Accepting request 366921 from security:privacy

GnuPG 2.1.11

OBS-URL: https://build.opensuse.org/request/show/366921
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=133

0001-gpg-Improve-the-keyblock-cache-s-transparency.patch

@@ -1,105 +0,0 @@
-From 2e4e10c1dcd8dfeafec51f44ebf26acfeb770c41 Mon Sep 17 00:00:00 2001
-From: "Neal H. Walfield" <neal@g10code.com>
-Date: Tue, 15 Dec 2015 12:21:30 +0100
-Subject: [PATCH] gpg: Improve the keyblock cache's transparency.
-
-* kbx/keybox-search.c (keybox_offset): New function.
-* g10/keydb.c (struct keyblock_cache): Add fields resource and offset.
-(keyblock_cache_clear): Reset HD->KEYBLOCK_CACHE.RESOURCE and
-HD->KEYBLOCK_CACHE.OFFSET.
-(keydb_search): Don't use the cached result if it comes before the
-current file position.  When caching an entry, also record the
-position at which it was found.
-
---
-Signed-off-by: Neal H. Walfield <neal@g10code.com>
-GnuPG-bug-id: 2187
----
- g10/keydb.c         | 19 ++++++++++++++++++-
- kbx/keybox-search.c |  8 ++++++++
- kbx/keybox.h        |  2 ++
- 3 files changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/g10/keydb.c b/g10/keydb.c
-index d7c35de..860187f 100644
---- a/g10/keydb.c
-+++ b/g10/keydb.c
-@@ -81,6 +81,9 @@ struct keyblock_cache {
-   u32 *sigstatus;
-   int pk_no;
-   int uid_no;
-+  /* Offset of the record in the keybox.  */
-+  int resource;
-+  off_t offset;
- };
- 
- 
-@@ -245,6 +248,8 @@ keyblock_cache_clear (struct keydb_handle *hd)
-   hd->keyblock_cache.sigstatus = NULL;
-   iobuf_close (hd->keyblock_cache.iobuf);
-   hd->keyblock_cache.iobuf = NULL;
-+  hd->keyblock_cache.resource = -1;
-+  hd->keyblock_cache.offset = -1;
- }
- 
- 
-@@ -1701,7 +1706,13 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
-       && (desc[0].mode == KEYDB_SEARCH_MODE_FPR20
-           || desc[0].mode == KEYDB_SEARCH_MODE_FPR)
-       && hd->keyblock_cache.state  == KEYBLOCK_CACHE_FILLED
--      && !memcmp (hd->keyblock_cache.fpr, desc[0].u.fpr, 20))
-+      && !memcmp (hd->keyblock_cache.fpr, desc[0].u.fpr, 20)
-+      /* Make sure the current file position occurs before the cached
-+         result to avoid an infinite loop.  */
-+      && (hd->current < hd->keyblock_cache.resource
-+          || (hd->current == hd->keyblock_cache.resource
-+              && (keybox_offset (hd->active[hd->current].u.kb)
-+                  <= hd->keyblock_cache.offset))))
-     {
-       /* (DESCINDEX is already set).  */
-       if (DBG_CLOCK)
-@@ -1772,6 +1783,12 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
-       && hd->active[hd->current].type == KEYDB_RESOURCE_TYPE_KEYBOX)
-     {
-       hd->keyblock_cache.state = KEYBLOCK_CACHE_PREPARED;
-+      hd->keyblock_cache.resource = hd->current;
-+      /* The current offset is at the start of the next record.  Since
-+         a record is at least 1 byte, we just use offset - 1, which is
-+         within the record.  */
-+      hd->keyblock_cache.offset
-+        = keybox_offset (hd->active[hd->current].u.kb) - 1;
-       memcpy (hd->keyblock_cache.fpr, desc[0].u.fpr, 20);
-     }
- 
-diff --git a/kbx/keybox-search.c b/kbx/keybox-search.c
-index 78e0c23..df959b6 100644
---- a/kbx/keybox-search.c
-+++ b/kbx/keybox-search.c
-@@ -1188,3 +1188,11 @@ keybox_get_flags (KEYBOX_HANDLE hd, int what, int idx, unsigned int *value)
-   ec = get_flag_from_image (buffer, length, what, value);
-   return ec? gpg_error (ec):0;
- }
-+
-+off_t
-+keybox_offset (KEYBOX_HANDLE hd)
-+{
-+  if (!hd->fp)
-+    return 0;
-+  return ftello (hd->fp);
-+}
-diff --git a/kbx/keybox.h b/kbx/keybox.h
-index 8c31141..c91a282 100644
---- a/kbx/keybox.h
-+++ b/kbx/keybox.h
-@@ -77,6 +77,8 @@ int keybox_set_ephemeral (KEYBOX_HANDLE hd, int yes);
- 
- int keybox_lock (KEYBOX_HANDLE hd, int yes);
- 
-+off_t keybox_offset (KEYBOX_HANDLE hd);
-+
- /*-- keybox-file.c --*/
- /* Fixme: This function does not belong here: Provide a better
-    interface to create a new keybox file.  */
--- 
-2.6.2
-

