Accepting request 347464 from security:privacy

2.1.10 OBS-URL: https://build.opensuse.org/request/show/347464 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=122
2015-12-04 15:26:14 +00:00 · 2015-12-04 15:26:14 +00:00 · 0febbaf009
commit 0febbaf009
parent bcc045f104
9 changed files with 98 additions and 51 deletions
--- a/gnupg-2.0.18-files-are-digests.patch
+++ b/gnupg-2.0.18-files-are-digests.patch
@ -4,11 +4,11 @@
 g10/sign.c    |   68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
 3 files changed, 67 insertions(+), 6 deletions(-)

-Index: gnupg-2.1.3/g10/gpg.c
+Index: gnupg-2.1.10/g10/gpg.c
 ===================================================================
--- gnupg-2.1.3.orig/g10/gpg.c	2015-04-06 14:03:32.000000000 +0200
-+++ gnupg-2.1.3/g10/gpg.c	2015-04-11 20:45:24.000000000 +0200
-@@ -352,6 +352,7 @@ enum cmd_and_opt_values
+--- gnupg-2.1.10.orig/g10/gpg.c	2015-12-04 14:25:25.749577555 +0100
+++ gnupg-2.1.10/g10/gpg.c	2015-12-04 14:26:04.777192262 +0100
+@@ -355,6 +355,7 @@ enum cmd_and_opt_values
     oTTYtype,
     oLCctype,
     oLCmessages,
@ -16,23 +16,23 @@ Index: gnupg-2.1.3/g10/gpg.c
     oXauthority,
     oGroup,
     oUnGroup,
-@@ -738,6 +739,7 @@ static ARGPARSE_OPTS opts[] = {
-   ARGPARSE_s_s (oPersonalCompressPreferences,
-                                          "personal-compress-preferences", "@"),
-   ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
+@@ -757,6 +758,7 @@ static ARGPARSE_OPTS opts[] = {
+   ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
+   ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
+   ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
 +  ARGPARSE_s_n (oFilesAreDigests, "files-are-digests", "@"),
 
   /* Aliases.  I constantly mistype these, and assume other people do
      as well. */
-@@ -2148,6 +2150,7 @@ main (int argc, char **argv)
+@@ -2483,6 +2485,7 @@ main (int argc, char **argv)
     opt.def_cert_expire = "0";
     set_homedir (default_homedir ());
     opt.passphrase_repeat = 1;
 +    opt.files_are_digests=0;
     opt.emit_version = 1; /* Limit to the major number.  */
- 
-     /* Check whether we have a config file on the command line.  */
-@@ -2661,6 +2664,7 @@ main (int argc, char **argv)
+     opt.weak_digests = NULL;
+     additional_weak_digest("MD5");
+@@ -3022,6 +3025,7 @@ main (int argc, char **argv)
 	    opt.verify_options&=~VERIFY_SHOW_PHOTOS;
 	    break;
 	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
@ -40,11 +40,11 @@ Index: gnupg-2.1.3/g10/gpg.c
 
 	  case oForceMDC: opt.force_mdc = 1; break;
 	  case oNoForceMDC: opt.force_mdc = 0; break;
-Index: gnupg-2.1.3/g10/options.h
+Index: gnupg-2.1.10/g10/options.h
 ===================================================================
--- gnupg-2.1.3.orig/g10/options.h	2015-04-06 13:41:53.000000000 +0200
-+++ gnupg-2.1.3/g10/options.h	2015-04-11 20:45:24.000000000 +0200
-@@ -194,6 +194,7 @@ struct
+--- gnupg-2.1.10.orig/g10/options.h	2015-12-04 14:25:25.749577555 +0100
+++ gnupg-2.1.10/g10/options.h	2015-12-04 14:25:28.472550675 +0100
+@@ -205,6 +205,7 @@ struct
   int no_auto_check_trustdb;
   int preserve_permissions;
   int no_homedir_creation;
@ -52,10 +52,10 @@ Index: gnupg-2.1.3/g10/options.h
   struct groupitem *grouplist;
   int mangle_dos_filenames;
   int enable_progress_filter;
-Index: gnupg-2.1.3/g10/sign.c
+Index: gnupg-2.1.10/g10/sign.c
 ===================================================================
--- gnupg-2.1.3.orig/g10/sign.c	2015-04-05 19:43:32.000000000 +0200
-+++ gnupg-2.1.3/g10/sign.c	2015-04-11 20:45:24.000000000 +0200
+--- gnupg-2.1.10.orig/g10/sign.c	2015-12-04 14:25:25.750577545 +0100
+++ gnupg-2.1.10/g10/sign.c	2015-12-04 14:25:28.473550666 +0100
@@ -41,7 +41,7 @@
 #include "pkglue.h"
 #include "sysutils.h"
@ -65,7 +65,7 @@ Index: gnupg-2.1.3/g10/sign.c
 
