Accepting request 905868 from Base:System

OBS-URL: https://build.opensuse.org/request/show/905868
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpgme?expand=0&rev=87

gpgme-1.15.1.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eebc3c1b27f1c8979896ff361ba9bb4778b508b2496c2fc10e3775a40b1de1ad
-size 1699349

gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch

@@ -0,0 +1,126 @@
+From 81a33ea5e1b86d586b956e893a5b25c4cd41c969 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ingo=20Kl=C3=B6cker?= <dev@ingo-kloecker.de>
+Date: Sat, 26 Jun 2021 18:02:47 +0200
+Subject: [PATCH] core: Fix use-after-free issue in test
+
+* tests/gpg/t-edit-sign.c (sign_key, verify_key_signature): New.
+(main): Factored out signing and verifying the result.
+--
+
+Factoring the two steps of the test into different functions fixes the
+use-after-free issue that was caused by accidentaly using a variable
+of the first step in the second step.
+
+GnuPG-bug-id: 5509
+---
+ tests/gpg/t-edit-sign.c | 54 ++++++++++++++++++++++++++++-------------
+ 1 file changed, 37 insertions(+), 17 deletions(-)
+
+diff --git a/tests/gpg/t-edit-sign.c b/tests/gpg/t-edit-sign.c
+index 2f983622..e0494c54 100644
+--- a/tests/gpg/t-edit-sign.c
++++ b/tests/gpg/t-edit-sign.c
+@@ -107,31 +107,19 @@ interact_fnc (void *opaque, const char *status, const char *args, int fd)
+ }
+ 
+ 
+-int
+-main (int argc, char **argv)
++void
++sign_key (const char *key_fpr, const char *signer_fpr)
+ {
+   gpgme_ctx_t ctx;
+   gpgme_error_t err;
+   gpgme_data_t out = NULL;
+-  const char *signer_fpr = "A0FF4590BB6122EDEF6E3C542D727CC768697734"; /* Alpha Test */
+   gpgme_key_t signing_key = NULL;
+-  const char *key_fpr = "D695676BDCEDCC2CDD6152BCFE180B1DA9E3B0B2"; /* Bravo Test */
+   gpgme_key_t key = NULL;
+-  gpgme_key_t signed_key = NULL;
+-  gpgme_user_id_t signed_uid = NULL;
+-  gpgme_key_sig_t key_sig = NULL;
+   char *agent_info;
+-  int mode;
+-
+-  (void)argc;
+-  (void)argv;
+-
+-  init_gpgme (GPGME_PROTOCOL_OpenPGP);
+ 
+   err = gpgme_new (&ctx);
+   fail_if_err (err);
+ 
+-  /* Sign the key */
+   agent_info = getenv("GPG_AGENT_INFO");
+   if (!(agent_info && strchr (agent_info, ':')))
+     gpgme_set_passphrase_cb (ctx, passphrase_cb, 0);
+@@ -159,8 +147,23 @@ main (int argc, char **argv)
+   gpgme_data_release (out);
+   gpgme_key_unref (key);
+   gpgme_key_unref (signing_key);
++  gpgme_release (ctx);
++}
++
++
++void
++verify_key_signature (const char *key_fpr, const char *signer_keyid)
++{
++  gpgme_ctx_t ctx;
++  gpgme_error_t err;
++  gpgme_key_t signed_key = NULL;
++  gpgme_user_id_t signed_uid = NULL;
++  gpgme_key_sig_t key_sig = NULL;
++  int mode;
++
++  err = gpgme_new (&ctx);
++  fail_if_err (err);
+ 
+-  /* Verify the key signature */
+   mode  = gpgme_get_keylist_mode (ctx);
+   mode |= GPGME_KEYLIST_MODE_SIGS;
+   err = gpgme_set_keylist_mode (ctx, mode);
+@@ -168,7 +171,7 @@ main (int argc, char **argv)
+   err = gpgme_get_key (ctx, key_fpr, &signed_key, 0);
+   fail_if_err (err);
+ 
+-  signed_uid = key->uids;
++  signed_uid = signed_key->uids;
+   if (!signed_uid)
+     {
+       fprintf (stderr, "Signed key has no user IDs\n");
+@@ -180,7 +183,7 @@ main (int argc, char **argv)
+       exit (1);
+     }
+   key_sig = signed_uid->signatures->next;
+-  if (strcmp ("2D727CC768697734", key_sig->keyid))
++  if (strcmp (signer_keyid, key_sig->keyid))
+     {
+       fprintf (stderr, "Unexpected key ID in second user ID sig: %s\n",
+                 key_sig->keyid);
+@@ -196,6 +199,23 @@ main (int argc, char **argv)
+ 
+   gpgme_key_unref (signed_key);
+   gpgme_release (ctx);
++}
++
++
++int
++main (int argc, char **argv)
++{
++  const char *signer_fpr = "A0FF4590BB6122EDEF6E3C542D727CC768697734"; /* Alpha Test */
++  const char *signer_keyid = signer_fpr + strlen(signer_fpr) - 16;
++  const char *key_fpr = "D695676BDCEDCC2CDD6152BCFE180B1DA9E3B0B2"; /* Bravo Test */
++
++  (void)argc;
++  (void)argv;
++
++  init_gpgme (GPGME_PROTOCOL_OpenPGP);
++
++  sign_key (key_fpr, signer_fpr);
++  verify_key_signature (key_fpr, signer_keyid);
+ 
+   return 0;
+ }
+-- 
+2.32.0
+

gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch

@@ -0,0 +1,33 @@
+From 6a79e90dedc19877ae1c520fed875b57089a5425 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Ingo=20Kl=C3=B6cker?= <dev@ingo-kloecker.de>
+Date: Thu, 8 Jul 2021 11:54:06 +0200
+Subject: [PATCH] Make sure expiration time is interpreted as unsigned number
+
+* lang/qt/tests/t-various.cpp (testSignKeyWithExpiration): Convert
+expiration time to uint_least32_t.
+--
+
+This fixes the test on 32-bit systems where time_t (the return type of
+expirationTime()) is a signed 32-bit integer type.
+
+GnuPG-bug-id: 5522
+---
+ lang/qt/tests/t-various.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lang/qt/tests/t-various.cpp b/lang/qt/tests/t-various.cpp
+index 8563b681..72a2487a 100644
+--- a/lang/qt/tests/t-various.cpp
++++ b/lang/qt/tests/t-various.cpp
+@@ -355,7 +355,7 @@ private Q_SLOTS:
+         target.update();
+         const auto keySignature = target.userID(0).signature(target.userID(0).numSignatures() - 1);
+         QVERIFY(!keySignature.neverExpires());
+-        const auto expirationDate = QDateTime::fromSecsSinceEpoch(keySignature.expirationTime()).date();
++        const auto expirationDate = QDateTime::fromSecsSinceEpoch(uint_least32_t(keySignature.expirationTime())).date();
+         QCOMPARE(expirationDate, QDate(2106, 2, 6));  // expiration date is capped at 2106-02-06
+     }
+ 
+-- 
+2.11.0
+

gpgme-1.16.0.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c8cc4aedb10d5d4c905894ba1d850544619ee765606ac43df7405865de29ed0
+size 1718913

gpgme.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Wed Jul  7 18:19:43 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- gpgme 1.16.0:
+  * New context flag "cert-expire"
+  * New data flags "io-buffer-size" and "sensitive"
+  * cpp,qt: Add support for trust signatures
+  * qt: Add support for flags in LDAP server options
+  * qt: Fix too high memory consumption due to QProcess
+  * qt: Do not set empty base DN as query of keyserver URL
+  * qt: Extend SignKeyJob to create signatures with expiration date
+  * python: New optional parameter filter_signatures for decrypt
+- run all tests again
+- add patches to fix tests:
+  * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch
+  * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch
+
 -------------------------------------------------------------------
 Thu Mar 25 16:27:58 UTC 2021 - Ben Greiner <code@bnavigator.de>
 

