Accepting request 751408 from home:pmonrealgonzalez:branches:Base:System

- Update to 2.2.18 [bsc#1157900, CVE-2019-14855] * gpg: Changed the way keys are detected on a smartcards; this allows the use of non-OpenPGP cards. In the case of a not very likely regression the new option --use-only-openpgp-card is available. [#4681] * gpg: The commands --full-gen-key and --quick-gen-key now allow direct key generation from supported cards. [#4681] * gpg: Prepare against chosen-prefix SHA-1 collisions in key signatures. This change removes all SHA-1 based key signature newer than 2019-01-19 from the web-of-trust. Note that this includes all key signature created with dsa1024 keys. The new option --allow-weak-key-signatues can be used to override the new and safer behaviour. [#4755,CVE-2019-14855] * gpg: Improve performance for import of large keyblocks. [#4592] * gpg: Implement a keybox compression run. [#4644] * gpg: Show warnings from dirmngr about redirect and certificate problems (details require --verbose as usual). * gpg: Allow to pass the empty string for the passphrase if the '--passphase=' syntax is used. [#4633] * gpg: Fix printing of the KDF object attributes. * gpg: Avoid surprises with --locate-external-key and certain --auto-key-locate settings. [#4662] * gpg: Improve selection of best matching key. [#4713] * gpg: Delete key binding signature when deletring a subkey. [#4665,#4457] * gpg: Fix a potential loss of key sigantures during import with self-sigs-only active. [#4628] * gpg: Silence "marked as ultimately trusted" diagnostics if option --quiet is used. [#4634] * gpg: Silence some diagnostics during in key listsing even with OBS-URL: https://build.opensuse.org/request/show/751408 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=237
2019-11-28 11:22:11 +00:00 · 2019-11-28 11:22:11 +00:00 · d539c287c5
commit d539c287c5
parent 9fd70b3f74
8 changed files with 89 additions and 39 deletions
--- a/gnupg-2.2.17.tar.bz2
+++ b/gnupg-2.2.17.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:afa262868e39b651a2db4c071fba90415154243e83a830ca00516f9a807fd514
-size 6717554
--- a/gnupg-2.2.17.tar.bz2.sig
+++ b/gnupg-2.2.17.tar.bz2.sig
--- a/gnupg-2.2.18.tar.bz2
+++ b/gnupg-2.2.18.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:30d37ce2ca55b2b9b61480b2a175a3b22066ab41cd3f84688448919b566dec0a
+size 6740621
--- a/gnupg-2.2.18.tar.bz2.sig
+++ b/gnupg-2.2.18.tar.bz2.sig
--- a/gnupg-2.2.8-files-are-digests.patch
+++ b/gnupg-2.2.8-files-are-digests.patch
@ -4,11 +4,11 @@
 g10/sign.c    |   68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
 3 files changed, 67 insertions(+), 6 deletions(-)

-Index: gnupg-2.2.8/g10/gpg.c
+Index: gnupg-2.2.18/g10/gpg.c
 ===================================================================
--- gnupg-2.2.8.orig/g10/gpg.c	2018-06-06 11:59:06.000000000 +0200
-+++ gnupg-2.2.8/g10/gpg.c	2018-06-08 16:34:33.287514003 +0200
-@@ -376,6 +376,7 @@ enum cmd_and_opt_values
+--- gnupg-2.2.18.orig/g10/gpg.c
+++ gnupg-2.2.18/g10/gpg.c
+@@ -378,6 +378,7 @@ enum cmd_and_opt_values
     oTTYtype,
     oLCctype,
     oLCmessages,
@ -16,7 +16,7 @@ Index: gnupg-2.2.8/g10/gpg.c
     oXauthority,
     oGroup,
     oUnGroup,
-@@ -824,6 +825,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -830,6 +831,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
   ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
   ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
@ -24,7 +24,7 @@ Index: gnupg-2.2.8/g10/gpg.c
 
   /* Aliases.  I constantly mistype these, and assume other people do
      as well. */
-@@ -2392,6 +2394,7 @@ main (int argc, char **argv)
+@@ -2412,6 +2414,7 @@ main (int argc, char **argv)
     opt.def_cert_expire = "0";
     gnupg_set_homedir (NULL);
     opt.passphrase_repeat = 1;
@ -32,7 +32,7 @@ Index: gnupg-2.2.8/g10/gpg.c
     opt.emit_version = 0;
     opt.weak_digests = NULL;
 