 #ifdef HAVE_DOSISH_SYSTEM
 #define LF "\r\n"
-@@ -706,8 +706,12 @@ write_signature_packets (SK_LIST sk_list
+@@ -681,8 +681,12 @@ write_signature_packets (SK_LIST sk_list
           mk_notation_policy_etc (sig, NULL, pk);
         }
 
@ -78,7 +78,7 @@ Index: gnupg-2.1.3/g10/sign.c
 
       rc = do_sign (pk, sig, md, hash_for (pk), cache_nonce);
       gcry_md_close (md);
-@@ -765,6 +769,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -740,6 +744,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
     SK_LIST sk_rover = NULL;
     int multifile = 0;
     u32 duration=0;
@ -87,7 +87,7 @@ Index: gnupg-2.1.3/g10/sign.c
 
     pfx = new_progress_context ();
     afx = new_armor_context ();
-@@ -781,7 +787,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -756,7 +762,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
 	fname = NULL;
 
     if( fname && filenames->next && (!detached || encryptflag) )
@ -105,7 +105,7 @@ Index: gnupg-2.1.3/g10/sign.c
 
     if(encryptflag==2
        && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
-@@ -802,7 +817,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -777,7 +792,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
       goto leave;
 
     /* prepare iobufs */
@ -114,7 +114,7 @@ Index: gnupg-2.1.3/g10/sign.c
 	inp = NULL; /* we do it later */
     else {
       inp = iobuf_open(fname);
-@@ -940,7 +955,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -915,7 +930,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
     for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
       gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
 
@ -123,7 +123,7 @@ Index: gnupg-2.1.3/g10/sign.c
 	iobuf_push_filter( inp, md_filter, &mfx );
 
     if( detached && !encryptflag)
-@@ -995,6 +1010,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -970,6 +985,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
 
     write_status_begin_signing (mfx.md);
 
@ -132,7 +132,7 @@ Index: gnupg-2.1.3/g10/sign.c
     /* Setup the inner packet. */
     if( detached ) {
 	if( multifile ) {
-@@ -1035,6 +1052,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1010,6 +1027,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
 	    if( opt.verbose )
               log_printf ("\n");
 	}
@ -178,7 +178,7 @@ Index: gnupg-2.1.3/g10/sign.c
 	else {
 	    /* read, so that the filter can calculate the digest */
 	    while( iobuf_get(inp) != -1 )
-@@ -1052,8 +1108,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
+@@ -1027,8 +1083,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
 
     /* write the signatures */
     rc = write_signature_packets (sk_list, out, mfx.md,
--- a/gnupg-2.1.10.tar.bz2
+++ b/gnupg-2.1.10.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:93bd58d81771a4fa488566e5d2e13b1fd7afc86789401eb41731882abfd26cf9
+size 5173253
--- a/gnupg-2.1.10.tar.bz2.sig
+++ b/gnupg-2.1.10.tar.bz2.sig
--- a/gnupg-2.1.9.tar.bz2
+++ b/gnupg-2.1.9.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1cb7633a57190beb66f9249cb7446603229b273d4d89331b75c652fa4a29f7b6
-size 4925167
--- a/gnupg-2.1.9.tar.bz2.sig
+++ b/gnupg-2.1.9.tar.bz2.sig
--- a/gnupg-add_legacy_FIPS_mode_option.patch
+++ b/gnupg-add_legacy_FIPS_mode_option.patch
@ -3,11 +3,11 @@
 g10/gpg.c    |    9 +++++++++
 2 files changed, 27 insertions(+)

