diff --git a/gpgme-1.15.1.tar.bz2 b/gpgme-1.15.1.tar.bz2
deleted file mode 100644
index 1e9d147..0000000
--- a/gpgme-1.15.1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eebc3c1b27f1c8979896ff361ba9bb4778b508b2496c2fc10e3775a40b1de1ad
-size 1699349
diff --git a/gpgme-1.15.1.tar.bz2.sig b/gpgme-1.15.1.tar.bz2.sig
deleted file mode 100644
index 46f7728..0000000
Binary files a/gpgme-1.15.1.tar.bz2.sig and /dev/null differ
diff --git a/gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch b/gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch
new file mode 100644
index 0000000..a432d2f
--- /dev/null
+++ b/gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch
@@ -0,0 +1,126 @@
+From 81a33ea5e1b86d586b956e893a5b25c4cd41c969 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ingo=20Kl=C3=B6cker?=
+Date: Sat, 26 Jun 2021 18:02:47 +0200
+Subject: [PATCH] core: Fix use-after-free issue in test
+
+* tests/gpg/t-edit-sign.c (sign_key, verify_key_signature): New.
+(main): Factored out signing and verifying the result.
+--
+
+Factoring the two steps of the test into different functions fixes the
+use-after-free issue that was caused by accidentaly using a variable
+of the first step in the second step.
+
+GnuPG-bug-id: 5509
+---
+ tests/gpg/t-edit-sign.c | 54 ++++++++++++++++++++++++++++-------------
+ 1 file changed, 37 insertions(+), 17 deletions(-)
+
+diff --git a/tests/gpg/t-edit-sign.c b/tests/gpg/t-edit-sign.c
+index 2f983622..e0494c54 100644
+--- a/tests/gpg/t-edit-sign.c
++++ b/tests/gpg/t-edit-sign.c
+@@ -107,31 +107,19 @@ interact_fnc (void *opaque, const char *status, const char *args, int fd)
+ }
+
+
+-int
+-main (int argc, char **argv)
++void
++sign_key (const char *key_fpr, const char *signer_fpr)
+ {
+ gpgme_ctx_t ctx;
+ gpgme_error_t err;
+ gpgme_data_t out = NULL;
+- const char *signer_fpr = "A0FF4590BB6122EDEF6E3C542D727CC768697734"; /* Alpha Test */
+ gpgme_key_t signing_key = NULL;
+- const char *key_fpr = "D695676BDCEDCC2CDD6152BCFE180B1DA9E3B0B2"; /* Bravo Test */
+ gpgme_key_t key = NULL;
+- gpgme_key_t signed_key = NULL;
+- gpgme_user_id_t signed_uid = NULL;
+- gpgme_key_sig_t key_sig = NULL;
+ char *agent_info;
+- int mode;
+-
+- (void)argc;
+- (void)argv;
+-
+- init_gpgme (GPGME_PROTOCOL_OpenPGP);
+
+ err = gpgme_new (&ctx);
+ fail_if_err (err);
+
+- /* Sign the key */
+ agent_info = getenv("GPG_AGENT_INFO");
+ if (!(agent_info && strchr (agent_info, ':')))
+ gpgme_set_passphrase_cb (ctx, passphrase_cb, 0);
+@@ -159,8 +147,23 @@ main (int argc, char **argv)
+ gpgme_data_release (out);
+ gpgme_key_unref (key);
+ gpgme_key_unref (signing_key);
++ gpgme_release (ctx);
++}
++
++
++void
++verify_key_signature (const 
char *key_fpr, const char *signer_keyid)
++{
++ gpgme_ctx_t ctx;
++ gpgme_error_t err;
++ gpgme_key_t signed_key = NULL;
++ gpgme_user_id_t signed_uid = NULL;
++ gpgme_key_sig_t key_sig = NULL;
++ int mode;
++
++ err = gpgme_new (&ctx);
++ fail_if_err (err);
+
+- /* Verify the key signature */
+ mode = gpgme_get_keylist_mode (ctx);
+ mode |= GPGME_KEYLIST_MODE_SIGS;
+ err = gpgme_set_keylist_mode (ctx, mode);
+@@ -168,7 +171,7 @@ main (int argc, char **argv)
+ err = gpgme_get_key (ctx, key_fpr, &signed_key, 0);
+ fail_if_err (err);
+
+- signed_uid = key->uids;
++ signed_uid = signed_key->uids;
+ if (!signed_uid)
+ {
+ fprintf (stderr, "Signed key has no user IDs\n");
+@@ -180,7 +183,7 @@ main (int argc, char **argv)
+ exit (1);
+ }
+ key_sig = signed_uid->signatures->next;
+- if (strcmp ("2D727CC768697734", key_sig->keyid))
++ if (strcmp (signer_keyid, key_sig->keyid))
+ {
+ fprintf (stderr, "Unexpected key ID in second user ID sig: %s\n",
+ key_sig->keyid);
+@@ -196,6 +199,23 @@ main (int argc, char **argv)
+
+ gpgme_key_unref (signed_key);
+ gpgme_release (ctx);
++}
++
++
++int
++main (int argc, char **argv)
++{
++ const char *signer_fpr = "A0FF4590BB6122EDEF6E3C542D727CC768697734"; /* Alpha Test */
++ const char *signer_keyid = signer_fpr + strlen(signer_fpr) - 16;
++ const char *key_fpr = "D695676BDCEDCC2CDD6152BCFE180B1DA9E3B0B2"; /* Bravo Test */
++
++ (void)argc;
++ (void)argv;
++
++ init_gpgme (GPGME_PROTOCOL_OpenPGP);
++
++ sign_key (key_fpr, signer_fpr);
++ verify_key_signature (key_fpr, signer_keyid);
+
+ return 0;
+ }
+--
+2.32.0
+
diff --git a/gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch b/gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch
new file mode 100644
index 0000000..64ef120
--- /dev/null
+++ b/gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch
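Review bot: `sign_key` and `verify_key_signature` are introduced with external linkage in a single-translation-unit test program; `static void sign_key (const char *key_fpr, const char *signer_fpr)` and `static void verify_key_signature (const char *key_fpr, const char *signer_keyid)` would keep them file-local and let the compiler flag them if they ever become unused. The derivation `signer_keyid = signer_fpr + strlen(signer_fpr) - 16` in the new `main` relies on the long key ID being the trailing 16 hex digits of the v4 fingerprint, which the hunk itself shows by replacing the literal `"2D727CC768697734"`; a comment on that line such as `/* Long key ID = last 16 hex digits of the (v4) fingerprint. */` would make the `- 16` self-explanatory. The middle of `sign_key`, and the lines between the `@@ -168` and `@@ -180` hunks in `verify_key_signature`, are outside the shown hunks.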
@@ -0,0 +1,33 @@
+From 6a79e90dedc19877ae1c520fed875b57089a5425 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Ingo=20Kl=C3=B6cker?=
+Date: Thu, 8 Jul 2021 11:54:06 +0200
+Subject: [PATCH] Make sure expiration time is interpreted as unsigned number
+
+* lang/qt/tests/t-various.cpp (testSignKeyWithExpiration): Convert
+expiration time to uint_least32_t.
+--
+
+This fixes the test on 32-bit systems where time_t (the return type of
+expirationTime()) is a signed 32-bit integer type.
+
+GnuPG-bug-id: 5522
+---
+ lang/qt/tests/t-various.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lang/qt/tests/t-various.cpp b/lang/qt/tests/t-various.cpp
+index 8563b681..72a2487a 100644
+--- a/lang/qt/tests/t-various.cpp
++++ b/lang/qt/tests/t-various.cpp
+@@ -355,7 +355,7 @@ private Q_SLOTS:
+ target.update();
+ const auto keySignature = target.userID(0).signature(target.userID(0).numSignatures() - 1);
+ QVERIFY(!keySignature.neverExpires());
+- const auto expirationDate = QDateTime::fromSecsSinceEpoch(keySignature.expirationTime()).date();
++ const auto expirationDate = QDateTime::fromSecsSinceEpoch(uint_least32_t(keySignature.expirationTime())).date();
+ QCOMPARE(expirationDate, QDate(2106, 2, 6)); // expiration date is capped at 2106-02-06
+ }
+
+--
+2.11.0
+
diff --git a/gpgme-1.16.0.tar.bz2 b/gpgme-1.16.0.tar.bz2
new file mode 100644
index 0000000..40e00db
--- /dev/null
+++ b/gpgme-1.16.0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6c8cc4aedb10d5d4c905894ba1d850544619ee765606ac43df7405865de29ed0
+size 1718913
diff --git a/gpgme-1.16.0.tar.bz2.sig b/gpgme-1.16.0.tar.bz2.sig
new file mode 100644
index 0000000..8c128f0
Binary files /dev/null and b/gpgme-1.16.0.tar.bz2.sig differ
diff --git a/gpgme.changes b/gpgme.changes
index 8174f39..c0fef7a 100644
--- a/gpgme.changes
+++ b/gpgme.changes
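Review bot: `uint_least32_t(keySignature.expirationTime())` is a functional-style (C-style) cast that also truncates silently when `time_t` is 64-bit; `static_cast<uint_least32_t>(keySignature.expirationTime())` expresses the same conversion in a greppable form, and the reason belongs on the line, e.g. `// expirationTime() returns time_t; the 32-bit-capped expiration reads as negative on 32-bit time_t, so reinterpret the low 32 bits as unsigned`. The truncation is acceptable here only because the following `QCOMPARE` pins the 2106-02-06 cap, so any value wider than 32 bits would wrap instead of being reported. The enclosing `testSignKeyWithExpiration` starts outside the hunk.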
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Jul 7 18:19:43 UTC 2021 - Andreas Stieger
+
+- gpgme 1.16.0:
+ * New context flag "cert-expire"
+ * New data flags "io-buffer-size" and "sensitive"
+ * cpp,qt: Add support for trust signatures
+ * qt: Add support for flags in LDAP server options
+ * qt: Fix too high memory consumption due to QProcess
+ * qt: Do not set empty base DN as query of keyserver URL
+ * qt: Extend SignKeyJob to create signatures with expiration date
+ * python: New optional parameter filter_signatures for decrypt
+- add patches to fix tests:
+ * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch
+ * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch
+
 -------------------------------------------------------------------
 Thu Mar 25 16:27:58 UTC 2021 - Ben Greiner
diff --git a/gpgme.spec b/gpgme.spec
index c118a6e..fa04c96 100644
--- a/gpgme.spec
+++ b/gpgme.spec
@@ -30,10 +30,10 @@
 %endif
 %{!?python_module:%define python_module() python-%{**} python3-{**}}
 Name: gpgme%{psuffix}
-Version: 1.15.1
+Version: 1.16.0
 Release: 0
 Summary: Programmatic library interface to GnuPG
-License: LGPL-2.1-or-later AND GPL-3.0-or-later
+License: GPL-3.0-or-later AND LGPL-2.1-or-later
 Group: Productivity/Security
 URL: https://www.gnupg.org/related_software/gpgme/
 Source: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-%{version}.tar.bz2
@@ -43,6 +43,8 @@ Source2: baselibs.conf
 Source3: gpgme.keyring
 # used to have a fixed timestamp
 Source99: gpgme.changes
+Patch0: gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch
+Patch1: gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch
 BuildRequires: gcc-c++
 BuildRequires: gpg2 >= 2.0.10
 BuildRequires: libassuan-devel >= 2.4.2
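Review bot: The new `Patch0:` and `Patch1:` lines carry no provenance tag, so nothing in the spec tells a later maintainer that both are upstream backports to drop at the next release. The openSUSE patch-tagging convention is a comment directly above each line, e.g. `# PATCH-FIX-UPSTREAM gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch -- upstream commit 81a33ea5e1b8, GnuPG-bug-id 5509` and `# PATCH-FIX-UPSTREAM gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch -- upstream commit 6a79e90dedc1, GnuPG-bug-id 5522`. Both commit ids and bug ids are already present in the patch headers being added, so the tags only surface them where the spec is read.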
@@ -147,6 +149,7 @@ management.
 This package contains the bindings to use the library from Python %{python_version} applications.
 %else
+
 %package -n python2-gpg
 Summary: Python 2 bindings for GPGME, a library for accessing GnuPG
 Group: Development/Languages/Python
@@ -204,6 +207,8 @@ This package contains the bindings to use the library in Qt C++ applications.
 %prep
 %setup -q -n gpgme-%{version}
+%patch0 -p1
+%patch1 -p1
 %ifarch %{ix86}
 sed -i -e '/t-callbacks.py/d' lang/python/tests/Makefile.{am,in}
@@ -263,7 +268,7 @@ rm -r %{buildroot}%{_libdir}/pkgconfig/gpgme*
 %if !%{with qt}
 %files
-%license COPYING COPYING.LESSER
+%license COPYING COPYING.LESSER LICENSES
 %doc AUTHORS ChangeLog ChangeLog-2011 README NEWS THANKS TODO VERSION
 %{_bindir}/gpgme-tool
 %{_bindir}/gpgme-json
@@ -272,9 +277,11 @@ rm -r %{buildroot}%{_libdir}/pkgconfig/gpgme*
 %{_infodir}/gpgme*
 %files -n libgpgme11
+%license COPYING COPYING.LESSER LICENSES
 %{_libdir}/libgpgme.so.*
 %files -n libgpgme-devel
+%license COPYING COPYING.LESSER LICENSES
 %{_libdir}/libgpgme.so
 %{_bindir}/gpgme-config
 %{_datadir}/aclocal/gpgme.m4
@@ -283,9 +290,11 @@ rm -r %{buildroot}%{_libdir}/pkgconfig/gpgme*
 %{_libdir}/pkgconfig/gpgme-glib.pc
 %files -n libgpgmepp6
+%license COPYING COPYING.LESSER LICENSES
 %{_libdir}/libgpgmepp.so.*
 %files -n libgpgmepp-devel
+%license COPYING COPYING.LESSER LICENSES
 %{_libdir}/libgpgmepp.so
 %{_includedir}/gpgme++
 %dir %{_libdir}/cmake
@@ -295,19 +304,23 @@ rm -r %{buildroot}%{_libdir}/pkgconfig/gpgme*
 %if %{with python2} && ! 0%{?python_subpackage_only}
 %files -n python2-gpg
+%license COPYING COPYING.LESSER LICENSES
 %{python_sitearch}/gpg*
 %endif
 %if %{with python3} || ( 0%{?python_subpackage_only} && %{with python2} )
 %files %{python_files gpg}
+%license COPYING COPYING.LESSER LICENSES
 %{python_sitearch}/gpg*
 %endif
 %if %{with qt}
 %files -n libqgpgme7
+%license COPYING COPYING.LESSER LICENSES
 %{_libdir}/libqgpgme.so.*
 %files -n libqgpgme-devel
+%license COPYING COPYING.LESSER LICENSES
 %{_includedir}/qgpgme/
 %{_includedir}/QGpgME/
 %dir %{_libdir}/cmake