-@@ -2963,6 +2966,7 @@ main (int argc, char **argv)
+@@ -2988,6 +2991,7 @@ main (int argc, char **argv)
 	    opt.verify_options&=~VERIFY_SHOW_PHOTOS;
 	    break;
 	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
@ -40,10 +40,10 @@ Index: gnupg-2.2.8/g10/gpg.c
 
           case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
 
-Index: gnupg-2.2.8/g10/options.h
+Index: gnupg-2.2.18/g10/options.h
 ===================================================================
--- gnupg-2.2.8.orig/g10/options.h	2018-05-31 12:03:06.000000000 +0200
-+++ gnupg-2.2.8/g10/options.h	2018-06-08 16:34:33.287514003 +0200
+--- gnupg-2.2.18.orig/g10/options.h
+++ gnupg-2.2.18/g10/options.h
@@ -210,6 +210,7 @@ struct
   int no_auto_check_trustdb;
   int preserve_permissions;
@ -52,10 +52,10 @@ Index: gnupg-2.2.8/g10/options.h
   struct groupitem *grouplist;
   int mangle_dos_filenames;
   int enable_progress_filter;
-Index: gnupg-2.2.8/g10/sign.c
+Index: gnupg-2.2.18/g10/sign.c
 ===================================================================
--- gnupg-2.2.8.orig/g10/sign.c	2017-08-28 12:22:54.000000000 +0200
-+++ gnupg-2.2.8/g10/sign.c	2018-06-08 16:34:33.287514003 +0200
+--- gnupg-2.2.18.orig/g10/sign.c
+++ gnupg-2.2.18/g10/sign.c
@@ -43,6 +43,8 @@
 #include "../common/mbox-util.h"
 #include "../common/compliance.h"
@ -65,7 +65,7 @@ Index: gnupg-2.2.8/g10/sign.c
 #ifdef HAVE_DOSISH_SYSTEM
 #define LF "\r\n"
 #else
-@@ -727,6 +729,8 @@ write_signature_packets (ctrl_t ctrl,
+@@ -749,6 +751,8 @@ write_signature_packets (ctrl_t ctrl,
       if (duration || opt.sig_policy_url
           || opt.sig_notations || opt.sig_keyserver_url)
         sig->version = 4;
@ -74,7 +74,7 @@ Index: gnupg-2.2.8/g10/sign.c
       else
         sig->version = pk->version;
 
-@@ -750,8 +754,12 @@ write_signature_packets (ctrl_t ctrl,
+@@ -772,8 +776,12 @@ write_signature_packets (ctrl_t ctrl,
           mk_notation_policy_etc (sig, NULL, pk);
         }
 
@ -85,9 +85,9 @@ Index: gnupg-2.2.8/g10/sign.c
 +          log_bug("files-are-digests doesn't work with v4 sigs\n");
 +      }
 
-       rc = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce);
+       rc = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
       gcry_md_close (md);
-@@ -813,6 +821,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -835,6 +843,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
     SK_LIST sk_rover = NULL;
     int multifile = 0;
     u32 duration=0;
@ -96,7 +96,7 @@ Index: gnupg-2.2.8/g10/sign.c
 
     pfx = new_progress_context ();
     afx = new_armor_context ();
-@@ -830,7 +840,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -852,7 +862,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
 	fname = NULL;
 
     if( fname && filenames->next && (!detached || encryptflag) )
@ -114,7 +114,7 @@ Index: gnupg-2.2.8/g10/sign.c
 
     if(encryptflag==2
        && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
-@@ -851,7 +870,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -873,7 +892,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
       goto leave;
 
     /* prepare iobufs */
@ -123,7 +123,7 @@ Index: gnupg-2.2.8/g10/sign.c
 	inp = NULL; /* we do it later */
     else {
       inp = iobuf_open(fname);
-@@ -989,7 +1008,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1011,7 +1030,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
     for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
       gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
 
@ -132,7 +132,7 @@ Index: gnupg-2.2.8/g10/sign.c
 	iobuf_push_filter( inp, md_filter, &mfx );
 
     if( detached && !encryptflag)
-@@ -1044,6 +1063,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1066,6 +1085,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
 
     write_status_begin_signing (mfx.md);
 
@ -141,7 +141,7 @@ Index: gnupg-2.2.8/g10/sign.c
     /* Setup the inner packet. */
     if( detached ) {
 	if( multifile ) {
-@@ -1084,6 +1105,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1106,6 +1127,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
 	    if( opt.verbose )
               log_printf ("\n");
 	}
@ -187,7 +187,7 @@ Index: gnupg-2.2.8/g10/sign.c
 	else {
 	    /* read, so that the filter can calculate the digest */
 	    while( iobuf_get(inp) != -1 )
-@@ -1102,8 +1162,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1124,8 +1184,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
 
     /* write the signatures */
     rc = write_signature_packets (ctrl, sk_list, out, mfx.md,
--- a/gnupg-add_legacy_FIPS_mode_option.patch
+++ b/gnupg-add_legacy_FIPS_mode_option.patch
@ -3,11 +3,11 @@
 g10/gpg.c    |    9 +++++++++
 2 files changed, 27 insertions(+)

-Index: gnupg-2.2.7/doc/gpg.texi
+Index: gnupg-2.2.18/doc/gpg.texi
 ===================================================================
--- gnupg-2.2.7.orig/doc/gpg.texi	2018-05-04 16:14:30.949580264 +0200
-+++ gnupg-2.2.7/doc/gpg.texi	2018-05-04 16:14:34.025609243 +0200
-@@ -2097,6 +2097,24 @@ implies, this option is for experts only
+--- gnupg-2.2.18.orig/doc/gpg.texi
+++ gnupg-2.2.18/doc/gpg.texi
+@@ -2115,6 +2115,24 @@ implies, this option is for experts only
 understand the implications of what it allows you to do, leave this
 off. @option{--no-expert} disables this option.
 
