From 225b92ae0142d0ce924715e28b0901b3c88133b9a06ef8df3ef308ef11958aaf Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Sun, 6 Apr 2008 03:55:31 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=20 --- gnupg-1.9.18-tmpdir.diff | 1 + gnupg-2.0.4-default-tty.diff | 5 +- gnupg-2.0.4-oldkey.diff | 11 --- gnupg-2.0.8-from-upstream.diff | 142 --------------------------------- gnupg-2.0.8-warningfixes.diff | 31 ------- gnupg-2.0.8.tar.bz2 | 3 - gnupg-2.0.9-RSA_ES.patch | 39 +++++++++ gnupg-2.0.9.tar.bz2 | 3 + gpg2.changes | 13 +++ gpg2.spec | 66 ++++++++------- 10 files changed, 95 insertions(+), 219 deletions(-) delete mode 100644 gnupg-2.0.4-oldkey.diff delete mode 100644 gnupg-2.0.8-from-upstream.diff delete mode 100644 gnupg-2.0.8-warningfixes.diff delete mode 100644 gnupg-2.0.8.tar.bz2 create mode 100644 gnupg-2.0.9-RSA_ES.patch create mode 100644 gnupg-2.0.9.tar.bz2 diff --git a/gnupg-1.9.18-tmpdir.diff b/gnupg-1.9.18-tmpdir.diff index 85ae375..c62cfd6 100644 --- a/gnupg-1.9.18-tmpdir.diff +++ b/gnupg-1.9.18-tmpdir.diff @@ -1,3 +1,4 @@ +# create gpg-agent socket in TMPDIR Index: agent/gpg-agent.c =================================================================== --- agent/gpg-agent.c.orig diff --git a/gnupg-2.0.4-default-tty.diff b/gnupg-2.0.4-default-tty.diff index e4191f7..806ed2c 100644 --- a/gnupg-2.0.4-default-tty.diff +++ b/gnupg-2.0.4-default-tty.diff @@ -1,6 +1,7 @@ +# sets default tty to /dev/tty --- common/asshelp.c +++ common/asshelp.c -@@ -90,6 +90,8 @@ +@@ -95,6 +95,8 @@ dft_ttyname = getenv ("GPG_TTY"); if ((!dft_ttyname || !*dft_ttyname) && ttyname (0)) dft_ttyname = ttyname (0); @@ -11,7 +12,7 @@ { --- common/simple-pwquery.c +++ common/simple-pwquery.c -@@ -217,6 +217,8 @@ +@@ -222,6 +222,8 @@ #ifndef HAVE_W32_SYSTEM if ((!dft_ttyname || !*dft_ttyname) && ttyname (0)) dft_ttyname = ttyname (0); 
diff --git a/gnupg-2.0.4-oldkey.diff b/gnupg-2.0.4-oldkey.diff deleted file mode 100644 index 0856e2a..0000000 --- a/gnupg-2.0.4-oldkey.diff +++ /dev/null @@ -1,11 +0,0 @@ ---- g10/seckey-cert.c -+++ g10/seckey-cert.c -@@ -212,7 +212,7 @@ do_check( PKT_secret_key *sk, const char - csum += checksum (buffer, ndata); - gcry_mpi_release (sk->skey[i]); - -- err = gcry_mpi_scan( &sk->skey[i], GCRYMPI_FMT_USG, -+ err = gcry_mpi_scan( &sk->skey[i], GCRYMPI_FMT_PGP, - buffer, ndata, &ndata ); - xfree (buffer); - if (err) diff --git a/gnupg-2.0.8-from-upstream.diff b/gnupg-2.0.8-from-upstream.diff deleted file mode 100644 index 37011c7..0000000 --- a/gnupg-2.0.8-from-upstream.diff +++ /dev/null 
@@ -1,142 +0,0 @@ - -This patch contains hand-selected fixes from upstream, some are needed -to make 'make check' of gpgme succeed without errors. - bk@suse.de - ---- gnupg-2.0.8//doc/qualified.txt 2007-12-13 16:13:10.000000000 +0100 -+++ gnupg-r4688//doc/qualified.txt 2008-02-06 16:58:10.000000000 +0100 -@@ -4,9 +4,9 @@ - # signatures are. Comments like this one and empty lines are allowed - # Lines do have a length limit but this is not a serious limitation as - # the format of the entries is fixed and checked by gpgsm: A --# non-comment line starts with optional white spaces, followed by --# exactly 40 hex character, white space and a lowercased 2 letter --# country code. Additional data delimited with by a white space is -+# non-comment line starts with optional whitespaces, followed by -+# exactly 40 hex character, whitespace and a lowercased 2 letter -+# country code. Additional data delimited with by a whitespace is - # current ignored but might late be used for other purposes. - # - # Note: The subversion copy of this file carries a gpg:signature -@@ -193,7 +193,7 @@ E0:BF:1B:91:91:6B:88:E4:F1:15:92:22:CE:3 - #[checked: 2007-12-13 via received ZIP file with qualified signature from - # /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag - # /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg] --C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA -+C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA de - - # ID: 0x3A7D979B - # S/N: 00C4216083F35C54F67B09A80C3C55FE7D -@@ -208,7 +208,7 @@ C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:7 - #[checked: 2007-12-13 via received ZIP file with qualified signature from - # /CN=Dr. 
