From 4f103a2a39ce7ec863789ccc83f87c0bec32480b72c461f7a7b4fd2c8b47b749 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Thu, 5 Apr 2018 08:51:46 +0000
Subject: [PATCH] Accepting request 593727 from home:kbabioch:branches:Base:System
- Added gnupg-CVE-2018-9234.patch: Enforce that key certification can only be done with the master key, and not a signing subkey. (bnc#1088255 CVE-2018-9234)
OBS-URL: https://build.opensuse.org/request/show/593727
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=190
---
 gnupg-CVE-2018-9234.patch | 23 +++++++++++++++++++++++
 gpg2.changes | 7 +++++++
 gpg2.spec | 2 ++
 3 files changed, 32 insertions(+)
 create mode 100644 gnupg-CVE-2018-9234.patch
diff --git a/gnupg-CVE-2018-9234.patch b/gnupg-CVE-2018-9234.patch
new file mode 100644
index 0000000..c3a550f
--- /dev/null
+++ b/gnupg-CVE-2018-9234.patch
@@ -0,0 +1,23 @@
+From: Karol Babioch
+Date: Thu Apr 5 10:32:21 CEST 2018
+Upstream: merged
+References: https://dev.gnupg.org/rGa17d2d1f690ebe5d005b4589a5fe378b6487c657
+References: https://dev.gnupg.org/T3844
+Subject: Fix for bnc#1088255 (CVE-2018-9234)
+---
+ g10/getkey.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: gnupg-2.2.5/g10/getkey.c
+===================================================================
+--- gnupg-2.2.5.orig/g10/getkey.c
++++ gnupg-2.2.5/g10/getkey.c
+@@ -1810,6 +1810,8 @@ get_pubkey_byfprint (ctrl_t ctrl, PKT_pu
+ ctx.items[0].mode = fprint_len == 16 ? KEYDB_SEARCH_MODE_FPR16
+ : KEYDB_SEARCH_MODE_FPR20;
+ memcpy (ctx.items[0].u.fpr, fprint, fprint_len);
++ if (pk)
++ ctx.req_usage = pk->req_usage;
+ rc = lookup (ctrl, &ctx, 0, &kb, &found_key);
+ if (!rc && pk)
+ pk_from_block (pk, kb, found_key);
diff --git a/gpg2.changes b/gpg2.changes
index c9cab4b..e9a66c3 100644
--- a/gpg2.changes
+++ b/gpg2.changes
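Review bot: The two lines added to get_pubkey_byfprint in gnupg-CVE-2018-9234.patch are the whole of the CVE fix, yet they carry no comment. The usage filter is also only set when the caller passes a non-NULL `pk`, and presumably only takes effect if the caller filled in `pk->req_usage` beforehand. I would state that contract at the assignment, e.g. `/* Pass the caller's requested usage to lookup() so a subkey lacking that capability is not returned (CVE-2018-9234). */`. Whether other by-fingerprint lookups in getkey.c need the same propagation cannot be judged from this hunk, since the function's body starts and ends outside it. The commit also adds no regression check that certification is refused when only a signing subkey is available.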
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Apr 5 08:38:58 UTC 2018 - kbabioch@suse.com
+
+- Added gnupg-CVE-2018-9234.patch: Enforce that key certification
+ can only be done with the master key, and not a signing subkey.
+ (bnc#1088255 CVE-2018-9234)
+
 -------------------------------------------------------------------
 Sun Feb 25 12:14:54 UTC 2018 - astieger@suse.com
diff --git a/gpg2.spec b/gpg2.spec
index 3147026..2a62784 100644
--- a/gpg2.spec
+++ b/gpg2.spec
@@ -34,6 +34,7 @@ Patch6: gnupg-dont-fail-with-seahorse-agent.patch
 Patch8: gnupg-set_umask_before_open_outfile.patch
 Patch9: gnupg-detect_FIPS_mode.patch
 Patch11: gnupg-add_legacy_FIPS_mode_option.patch
+Patch12: gnupg-CVE-2018-9234.patch
 BuildRequires: expect
 BuildRequires: fdupes
 BuildRequires: libassuan-devel >= 2.5.0
@@ -85,6 +86,7 @@ gpg2 provides GPGSM, gpg-agent, and a keybox library.
 %patch8 -p1
 %patch9 -p1
 %patch11 -p1
+%patch12 -p1
 %build
 date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})