gpgme.spec

@@ -30,10 +30,10 @@
 %endif
 %{!?python_module:%define python_module() python-%{**} python3-{**}}
 Name:           gpgme%{psuffix}
-Version:        1.15.1
+Version:        1.16.0
 Release:        0
 Summary:        Programmatic library interface to GnuPG
-License:        LGPL-2.1-or-later AND GPL-3.0-or-later
+License:        GPL-3.0-or-later AND LGPL-2.1-or-later
 Group:          Productivity/Security
 URL:            https://www.gnupg.org/related_software/gpgme/
 Source:         ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-%{version}.tar.bz2
@@ -43,6 +43,8 @@ Source2:        baselibs.conf
 Source3:        gpgme.keyring
 # used to have a fixed timestamp
 Source99:       gpgme.changes
+Patch0:         gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch
+Patch1:         gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch
 BuildRequires:  gcc-c++
 BuildRequires:  gpg2 >= 2.0.10
 BuildRequires:  libassuan-devel >= 2.4.2
@@ -147,6 +149,7 @@ management.
 This package contains the bindings to use the library from Python %{python_version} applications.
 
 %else
+
 %package -n python2-gpg
 Summary:        Python 2 bindings for GPGME, a library for accessing GnuPG
 Group:          Development/Languages/Python
@@ -204,10 +207,8 @@ This package contains the bindings to use the library in Qt C++ applications.
 
 %prep
 %setup -q -n gpgme-%{version}
-
+%patch0 -p1
-%ifarch %{ix86}
+%patch1 -p1
-sed -i -e '/t-callbacks.py/d' lang/python/tests/Makefile.{am,in}
-%endif
 
 %build
 build_timestamp=$(date -u +%{Y}-%{m}-%{dT}%{H}:%{M}+0000 -r %{SOURCE99})
@@ -263,7 +264,7 @@ rm -r %{buildroot}%{_libdir}/pkgconfig/gpgme*
 
 %if !%{with qt}
 %files
-%license COPYING COPYING.LESSER
+%license COPYING COPYING.LESSER LICENSES
 %doc AUTHORS ChangeLog ChangeLog-2011 README NEWS THANKS TODO VERSION
 %{_bindir}/gpgme-tool
 %{_bindir}/gpgme-json
@@ -272,9 +273,11 @@ rm -r %{buildroot}%{_libdir}/pkgconfig/gpgme*
 %{_infodir}/gpgme*
 
 %files -n libgpgme11
+%license COPYING COPYING.LESSER LICENSES
 %{_libdir}/libgpgme.so.*
 
 %files -n libgpgme-devel
+%license COPYING COPYING.LESSER LICENSES
 %{_libdir}/libgpgme.so
 %{_bindir}/gpgme-config
 %{_datadir}/aclocal/gpgme.m4
@@ -283,9 +286,11 @@ rm -r %{buildroot}%{_libdir}/pkgconfig/gpgme*
 %{_libdir}/pkgconfig/gpgme-glib.pc
 
 %files -n libgpgmepp6
+%license COPYING COPYING.LESSER LICENSES
 %{_libdir}/libgpgmepp.so.*
 
 %files -n libgpgmepp-devel
+%license COPYING COPYING.LESSER LICENSES
 %{_libdir}/libgpgmepp.so
 %{_includedir}/gpgme++
 %dir %{_libdir}/cmake
@@ -295,19 +300,23 @@ rm -r %{buildroot}%{_libdir}/pkgconfig/gpgme*
 
 %if %{with python2} && ! 0%{?python_subpackage_only}
 %files -n python2-gpg
+%license COPYING COPYING.LESSER LICENSES
 %{python_sitearch}/gpg*
 %endif
 
 %if %{with python3} || ( 0%{?python_subpackage_only} && %{with python2} )
 %files %{python_files gpg}
+%license COPYING COPYING.LESSER LICENSES
 %{python_sitearch}/gpg*
 %endif
 
 %if %{with qt}
 %files -n libqgpgme7
+%license COPYING COPYING.LESSER LICENSES
 %{_libdir}/libqgpgme.so.*
 
 %files -n libqgpgme-devel
+%license COPYING COPYING.LESSER LICENSES
 %{_includedir}/qgpgme/
 %{_includedir}/QGpgME/
 %dir %{_libdir}/cmake