Accepting request 710973 from home:jsikes:branches:Base:System

Finally fixed boo#1137307. Finally! ... Enjoy!

OBS-URL: https://build.opensuse.org/request/show/710973
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=231

gnupg-2.2.16-secmem.patch

@@ -0,0 +1,35 @@
+Index: gnupg-2.2.16/g10/gpg.c
+===================================================================
+--- gnupg-2.2.16.orig/g10/gpg.c
++++ gnupg-2.2.16/g10/gpg.c
+@@ -973,7 +973,7 @@ make_libversion (const char *libname, co
+ 
+   if (maybe_setuid)
+     {
+-      gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++      gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+       maybe_setuid = 0;
+     }
+   s = getfnc (NULL);
+@@ -1125,7 +1125,7 @@ build_list (const char *text, char lette
+   char *string;
+ 
+   if (maybe_setuid)
+-    gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++    gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+ 
+   indent = utf8_charcount (text, -1);
+   len = 0;
+Index: gnupg-2.2.16/sm/gpgsm.c
+===================================================================
+--- gnupg-2.2.16.orig/sm/gpgsm.c
++++ gnupg-2.2.16/sm/gpgsm.c
+@@ -533,7 +533,7 @@ make_libversion (const char *libname, co
+ 
+   if (maybe_setuid)
+     {
+-      gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++      gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+       maybe_setuid = 0;
+     }
+   s = getfnc (NULL);

gpg2.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jun 19 21:02:05 UTC 2019 - Jason Sikes <jsikes@suse.de>
+
+- Fix secure memory being disabled before fips checks in libgcrypt [boo#1137307]
+  * Added gnupg-2.2.16-secmem.patch
+
 -------------------------------------------------------------------
 Thu May 30 08:00:37 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 

gpg2.spec

@@ -36,6 +36,7 @@ Patch6:         gnupg-dont-fail-with-seahorse-agent.patch
 Patch8:         gnupg-set_umask_before_open_outfile.patch
 Patch9:         gnupg-detect_FIPS_mode.patch
 Patch11:        gnupg-add_legacy_FIPS_mode_option.patch
+Patch12:        gnupg-2.2.16-secmem.patch
 BuildRequires:  expect
 BuildRequires:  fdupes
 BuildRequires:  libassuan-devel >= 2.5.0
@@ -87,6 +88,7 @@ gpg2 provides GPGSM, gpg-agent, and a keybox library.
 %patch8 -p1
 %patch9 -p1
 %patch11 -p1
+%patch12 -p1
 touch -d 2018-05-04 doc/gpg.texi # to compensate for patch11 in order to not have man pages and info files have the build date (boo#1047218)
 
 %build