-Index: gnupg-2.1.9/doc/gpg.texi
+Index: gnupg-2.1.10/doc/gpg.texi
 ===================================================================
--- gnupg-2.1.9.orig/doc/gpg.texi
-+++ gnupg-2.1.9/doc/gpg.texi
-@@ -1778,6 +1778,24 @@ implies, this option is for experts only
+--- gnupg-2.1.10.orig/doc/gpg.texi	2015-12-04 14:28:28.840769433 +0100
+++ gnupg-2.1.10/doc/gpg.texi	2015-12-04 14:28:33.784720588 +0100
+@@ -1875,6 +1875,24 @@ implies, this option is for experts only
 understand the implications of what it allows you to do, leave this
 off. @option{--no-expert} disables this option.
 
@ -32,19 +32,19 @@ Index: gnupg-2.1.9/doc/gpg.texi
 @end table
 
 
-Index: gnupg-2.1.9/g10/gpg.c
+Index: gnupg-2.1.10/g10/gpg.c
 ===================================================================
--- gnupg-2.1.9.orig/g10/gpg.c
-+++ gnupg-2.1.9/g10/gpg.c
-@@ -386,6 +386,7 @@ enum cmd_and_opt_values
-     oNoAutostart,
-     oPrintPKARecords,
-     oPrintDANERecords,
+--- gnupg-2.1.10.orig/g10/gpg.c	2015-12-04 14:28:28.843769403 +0100
+++ gnupg-2.1.10/g10/gpg.c	2015-12-04 14:29:04.084421214 +0100
+@@ -394,6 +394,7 @@ enum cmd_and_opt_values
+     oWeakDigest,
+     oUnwrap,
+     oOnlySignTextIDs,
 +    oSetLegacyFips,
 
     oNoop
   };
-@@ -780,6 +781,7 @@ static ARGPARSE_OPTS opts[] = {
+@@ -796,6 +797,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oAllowMultipleMessages,      "allow-multiple-messages", "@"),
   ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
   ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
@ -52,7 +52,7 @@ Index: gnupg-2.1.9/g10/gpg.c
 
   /* These two are aliases to help users of the PGP command line
      product use gpg with minimal pain.  Many commands are common
-@@ -3188,6 +3190,13 @@ main (int argc, char **argv)
+@@ -3556,6 +3558,13 @@ main (int argc, char **argv)
 
           case oNoAutostart: opt.autostart = 0; break;
 
--- a/gnupg-set_umask_before_open_outfile.patch
+++ b/gnupg-set_umask_before_open_outfile.patch
@ -1,7 +1,7 @@
-Index: gnupg-2.1.0/g10/plaintext.c
+Index: gnupg-2.1.10/g10/plaintext.c
 ===================================================================
--- gnupg-2.1.0.orig/g10/plaintext.c	2014-11-07 11:35:18.100563974 +0100
-+++ gnupg-2.1.0/g10/plaintext.c	2014-11-07 16:51:59.919347340 +0100
+--- gnupg-2.1.10.orig/g10/plaintext.c	2015-11-30 17:39:52.000000000 +0100
+++ gnupg-2.1.10/g10/plaintext.c	2015-12-04 14:26:56.876677813 +0100
@@ -25,6 +25,7 @@
 #include <errno.h>
 #include <assert.h>
@ -18,9 +18,9 @@ Index: gnupg-2.1.0/g10/plaintext.c
 +#define GPG_SAFE_PERMS (S_IRUSR | S_IWUSR)
 +#define GPG_SAFE_UMASK (0777 & ~GPG_SAFE_PERMS)
 
