K(~6zRUd74VPbHf$ z#2Pp21M_JL8rr16P$W^1)akLL-Ri?CYKElY$b}#Z&8gPv4oAV!2yaxW-2&NY<-Ebv zr{7KnjU-H=ETr-=%B{EN5VHUBL41vmmx%3q#oDz-F;p6??MT9X`HQd^ySyz+fN6jm I%)788Dv;cgaR2}S literal 0 HcmV?d00001 diff --git a/gpg2.changes b/gpg2.changes index fbec722..4f5dec8 100644 --- a/gpg2.changes +++ b/gpg2.changes 
@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Fri Jun 8 14:37:06 UTC 2018 - kbabioch@suse.com
+
+- Update to version 2.2.8:
+ * gpg: Decryption of messages not using the MDC mode will now lead to a
+ hard failure even if a legacy cipher algorithm was used. The option
+ --ignore-mdc-error can be used to turn this failure into a warning. Take
+ care: Never use that option unconditionally or without a prior warning.
+ * gpg: The MDC encryption mode is now always used regardless of the
+ cipher algorithm or any preferences. For testing --rfc2440 can be
+ used to create a message without an MDC.
+ * gpg: Sanitize the diagnostic output of the original file name in
+ verbose mode (bsc#1096745, CVE-2018-12020)
+ * gpg: Detect suspicious multiple plaintext packets in a more reliable way.
+ * gpg: Fix the duplicate key signature detection code.
+ * gpg: The options --no-mdc-warn, --force-mdc, --no-force-mdc,
+ --disable-mdc and --no-disable-mdc have no more effect.
+ * agent: Add DBUS_SESSION_BUS_ADDRESS and a few other envvars to the
+ list of startup environment variables.
+- Refresh gnupg-2.0.18-files-are-digests.patch
+ to gnupg-2.2.8-files-are-digests.patch
+
 -------------------------------------------------------------------
 Fri May 4 14:15:27 UTC 2018 - astieger@suse.com
 
diff --git a/gpg2.spec b/gpg2.spec
index 25aeb85..89a86f9 100644
--- a/gpg2.spec
+++ b/gpg2.spec
@@ -17,19 +17,19 @@
 
 
 Name: gpg2
-Version: 2.2.7
+Version: 2.2.8
 Release: 0
 Summary: File encryption, decryption, signature creation and verification utility
-License: GPL-3.0+
+License: GPL-3.0-or-later
 Group: Productivity/Networking/Security
-Url: http://www.gnupg.org/aegypten2/
+URL: https://www.gnupg.org
 Source: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2
 Source2: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
 # https://www.gnupg.org/signature_key.html
 Source3: %{name}.keyring
 Source99: %{name}.changes
 Patch4: gnupg-2.0.9-langinfo.patch
-Patch5: gnupg-2.0.18-files-are-digests.patch
+Patch5: gnupg-2.2.8-files-are-digests.patch
 Patch6: gnupg-dont-fail-with-seahorse-agent.patch
 Patch8: gnupg-set_umask_before_open_outfile.patch
 Patch9: gnupg-detect_FIPS_mode.patch
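Review bot: `Source:` and `Source2:` still name `ftp://ftp.gnupg.org/...` although the `URL:` tag in this same hunk was moved to https, so the tarball and its detached signature are both referenced over a cleartext, unauthenticated transport. Consider `Source: https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2` and the matching `.sig` line for `Source2:`. With the FTP references, the integrity of the 2.2.8 tarball rests entirely on the `.sig` being checked against `%{name}.keyring`. Whether the build actually performs that check is decided in a part of the spec outside this hunk, and it is worth confirming because this update carries the CVE-2018-12020 fix.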