From 32812df37db782f09a6356a2924ddbcbcd23d0ef158580c2a61b9d06545cb6c8 Mon Sep 17 00:00:00 2001
From: Andreas Stieger
Date: Tue, 10 Apr 2018 07:10:42 +0000
Subject: [PATCH 1/3] Accepting request 595099 from security:privacy GnuPG 2.2.6
OBS-URL: https://build.opensuse.org/request/show/595099
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=192
---
 gnupg-2.2.5.tar.bz2 | 3 ---
 gnupg-2.2.5.tar.bz2.sig | Bin 620 -> 0 bytes
 gnupg-2.2.6.tar.bz2 | 3 +++
 gnupg-2.2.6.tar.bz2.sig | Bin 0 -> 310 bytes
 gnupg-add_legacy_FIPS_mode_option.patch | 22 +++++++++---------
 gpg2.changes | 29 ++++++++++++++++++++++++
 gpg2.spec | 4 +---
 7 files changed, 44 insertions(+), 17 deletions(-)
 delete mode 100644 gnupg-2.2.5.tar.bz2
 delete mode 100644 gnupg-2.2.5.tar.bz2.sig
 create mode 100644 gnupg-2.2.6.tar.bz2
 create mode 100644 gnupg-2.2.6.tar.bz2.sig
diff --git a/gnupg-2.2.5.tar.bz2 b/gnupg-2.2.5.tar.bz2
deleted file mode 100644
index ccb4d41..0000000
--- a/gnupg-2.2.5.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3fa189a32d4fb62147874eb1389047c267d9ba088f57ab521cb0df46f08aef57
-size 6584756
diff --git a/gnupg-2.2.5.tar.bz2.sig b/gnupg-2.2.5.tar.bz2.sig deleted file mode 100644 index 9c1f226edd63d4eef5c5f6c4a7d9f0178c11d7cbdf32a473aadbaa8803df0754..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 620 zcmV-y0+aoT0W$;u0SEvc79j-KX(1!T23_i24?49Zn>o@?CF8aQ0$PsS5C94Z5G0#9 z(oZGhwwccd|5G{ha*jA4g1utYjiK6r5o zl;UO$&E~~Pti|Vvg%$~|=IFKTgMXxuiWigk)+tBv@e8@0?`4rKNXFYKUAF8tEbKLg zrt3#4^`1I#^YzfICdJqf$F><%pL2uaI`DbTSmZ+R!D-$X_E8bt5`Z1X06G{`Cfwfv ztII>sI^qA3?R&W~yXveN30;FNB+}`|5S_aca-LVZ(K|KIl4@T9=1Q zOk|+2Wy^xn_tn=FPYI9?B?|Ii0JKp*R=4K!A2OQzg|O<_bgTkhLWC|3IFQ51pmC>h zU9-yo!lOmoKg~ET9OgrS{`?E!^u$jq>CZ7qt*GI>Lc>((!ZhZwu3?F*xAHM0VKml) zjkf=#QZqi(R0BpIzwm|SPx}Exd4WsS4O`rm>8j?I+v=RMS6MwY+!**eiEMRsK%w;5 zm-YZA>5tOdFkLhbI5bR3z{7B-kOc8tV8wj>kw5fPo@?CF8aQ0$R(-cK`|r5G0#9 z(oZGhwyN|8|7D=X7TitpC|Bw5C6|-ExW)_D1Em>761Ox^5SNqn0jT;#0o|2mB%^T! z3Y=xnZ^uSU9$F68vb=XiMJOT~3lH!%zCeuZ9##Kp?WcVcn66qnaV0Kip@F2mIeWc? z2A#Bn*!LiT;kpVNvceyZukQe+DLsSr)zums4N5LdyPcN@&`!urKd-Xv*z5u~t}i7r zqU`WuO-Hjm-iM_kc&C8p`4@T%m?jsl@KB0L<8iQewl#4~ZA9o&3Y?nChT3)CHpps( z>SHH=I_i;)yCN=4#I#JpBff(&!{yLiD+ZlPcD I7TM7Q0GoV}j{pDw literal 0 HcmV?d00001 diff --git a/gnupg-add_legacy_FIPS_mode_option.patch b/gnupg-add_legacy_FIPS_mode_option.patch index 01607e7..56d9841 100644 --- a/gnupg-add_legacy_FIPS_mode_option.patch +++ b/gnupg-add_legacy_FIPS_mode_option.patch 
@@ -3,11 +3,11 @@ g10/gpg.c | 9 +++++++++ 2 files changed, 27 insertions(+) -Index: gnupg-2.1.22/doc/gpg.texi +Index: gnupg-2.2.6/doc/gpg.texi =================================================================== ---- gnupg-2.1.22.orig/doc/gpg.texi -+++ gnupg-2.1.22/doc/gpg.texi -@@ -2079,6 +2079,24 @@ implies, this option is for experts only +--- gnupg-2.2.6.orig/doc/gpg.texi 2018-04-10 09:05:55.807324463 +0200 ++++ gnupg-2.2.6/doc/gpg.texi 2018-04-10 09:05:58.627349563 +0200 +@@ -2094,6 +2094,24 @@ implies, this option is for experts only understand the implications of what it allows you to do, leave this off. @option{--no-expert} disables this option. @@ -32,19 +32,19 @@ Index: gnupg-2.1.22/doc/gpg.texi @end table -Index: gnupg-2.1.22/g10/gpg.c +Index: gnupg-2.2.6/g10/gpg.c =================================================================== ---- gnupg-2.1.22.orig/g10/gpg.c -+++ gnupg-2.1.22/g10/gpg.c -@@ -422,6 +422,7 @@ enum cmd_and_opt_values - oDisableSignerUID, +--- gnupg-2.2.6.orig/g10/gpg.c 2018-04-10 09:05:55.807324463 +0200 ++++ gnupg-2.2.6/g10/gpg.c 2018-04-10 09:06:21.583553887 +0200 +@@ -424,6 +424,7 @@ enum cmd_and_opt_values oSender, oKeyOrigin, + oRequestOrigin, + oSetLegacyFips, oNoop }; -@@ -867,6 +868,7 @@ static ARGPARSE_OPTS opts[] = { +@@ -871,6 +872,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"), ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"), ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"), @@ -52,7 +52,7 @@ Index: gnupg-2.1.22/g10/gpg.c ARGPARSE_s_s (oDefaultNewKeyAlgo, "default-new-key-algo", "@"), -@@ -3537,6 +3539,13 @@ main (int argc, char **argv) +@@ -3565,6 +3567,13 @@ main (int argc, char **argv) opt.def_new_key_algo = pargs.r.ret_str; break; diff --git a/gpg2.changes b/gpg2.changes index e9a66c3..52aaa26 100644 --- a/gpg2.changes +++ b/gpg2.changes 
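Review bot: The refreshed inner file headers now carry timestamps (`--- gnupg-2.2.6.orig/doc/gpg.texi 2018-04-10 09:05:55.807324463 +0200`, and the same for `g10/gpg.c`), where the previous revision had bare `---`/`+++` lines. These values change on every refresh, so later version bumps will touch the lines even when the patch content is identical, and real changes to this FIPS-related downstream patch become harder to pick out in review. If the patch is maintained with quilt, as the `Index:` lines suggest, `quilt refresh --no-timestamps` keeps the headers as `--- gnupg-2.2.6.orig/doc/gpg.texi` and `+++ gnupg-2.2.6/doc/gpg.texi`. The other hunks of this file only shift offsets and pick up the new `oRequestOrigin` context line.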
@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Tue Apr 10 06:32:22 UTC 2018 - kbabioch@suse.com
+
+- GnuPG 2.2.6:
+ * gpg,gpgsm: New option --request-origin to pretend requests coming
+ from a browser or a remote site.
+ * gpg: Fix race condition on trustdb.gpg updates due to too early
+ released lock.
+ * gpg: Emit FAILURE status lines in almost all cases.
+ * gpg: Implement --dry-run for --passwd to make checking a key's
+ passphrase straightforward.
+ * gpg: Make sure to only accept a certification capable key for key
+ signatures.
+ * gpg: Better user interaction in --card-edit for the factory-reset
+ sub-command.
+ * gpg: Improve changing key attributes in --card-edit by adding an
+ explicit "key-attr" sub-command.
+ * gpg: Print the keygrips in the --card-status.
+ * scd: Support KDF DO setup.
+ * scd: Fix suspend/resume handling in the CCID driver.
+ * agent: Evict cached passphrases also via a timer.
+ * agent: Use separate passphrase caches depending on the request
+ origin.
+ * ssh: Support signature flags.
+ * dirmngr: Handle failures related to missing IPv6 support
+ gracefully.
+ * Allow the use of UNC directory names as homedir. [#3818]
+- Dropped gnupg-CVE-2018-9234.patch since it is included upstream
+
 -------------------------------------------------------------------
 Thu Apr 5 08:38:58 UTC 2018 - kbabioch@suse.com
diff --git a/gpg2.spec b/gpg2.spec
index 2a62784..68043ee 100644
--- a/gpg2.spec
+++ b/gpg2.spec
@@ -17,7 +17,7 @@ Name: gpg2
-Version: 2.2.5
+Version: 2.2.6
 Release: 0
 Summary: File encryption, decryption, signature creation and verification utility
 License: GPL-3.0+
@@ -34,7 +34,6 @@ Patch6: gnupg-dont-fail-with-seahorse-agent.patch
 Patch8: gnupg-set_umask_before_open_outfile.patch
 Patch9: gnupg-detect_FIPS_mode.patch
 Patch11: gnupg-add_legacy_FIPS_mode_option.patch
-Patch12: gnupg-CVE-2018-9234.patch
 BuildRequires: expect
 BuildRequires: fdupes
 BuildRequires: libassuan-devel >= 2.5.0
@@ -86,7 +85,6 @@ gpg2 provides GPGSM, gpg-agent, and a keybox library.
 %patch8 -p1
 %patch9 -p1
 %patch11 -p1
-%patch12 -p1
 %build
 date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
From 848549204f55dcf002891e7feb2a8fdcbd9d28da753f2c24e6bed95ecec0652b Mon Sep 17 00:00:00 2001
From: Andreas Stieger
Date: Tue, 10 Apr 2018 07:13:37 +0000
Subject: [PATCH 2/3] fix
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=193
---
 gnupg-CVE-2018-9234.patch | 23 -----------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 gnupg-CVE-2018-9234.patch
diff --git a/gnupg-CVE-2018-9234.patch b/gnupg-CVE-2018-9234.patch
deleted file mode 100644
index c3a550f..0000000
--- a/gnupg-CVE-2018-9234.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From: Karol Babioch
-Date: Thu Apr 5 10:32:21 CEST 2018
-Upstream: merged
-References: https://dev.gnupg.org/rGa17d2d1f690ebe5d005b4589a5fe378b6487c657
-References: https://dev.gnupg.org/T3844
-Subject: Fix for bnc#1088255 (CVE-2018-9234)
----
- g10/getkey.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-Index: gnupg-2.2.5/g10/getkey.c
-===================================================================
---- gnupg-2.2.5.orig/g10/getkey.c
-+++ gnupg-2.2.5/g10/getkey.c
-@@ -1810,6 +1810,8 @@ get_pubkey_byfprint (ctrl_t ctrl, PKT_pu
- ctx.items[0].mode = fprint_len == 16 ? KEYDB_SEARCH_MODE_FPR16
- : KEYDB_SEARCH_MODE_FPR20;
- memcpy (ctx.items[0].u.fpr, fprint, fprint_len);
-+ if (pk)
-+ ctx.req_usage = pk->req_usage;
- rc = lookup (ctrl, &ctx, 0, &kb, &found_key);
- if (!rc && pk)
- pk_from_block (pk, kb, found_key);
From dbd0d9985913419b8ba6efa23513757f9096c6c86a266e69fabfbfa9f1e19c12 Mon Sep 17 00:00:00 2001
From: Andreas Stieger
Date: Mon, 16 Apr 2018 18:29:24 +0000
Subject: [PATCH 3/3] refresh signature file
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=194
---
 gnupg-2.2.6.tar.bz2.sig | Bin 310 -> 620 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/gnupg-2.2.6.tar.bz2.sig b/gnupg-2.2.6.tar.bz2.sig index fb7aa866891cd4c377c300116319fccae348c162b461e35f97112d83299880fc..acda3dac5a5fc1558c6454b811e03914d22974e667567ddbeef8acdf1205d5a4 100644 GIT binary patch delta 320 zcmV-G0l)sX0_+5^HUWQ$0W$;u0SEvc79j)!9>P;@SPhP%hNGGr&1i+D6IS9XeVJCNSYh0#?O;&XE z@!HK-dz`yxq_F9iWgfGDj`#d_I+9u7zuF=#*TY{axGF0>!*74#JdD@^KZa-Nsd$lN zk#-(%n?2bh`*vJ3F})CIB|!BU(V>d&Y(;Uv9btT}2&P}dB>)sJ?o4;gl!z8#=N8!L zGIvjFL)@Bc9b9h delta 7 OcmaFEvW;nj86yA;rUH-v