- /* Handle a plaintext packet.  If MFX is not NULL, update the MDs
-  * Note: We should have used the filter stuff here, but we have to add
-@@ -169,11 +173,15 @@ handle_plaintext (PKT_plaintext * pt, md
+ /* Get the output filename.  On success, the actual filename that is
+    used is set in *FNAMEP and a filepointer is returned in *FP.
+@@ -146,11 +150,15 @@ get_output_file (const byte *embedded_na
       log_error (_("error creating '%s': %s\n"), fname, gpg_strerror (err));
       goto leave;
     }
--- a/gpg2.changes
+++ b/gpg2.changes
@ -1,9 +1,53 @@
+-------------------------------------------------------------------
+Fri Dec  4 13:35:40 UTC 2015 - astieger@suse.com
+
+- GnuPG 2.1.10 adds TOFU (Trust-On-First-USe) and anonymous key
+  retrival via Tor.
+ * gpg: New trust models "tofu" and "tofu+pgp".
+ * gpg: New command --tofu-policy.  New options --tofu-default-policy
+   and --tofu-db-format.
+ * gpg: New option --weak-digest to specify hash algorithms which
+   should be considered weak.
+ * gpg: Allow the use of multiple --default-key options; take the last
+   available key.
+ * gpg: New option --encrypt-to-default-key.
+ * gpg: New option --unwrap to only strip the encryption layer.
+ * gpg: New option --only-sign-text-ids to exclude photo IDs from key
+   signing.
+ * gpg: Check for ambigious or non-matching key specification in the
+   config file or given to --encrypt-to.
+ * gpg: Show the used card reader with --card-status.
+ * gpg: Print export statistics and an EXPORTED status line.
+ * gpg: Allow selecting subkeys by keyid in --edit-key.
+ * gpg: Allow updating the expiration time of multiple subkeys at
+   once.
+ * dirmngr: New option --use-tor.  For full support this requires
+   libassuan version 2.4.2 and a patched version of libadns
+   (e.g. adns-1.4-g10-7 as used by the standard Windows installer).
+ * dirmngr: New option --nameserver to specify the nameserver used in
+   Tor mode.
+ * dirmngr: Keyservers may again be specified by IP address.
+ * dirmngr: Fixed problems in resolving keyserver pools.
+ * dirmngr: Fixed handling of premature termination of TLS streams so
+   that large numbers of keys can be refreshed via hkps.
+ * gpg: Fixed a regression in --locate-key [since 2.1.9].
+ * gpg: Fixed another bug for keyrings with legacy keys.
+ * gpgsm: Allow combinations of usage flags in --gen-key.
+ * Make tilde expansion work with most options.
+ * Many other cleanups and bug fixes.
+
 -------------------------------------------------------------------
 Tue Nov 24 10:27:58 UTC 2015 - vcizek@suse.com

 - enable tests for PPC64 again,
  the problem from bsc#935887 went away

+-------------------------------------------------------------------
+Fri Nov 20 16:03:03 UTC 2015 - astieger@suse.com
+
+- Improve upgrade to gpg2 from security:privacy w.r.t. libassuan
+  run-time dependencies (boo#955982)
+
 -------------------------------------------------------------------
 Sat Oct 10 11:39:55 UTC 2015 - astieger@suse.com

--- a/gpg2.spec
+++ b/gpg2.spec
@ -17,7 +17,7 @@


 Name:           gpg2
-Version:        2.1.9
+Version:        2.1.10
 Release:        0
 Summary:        GnuPG 2
 License:        GPL-3.0+
@ -38,7 +38,7 @@ BuildRequires:  expect
 BuildRequires:  fdupes
 BuildRequires:  gnutls-devel >= 3.0
 BuildRequires:  libadns-devel
-BuildRequires:  libassuan-devel >= 2.1.0
+BuildRequires:  libassuan-devel >= 2.4.1
 BuildRequires:  libbz2-devel
 BuildRequires:  libcurl-devel >= 7.10
 # patch11 (gnupg-add_legacy_FIPS_mode_option.patch) mentions GCRYCTL_INACTIVATE_FIPS_FLAG
@ -52,7 +52,10 @@ BuildRequires:  npth-devel >= 0.91
 BuildRequires:  openldap2-devel
 BuildRequires:  pkg-config
 BuildRequires:  readline-devel
+BuildRequires:  sqlite3-devel >= 3.7
 BuildRequires:  zlib-devel
+# Add an explicit runtime dependency to match boo#955982
+Requires:       libassuan0 >= 2.4.1
 Requires:       pinentry
 # FIXME: use proper Requires(pre/post/preun/...)
 PreReq:         %{install_info_prereq}