pool/gpg2
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 199274 from home:vitezslav_cizek:branches:Base:System

Browse Source 
- fix CVE-2013-4351 (bnc#840510)

OBS-URL: https://build.opensuse.org/request/show/199274
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=63
This commit is contained in:
Stephan Kulow 2013-09-16 17:37:29 +00:00 committed by Git OBS Bridge
parent ccf09f118d
commit 9c07c5a07b
3 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
gpg2-CVE-2013-4351.patch Normal file
View File

@ -0,0 +1,60 @@
commit 8f8f3984e82a025cf1384132a419f67f39c7e07d
Author: Werner Koch <wk <at> gnupg.org>
Date: Fri Mar 15 15:46:03 2013 +0100
gpg: Distinguish between missing and cleared key flags.
* include/cipher.h (PUBKEY_USAGE_NONE): New.
* g10/getkey.c (parse_key_usage): Set new flag.
--
We do not want to use the default capabilities (derived from the
algorithm) if any key flags are given in a signature. Thus if key
flags are used in any way, the default key capabilities are never
used.
This allows to create a key with key flags set to all zero so it can't
be used. This better reflects common sense.
Modified g10/getkey.c
Index: gnupg-2.0.9/g10/getkey.c
===================================================================
--- gnupg-2.0.9.orig/g10/getkey.c 2013-09-16 16:51:02.752624501 +0200
+++ gnupg-2.0.9/g10/getkey.c 2013-09-16 16:54:20.955952692 +0200
@@ -1457,13 +1457,19 @@ parse_key_usage(PKT_signature *sig)
if(flags)
key_usage |= PUBKEY_USAGE_UNKNOWN;
+
+ if (!key_usage)
+ key_usage |= PUBKEY_USAGE_NONE;
}
+ else if (p) /* Key flags of length zero. */
+ key_usage |= PUBKEY_USAGE_NONE;
/* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
capability that we do not handle. This serves to distinguish
between a zero key usage which we handle as the default
capabilities for that algorithm, and a usage that we do not
- handle. */
+ handle. Likewise we use PUBKEY_USAGE_NONE to indicate that
+ key_flags have been given but they do not specify any usage. */
return key_usage;
}
Index: gnupg-2.0.9/include/cipher.h
===================================================================
--- gnupg-2.0.9.orig/include/cipher.h 2013-09-16 16:51:02.752624501 +0200
+++ gnupg-2.0.9/include/cipher.h 2013-09-16 16:56:27.028429026 +0200
@@ -62,6 +62,11 @@
#define PUBKEY_USAGE_CERT GCRY_PK_USAGE_CERT /* Also good to certify keys. */
#define PUBKEY_USAGE_AUTH GCRY_PK_USAGE_AUTH /* Good for authentication. */
#define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN /* Unknown usage flag. */
+#define PUBKEY_USAGE_NONE 256 /* No usage given. */
+#if (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \
+ | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256
+# error Please choose another value for PUBKEY_USAGE_NONE
+#endif
#define DIGEST_ALGO_MD5 /* 1 */ GCRY_MD_MD5
#define DIGEST_ALGO_SHA1 /* 2 */ GCRY_MD_SHA1

5
gpg2.changes
View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Mon Sep 16 11:08:55 UTC 2013 - vcizek@suse.com
- fix CVE-2013-4351 (bnc#840510)
-------------------------------------------------------------------
Mon Aug 19 17:59:48 UTC 2013 - andreas.stieger@gmx.de

2
gpg2.spec
View File

@ -64,6 +64,7 @@ Patch8: gnupg-set_umask_before_open_outfile.patch
Patch9: gnupg-detect_FIPS_mode.patch
# PATCH-FIX-OPENSUSE coolo@suse.de -- automake 1.13 already includes $SHELL
Patch10: gnupg-2.0.20-automake113.diff
Patch11: gpg2-CVE-2013-4351.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -83,6 +84,7 @@ gpg-agent, and a keybox library.
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%build
autoreconf -fi