From d539c287c52c6bda5fb1e3ac20de9ac3f5cda52e40c243764af548c2cabbf7ce Mon Sep 17 00:00:00 2001 
From: Pedro Monreal Gonzalez Date: Thu, 28 Nov 2019 11:22:11 +0000 Subject: [PATCH] Accepting request 751408 from home:pmonrealgonzalez:branches:Base:System - Update to 2.2.18 [bsc#1157900, CVE-2019-14855] * gpg: Changed the way keys are detected on smartcards; this allows the use of non-OpenPGP cards. In the case of a not very likely regression the new option --use-only-openpgp-card is available. [#4681] * gpg: The commands --full-gen-key and --quick-gen-key now allow direct key generation from supported cards. [#4681] * gpg: Prepare against chosen-prefix SHA-1 collisions in key signatures. This change removes all SHA-1 based key signatures newer than 2019-01-19 from the web-of-trust. Note that this includes all key signatures created with dsa1024 keys. The new option --allow-weak-key-signatures can be used to override the new and safer behaviour. [#4755,CVE-2019-14855] * gpg: Improve performance for import of large keyblocks. [#4592] * gpg: Implement a keybox compression run. [#4644] * gpg: Show warnings from dirmngr about redirect and certificate problems (details require --verbose as usual). * gpg: Allow to pass the empty string for the passphrase if the '--passphrase=' syntax is used. [#4633] * gpg: Fix printing of the KDF object attributes. * gpg: Avoid surprises with --locate-external-key and certain --auto-key-locate settings. [#4662] * gpg: Improve selection of best matching key. [#4713] * gpg: Delete key binding signature when deleting a subkey. [#4665,#4457] * gpg: Fix a potential loss of key signatures during import with self-sigs-only active. [#4628] * gpg: Silence "marked as ultimately trusted" diagnostics if option --quiet is used.
[#4634] * gpg: Silence some diagnostics during in key listsing even with
OBS-URL: https://build.opensuse.org/request/show/751408
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=237
---
 gnupg-2.2.17.tar.bz2 | 3 --
 gnupg-2.2.17.tar.bz2.sig | Bin 310 -> 0 bytes
 gnupg-2.2.18.tar.bz2 | 3 ++
 gnupg-2.2.18.tar.bz2.sig | Bin 0 -> 310 bytes
 gnupg-2.2.8-files-are-digests.patch | 46 +++++++++++-----------
 gnupg-add_legacy_FIPS_mode_option.patch | 22 +++++------
 gpg2.changes | 50 ++++++++++++++++++++++++
 gpg2.spec | 4 +-
 8 files changed, 89 insertions(+), 39 deletions(-)
 delete mode 100644 gnupg-2.2.17.tar.bz2
 delete mode 100644 gnupg-2.2.17.tar.bz2.sig
 create mode 100644 gnupg-2.2.18.tar.bz2
 create mode 100644 gnupg-2.2.18.tar.bz2.sig
diff --git a/gnupg-2.2.17.tar.bz2 b/gnupg-2.2.17.tar.bz2
deleted file mode 100644
index a2bd98e..0000000
--- a/gnupg-2.2.17.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:afa262868e39b651a2db4c071fba90415154243e83a830ca00516f9a807fd514
-size 6717554
diff --git a/gnupg-2.2.17.tar.bz2.sig b/gnupg-2.2.17.tar.bz2.sig
deleted file mode 100644
index cb5b7fe8dc9d9bd58d3a8079228a1ce53e76e78cbbb3121ded1f45b1a05e0abe..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch
literal 0 HcmV?d00001 literal 310 zcmV-60m=S}0W$;u0SEvc79j-KX(1!T23_i24?49Zn>o@?CF8aQ0$n7g)&L3#5G0#9 z(oZGhwqDT({xQ;nm$8B{pIQIqzkm7Ka-bw=d`7g>i;HB`h!gmJOVB=`!o@?CF8aQ0$toY@Bj)45G0#9 z(oZGhw#T6d|6ZDxW+zfM44*2;zS4GkpgR%gO<>}{|pIPb}TYM@cwrsN9J0# z#bI=`yd0$1=@xn3*uD0$(oTaWLG@OJVBxk!$YuQ=AeF*(9Z!v%8au8zpnFH#tsD60 IK!^*Dq2W@R1ONa4 literal 0 HcmV?d00001
diff --git a/gnupg-2.2.8-files-are-digests.patch b/gnupg-2.2.8-files-are-digests.patch
index 6de374e..110ad63 100644
--- a/gnupg-2.2.8-files-are-digests.patch
+++ b/gnupg-2.2.8-files-are-digests.patch
@@ -4,11 +4,11 @@
 g10/sign.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
 3 files changed, 67 insertions(+), 6 deletions(-)
-Index: gnupg-2.2.8/g10/gpg.c
+Index: gnupg-2.2.18/g10/gpg.c
 ===================================================================
---- gnupg-2.2.8.orig/g10/gpg.c 2018-06-06 11:59:06.000000000 +0200
-+++ gnupg-2.2.8/g10/gpg.c 2018-06-08 16:34:33.287514003 +0200
-@@ -376,6 +376,7 @@ enum cmd_and_opt_values
+--- gnupg-2.2.18.orig/g10/gpg.c
++++ gnupg-2.2.18/g10/gpg.c
+@@ -378,6 +378,7 @@ enum cmd_and_opt_values
 oTTYtype,
 oLCctype,
 oLCmessages,
@@ -16,7 +16,7 @@ Index: gnupg-2.2.8/g10/gpg.c
 oXauthority,
 oGroup,
 oUnGroup,
-@@ -824,6 +825,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -830,6 +831,7 @@ static ARGPARSE_OPTS opts[] = {
 ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
 ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
 ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
@@ -24,7 +24,7 @@ Index: gnupg-2.2.8/g10/gpg.c
 /* Aliases. I constantly mistype these, and assume other people do
 as well. */
-@@ -2392,6 +2394,7 @@ main (int argc, char **argv)
+@@ -2412,6 +2414,7 @@ main (int argc, char **argv)
 opt.def_cert_expire = "0";
 gnupg_set_homedir (NULL);
 opt.passphrase_repeat = 1;
@@ -32,7 +32,7 @@ Index: gnupg-2.2.8/g10/gpg.c
 opt.emit_version = 0;
 opt.weak_digests = NULL;
-@@ -2963,6 +2966,7 @@ main (int argc, char **argv)
+@@ -2988,6 +2991,7 @@ main (int argc, char **argv)
 opt.verify_options&=~VERIFY_SHOW_PHOTOS;
 break;
 case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
@@ -40,10 +40,10 @@ Index: gnupg-2.2.8/g10/gpg.c
 case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
-Index: gnupg-2.2.8/g10/options.h
+Index: gnupg-2.2.18/g10/options.h
 ===================================================================
---- gnupg-2.2.8.orig/g10/options.h 2018-05-31 12:03:06.000000000 +0200
-+++ gnupg-2.2.8/g10/options.h 2018-06-08 16:34:33.287514003 +0200
+--- gnupg-2.2.18.orig/g10/options.h
++++ gnupg-2.2.18/g10/options.h
@@ -210,6 +210,7 @@ struct
 int no_auto_check_trustdb;
 int preserve_permissions;
@@ -52,10 +52,10 @@ Index: gnupg-2.2.8/g10/options.h
 struct groupitem *grouplist;
 int mangle_dos_filenames;
 int enable_progress_filter;
-Index: gnupg-2.2.8/g10/sign.c
+Index: gnupg-2.2.18/g10/sign.c
 ===================================================================
---- gnupg-2.2.8.orig/g10/sign.c 2017-08-28 12:22:54.000000000 +0200
-+++ gnupg-2.2.8/g10/sign.c 2018-06-08 16:34:33.287514003 +0200
+--- gnupg-2.2.18.orig/g10/sign.c
++++ gnupg-2.2.18/g10/sign.c
 @@ -43,6 +43,8 @@
 #include "../common/mbox-util.h"
 #include "../common/compliance.h"
@@ -65,7 +65,7 @@ Index: gnupg-2.2.8/g10/sign.c
 #ifdef HAVE_DOSISH_SYSTEM
 #define LF "\r\n"
 #else
-@@ -727,6 +729,8 @@ write_signature_packets (ctrl_t ctrl,
+@@ -749,6 +751,8 @@ write_signature_packets (ctrl_t ctrl,
 if (duration || opt.sig_policy_url
 || opt.sig_notations || opt.sig_keyserver_url)
 sig->version = 4;
@@ -74,7 +74,7 @@ Index: gnupg-2.2.8/g10/sign.c
 else
 sig->version = pk->version;
-@@ -750,8 +754,12 @@ write_signature_packets (ctrl_t ctrl,
+@@ -772,8 +776,12 @@ write_signature_packets (ctrl_t ctrl,
 mk_notation_policy_etc (sig, NULL, pk);
 }
@@ -85,9 +85,9 @@ Index: gnupg-2.2.8/g10/sign.c
 + log_bug("files-are-digests doesn't work with v4 sigs\n");
 + }
- rc = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce);
+ rc = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
 gcry_md_close (md);
-@@ -813,6 +821,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -835,6 +843,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
 SK_LIST sk_rover = NULL;
 int multifile = 0;
 u32 duration=0;
@@ -96,7 +96,7 @@ Index: gnupg-2.2.8/g10/sign.c
 pfx = new_progress_context ();
 afx = new_armor_context ();
-@@ -830,7 +840,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -852,7 +862,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
 fname = NULL;
 if( fname && filenames->next && (!detached || encryptflag) )
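Review bot: The rebased hunk still carries `+ log_bug("files-are-digests doesn't work with v4 sigs\n");`, and log_bug is GnuPG's abort path for internal errors, whereas the context at `-@@ -727,6 +729,8 @@` shows sig->version = 4 being selected by ordinary settings (a signature expiration via duration, --sig-policy-url, notations or a keyserver URL), so a user combining those with files-are-digests would crash gpg instead of getting an error. Since this commit already edits the line right below it for the new do_sign() signature (`cache_nonce, 0`), it is the natural place to downgrade the abort: `log_error ("files-are-digests doesn't work with v4 sigs\n");` and `rc = gpg_error (GPG_ERR_CONFLICT);` before skipping the do_sign call, using whatever cleanup path write_signature_packets already has. write_signature_packets starts and ends outside this hunk, so the exact return path has to be checked in the patched g10/sign.c rather than inferred from the rebase.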
@@ -114,7 +114,7 @@ Index: gnupg-2.2.8/g10/sign.c
 if(encryptflag==2 && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
-@@ -851,7 +870,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -873,7 +892,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
 goto leave;
 /* prepare iobufs */
@@ -123,7 +123,7 @@ Index: gnupg-2.2.8/g10/sign.c
 inp = NULL; /* we do it later */
 else {
 inp = iobuf_open(fname);
-@@ -989,7 +1008,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1011,7 +1030,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
 for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
 gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
@@ -132,7 +132,7 @@ Index: gnupg-2.2.8/g10/sign.c
 iobuf_push_filter( inp, md_filter, &mfx );
 if( detached && !encryptflag)
-@@ -1044,6 +1063,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1066,6 +1085,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
 write_status_begin_signing (mfx.md);
@@ -141,7 +141,7 @@ Index: gnupg-2.2.8/g10/sign.c
 /* Setup the inner packet. */
 if( detached ) {
 if( multifile ) {
-@@ -1084,6 +1105,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1106,6 +1127,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
 if( opt.verbose )
 log_printf ("\n");
 }
@@ -187,7 +187,7 @@ Index: gnupg-2.2.8/g10/sign.c
 else {
 /* read, so that the filter can calculate the digest */
 while( iobuf_get(inp) != -1 )
-@@ -1102,8 +1162,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1124,8 +1184,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
 /* write the signatures */
 rc = write_signature_packets (ctrl, sk_list, out, mfx.md,
diff --git a/gnupg-add_legacy_FIPS_mode_option.patch b/gnupg-add_legacy_FIPS_mode_option.patch
index 0a89bec..6fe53e2 100644
--- a/gnupg-add_legacy_FIPS_mode_option.patch
+++ b/gnupg-add_legacy_FIPS_mode_option.patch
@@ -3,11 +3,11 @@
 g10/gpg.c | 9 +++++++++
 2 files changed, 27 insertions(+)
-Index: gnupg-2.2.7/doc/gpg.texi
+Index: gnupg-2.2.18/doc/gpg.texi
 ===================================================================
---- gnupg-2.2.7.orig/doc/gpg.texi 2018-05-04 16:14:30.949580264 +0200
-+++ gnupg-2.2.7/doc/gpg.texi 2018-05-04 16:14:34.025609243 +0200
-@@ -2097,6 +2097,24 @@ implies, this option is for experts only
+--- gnupg-2.2.18.orig/doc/gpg.texi
++++ gnupg-2.2.18/doc/gpg.texi
+@@ -2115,6 +2115,24 @@ implies, this option is for experts only
 understand the implications of what it allows you to do, leave this
 off. @option{--no-expert} disables this option.
@@ -32,19 +32,19 @@ Index: gnupg-2.2.7/doc/gpg.texi
 @end table
-Index: gnupg-2.2.7/g10/gpg.c
+Index: gnupg-2.2.18/g10/gpg.c
 ===================================================================
---- gnupg-2.2.7.orig/g10/gpg.c 2018-05-04 16:14:30.949580264 +0200
-+++ gnupg-2.2.7/g10/gpg.c 2018-05-04 16:15:00.441858109 +0200
+--- gnupg-2.2.18.orig/g10/gpg.c
++++ gnupg-2.2.18/g10/gpg.c
 @@ -425,6 +425,7 @@ enum cmd_and_opt_values
- oKeyOrigin,
 oRequestOrigin,
 oNoSymkeyCache,
+ oUseOnlyOpenPGPCard,
 + oSetLegacyFips,
 oNoop
 };
-@@ -872,6 +873,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -870,6 +871,7 @@ static ARGPARSE_OPTS opts[] = {
 ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"),
 ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
 ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
@@ -52,8 +52,8 @@ Index: gnupg-2.2.7/g10/gpg.c
 ARGPARSE_s_s (oDefaultNewKeyAlgo, "default-new-key-algo", "@"),
-@@ -3568,6 +3570,13 @@ main (int argc, char **argv)
- opt.def_new_key_algo = pargs.r.ret_str;
+@@ -3600,6 +3602,13 @@ main (int argc, char **argv)
+ opt.flags.use_only_openpgp_card = 1;
 break;
 + case oSetLegacyFips:
diff --git a/gpg2.changes b/gpg2.changes
index 14c8e3e..e0d0aee 100644
--- a/gpg2.changes
+++ b/gpg2.changes
@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Wed Nov 27 15:42:22 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 2.2.18 [bsc#1157900, CVE-2019-14855]
+ * gpg: Changed the way keys are detected on a smartcards; this
+ allows the use of non-OpenPGP cards. In the case of a not very
+ likely regression the new option --use-only-openpgp-card is
+ available. [#4681]
+ * gpg: The commands --full-gen-key and --quick-gen-key now allow
+ direct key generation from supported cards. [#4681]
+ * gpg: Prepare against chosen-prefix SHA-1 collisions in key
+ signatures. This change removes all SHA-1 based key signature
+ newer than 2019-01-19 from the web-of-trust. Note that this
+ includes all key signature created with dsa1024 keys. The new
+ option --allow-weak-key-signatues can be used to override the new
+ and safer behaviour. [#4755,CVE-2019-14855]
+ * gpg: Improve performance for import of large keyblocks. [#4592]
+ * gpg: Implement a keybox compression run. [#4644]
+ * gpg: Show warnings from dirmngr about redirect and certificate
+ problems (details require --verbose as usual).
+ * gpg: Allow to pass the empty string for the passphrase if the
+ '--passphase=' syntax is used. [#4633]
+ * gpg: Fix printing of the KDF object attributes.
+ * gpg: Avoid surprises with --locate-external-key and certain
+ --auto-key-locate settings. [#4662]
+ * gpg: Improve selection of best matching key. [#4713]
+ * gpg: Delete key binding signature when deletring a subkey.
+ [#4665,#4457]
+ * gpg: Fix a potential loss of key sigantures during import with
+ self-sigs-only active. [#4628]
+ * gpg: Silence "marked as ultimately trusted" diagnostics if
+ option --quiet is used. [#4634]
+ * gpg: Silence some diagnostics during in key listsing even with
+ option --verbose. [#4627]
+ * gpg, gpgsm: Change parsing of agent's pkdecrypt results. [#4652]
+ * gpgsm: Support AES-256 keys.
+ * gpgsm: Fix a bug in triggering a keybox compression run if
+ --faked-system-time is used.
+ * dirmngr: System CA certificates are no longer used for the SKS
+ pool if GNUTLS instead of NTBTLS is used as TLS library. [#4594]
+ * dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces
+ to avoid long timeouts. [#4165]
+ * scd: Fix BWI value for APDU level transfers to make Gemalto Ezio
+ Shield and Trustica Cryptoucan work. [#4654,#4566]
+ * wkd: gpg-wks-client --install-key now installs the required policy
+ file.
+- Rebase patches:
+ * gnupg-2.2.8-files-are-digests.patch
+ * gnupg-add_legacy_FIPS_mode_option.patch
+
 -------------------------------------------------------------------
 Thu Sep 19 12:05:13 UTC 2019 - Ludwig Nussel
diff --git a/gpg2.spec b/gpg2.spec
index ab707ce..54f76da 100644
--- a/gpg2.spec
+++ b/gpg2.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package gpg2
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@ Name: gpg2
-Version: 2.2.17
+Version: 2.2.18
 Release: 0
 Summary: File encryption, decryption, signature creation and verification utility
 License: GPL-3.0-or-later