@ -32,19 +32,19 @@ Index: gnupg-2.2.7/doc/gpg.texi
 @end table
 
 
-Index: gnupg-2.2.7/g10/gpg.c
+Index: gnupg-2.2.18/g10/gpg.c
 ===================================================================
--- gnupg-2.2.7.orig/g10/gpg.c	2018-05-04 16:14:30.949580264 +0200
-+++ gnupg-2.2.7/g10/gpg.c	2018-05-04 16:15:00.441858109 +0200
+--- gnupg-2.2.18.orig/g10/gpg.c
+++ gnupg-2.2.18/g10/gpg.c
@@ -425,6 +425,7 @@ enum cmd_and_opt_values
-     oKeyOrigin,
     oRequestOrigin,
     oNoSymkeyCache,
+     oUseOnlyOpenPGPCard,
 +    oSetLegacyFips,
 
     oNoop
   };
-@@ -872,6 +873,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -870,6 +871,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oAllowMultipleMessages,      "allow-multiple-messages", "@"),
   ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
   ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
@ -52,8 +52,8 @@ Index: gnupg-2.2.7/g10/gpg.c
 
   ARGPARSE_s_s (oDefaultNewKeyAlgo, "default-new-key-algo", "@"),
 
-@@ -3568,6 +3570,13 @@ main (int argc, char **argv)
-             opt.def_new_key_algo = pargs.r.ret_str;
+@@ -3600,6 +3602,13 @@ main (int argc, char **argv)
+             opt.flags.use_only_openpgp_card = 1;
             break;
 
 +	  case oSetLegacyFips:
--- a/gpg2.changes
+++ b/gpg2.changes
@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Wed Nov 27 15:42:22 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Update to 2.2.18 [bsc#1157900, CVE-2019-14855]
+  * gpg: Changed the way keys are detected on a smartcards; this
+    allows the use of non-OpenPGP cards.  In the case of a not very
+    likely regression the new option --use-only-openpgp-card is
+    available.  [#4681]
+  * gpg: The commands --full-gen-key and --quick-gen-key now allow
+    direct key generation from supported cards.  [#4681]
+  * gpg: Prepare against chosen-prefix SHA-1 collisions in key
+    signatures.  This change removes all SHA-1 based key signature
+    newer than 2019-01-19 from the web-of-trust.  Note that this
+    includes all key signature created with dsa1024 keys.  The new
+    option --allow-weak-key-signatues can be used to override the new
+    and safer behaviour.  [#4755,CVE-2019-14855]
+  * gpg: Improve performance for import of large keyblocks.  [#4592]
+  * gpg: Implement a keybox compression run.  [#4644]
+  * gpg: Show warnings from dirmngr about redirect and certificate
+    problems (details require --verbose as usual).
+  * gpg: Allow to pass the empty string for the passphrase if the
+    '--passphase=' syntax is used.  [#4633]
+  * gpg: Fix printing of the KDF object attributes.
+  * gpg: Avoid surprises with --locate-external-key and certain
+    --auto-key-locate settings.  [#4662]
+  * gpg: Improve selection of best matching key.  [#4713]
+  * gpg: Delete key binding signature when deletring a subkey.
+    [#4665,#4457]
+  * gpg: Fix a potential loss of key sigantures during import with
+    self-sigs-only active.  [#4628]
+  * gpg: Silence "marked as ultimately trusted" diagnostics if
+    option --quiet is used.  [#4634]
+  * gpg: Silence some diagnostics during in key listsing even with
+    option --verbose.  [#4627]
+  * gpg, gpgsm: Change parsing of agent's pkdecrypt results.  [#4652]
+  * gpgsm: Support AES-256 keys.
+  * gpgsm: Fix a bug in triggering a keybox compression run if
+    --faked-system-time is used.
+  * dirmngr: System CA certificates are no longer used for the SKS
+    pool if GNUTLS instead of NTBTLS is used as TLS library.  [#4594]
+  * dirmngr: On Windows detect usability of IPv4 and IPv6 interfaces
+    to avoid long timeouts.  [#4165]
+  * scd: Fix BWI value for APDU level transfers to make Gemalto Ezio
+    Shield and Trustica Cryptoucan work.  [#4654,#4566]
+  * wkd: gpg-wks-client --install-key now installs the required policy
+    file.
+- Rebase patches:
+  * gnupg-2.2.8-files-are-digests.patch
+  * gnupg-add_legacy_FIPS_mode_option.patch
+
 -------------------------------------------------------------------
 Thu Sep 19 12:05:13 UTC 2019 - Ludwig Nussel <lnussel@suse.de>

--- a/gpg2.spec
+++ b/gpg2.spec
@ -1,7 +1,7 @@
 #
 # spec file for package gpg2
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@


 Name:           gpg2
-Version:        2.2.17
+Version:        2.2.18
 Release:        0
 Summary:        File encryption, decryption, signature creation and verification utility
 License:        GPL-3.0-or-later