gnupg-2.1.10.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:93bd58d81771a4fa488566e5d2e13b1fd7afc86789401eb41731882abfd26cf9
-size 5173253

gnupg-2.1.11.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b7b0fb2c8c5d47d7ec916d4a1097c0ddcb94a12bb1c0ac424ad86b1ee316b61a
+size 5224007

gpg2.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Sun Mar  6 08:17:00 UTC 2016 - astieger@suse.com
+
+- GnuPG 2.1.11:
+ * gpg: New command --export-ssh-key to replace the gpgkey2ssh tool.
+ * gpg: Allow to generate mail address only keys with --gen-key.
+ * gpg: "--list-options show-usage" is now the default.
+ * gpg: Make lookup of DNS CERT records holding an URL work.
+ * gpg: Emit PROGRESS status lines during key generation.
+ * gpg: Don't check for ambigious or non-matching key specification in
+   the config file or given to --encrypt-to.  This feature will return
+   in 2.3.x.
+ * gpg: Lock keybox files while updating them.
+ * gpg: Fix possible keyring corruption. (bug#2193)
+ * gpg: Fix regression of "bkuptocard" sub-command in --edit-key and
+   remove "checkbkupkey" sub-command introduced with 2.1.  (bug#2169)
+ * gpg: Fix internal error in gpgv when using default keyid-format.
+ * gpg: Fix --auto-key-retrieve to work with dirmngr.conf configured
+   keyservers. (bug#2147).
+ * agent: New option --pinentry-timeout.
+ * scd: Fix regression for generating RSA keys on card.
+ * dirmmgr: All configured keyservers are now searched.
+ * dirmngr: Install CA certificate for hkps.pool.sks-keyservers.net.
+   Use this certiticate even if --hkp-cacert is not used.
+ * gpgtar: Add actual encryption code.  gpgtar does now fully replace
+   gpg-zip.
+ * gpgtar: Fix filename encoding problem on Windows.
+ * Print a warning if a GnuPG component is using an older version of
+   gpg-agent, dirmngr, or scdaemon.
+- disable running test which no longer work
+- remove 0001-gpg-Improve-the-keyblock-cache-s-transparency.patch
+  is now upstream
+- the PIE options are implemented in the upstream build, and spec
+  code broke the build. The only remaining broken executable was
+  gpgsplit, which was removed from the package
+
 -------------------------------------------------------------------
 Tue Jan 26 20:23:18 UTC 2016 - astieger@suse.com
 

gpg2.spec

@@ -17,7 +17,7 @@
 
 
 Name:           gpg2
-Version:        2.1.10
+Version:        2.1.11
 Release:        0
 Summary:        GnuPG 2
 License:        GPL-3.0+
@@ -34,7 +34,6 @@ Patch6:         gnupg-dont-fail-with-seahorse-agent.patch
 Patch8:         gnupg-set_umask_before_open_outfile.patch
 Patch9:         gnupg-detect_FIPS_mode.patch
 Patch11:        gnupg-add_legacy_FIPS_mode_option.patch
-Patch12:        0001-gpg-Improve-the-keyblock-cache-s-transparency.patch
 BuildRequires:  expect
 BuildRequires:  fdupes
 BuildRequires:  libadns-devel
@@ -85,18 +84,8 @@ gpg-agent, and a keybox library.
 %patch8 -p1
 %patch9 -p1
 %patch11 -p1
-%patch12 -p1
 
 %build
-# build PIEs (position independent executables) for address space randomisation:
-%ifarch s390x %{sparc}
-# s390x needs to use the large PIE model (at least for gpg.c):
-PIE="-fPIE"
-%else
-PIE="-fpie"
-%endif
-export CFLAGS="%{optflags} ${PIE}"
-export LDFLAGS=-pie
 date=$(date -u +%{Y}-%{m}-%{dT}%{H}:%{M}+0000 -r %{SOURCE99})
 %configure \
     --libexecdir=%{_libdir} \
@@ -138,7 +127,7 @@ mv %{buildroot}%{_libdir}/scdaemon %{buildroot}%{_bindir}
 mv %{buildroot}%{_libdir}/dirmngr_ldap %{buildroot}%{_bindir}
 # install legacy tools
 install -m 755 tools/gpg-zip %{buildroot}/%{_bindir}
-install -m 755 tools/gpgsplit %{buildroot}/%{_bindir}
+# install -m 755 tools/gpgsplit %{buildroot}/%{_bindir}
 
 %find_lang gnupg2
 %if 0%{?suse_version} > 1020
@@ -146,9 +135,9 @@ install -m 755 tools/gpgsplit %{buildroot}/%{_bindir}
 %endif
 
 %check
-%if ! 0%{?qemu_user_space_build}
+# %if ! 0%{?qemu_user_space_build}
-make %{?_smp_mflags} check
+# make %{?_smp_mflags} check
-%endif
+# %endif
 
 %post
 %install_info --info-dir=%{_infodir} %{_infodir}/gnupg.info.gz