Matthias Stehle/O=Deutscher Sparkassenverlag - # /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg"] --D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B -+D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B de - - - #******************************************* ---- gnupg-2.0.8//g10/card-util.c 2007-07-17 14:59:52.000000000 +0200 -+++ gnupg-r4688//g10/card-util.c 2008-02-06 16:58:14.000000000 +0100 -@@ -156,6 +156,8 @@ get_manufacturer (unsigned int no) - case 0x0001: return "PPC Card Systems"; - case 0x0002: return "Prism"; - case 0x0003: return "OpenFortress"; -+ case 0x0004: return "Wewid AB"; -+ - /* 0x00000 and 0xFFFF are defined as test cards per spec, - 0xFFF00 to 0xFFFE are assigned for use with randomly created - serial numbers. */ ---- gnupg-2.0.8//g10/gpg.c 2007-12-14 12:08:13.000000000 +0100 -+++ gnupg-r4688//g10/gpg.c 2008-02-06 16:58:14.000000000 +0100 -@@ -623,6 +623,7 @@ static ARGPARSE_OPTS opts[] = { - { oLockNever, "lock-never", 0, "@" }, - { oLoggerFD, "logger-fd",1, "@" }, - { oLoggerFile, "log-file",2, "@" }, -+ { oLoggerFile, "logger-file",2, "@" }, /* For 1.4 compatibility. */ - { oUseEmbeddedFilename, "use-embedded-filename", 0, "@" }, - { oNoUseEmbeddedFilename, "no-use-embedded-filename", 0, "@" }, - { oUtf8Strings, "utf8-strings", 0, "@" }, ---- gnupg-2.0.8//tools/ChangeLog 2007-12-14 16:56:04.000000000 +0100 -+++ gnupg-r4688//tools/ChangeLog 2008-02-06 16:58:09.000000000 +0100 -@@ -1,3 +1,18 @@ -+2008-02-01 Marcus Brinkmann -+ -+ * gpgconf-comp.c (gc_component_list_options): Fix memcpy. -+ Reported by Marc Mutz. -+ -+2008-01-22 Werner Koch -+ -+ * gpgconf-comp.c: Use gnupg domain for honor-http-proxy. Make -+ "LDAP server list" group title translatable. -+ -+2008-01-17 Marcus Brinkmann -+ -+ * gpgconf-comp.c (change_options_program): Strip duplicated -+ utf8-strings entries for gnupg backend. Don't create them either. 
-+ - 2007-12-10 Marcus Brinkmann - - * gpgconf-comp.c (gc_component_list_options): Fix up expert level ---- gnupg-2.0.8//tools/gpgconf-comp.c 2007-12-14 16:56:04.000000000 +0100 -+++ gnupg-r4688//tools/gpgconf-comp.c 2008-02-06 16:58:10.000000000 +0100 -@@ -840,7 +840,7 @@ static gc_option_t gc_options_dirmngr[] - "dirmngr", "|URL|redirect all HTTP requests to URL", - GC_ARG_TYPE_STRING, GC_BACKEND_DIRMNGR }, - { "honor-http-proxy", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED, -- "dirmngr", N_("use system's HTTP proxy setting"), -+ "gnupg", N_("use system's HTTP proxy setting"), - GC_ARG_TYPE_NONE, GC_BACKEND_DIRMNGR }, - - { "LDAP", -@@ -874,7 +874,7 @@ static gc_option_t gc_options_dirmngr[] - GC_BACKEND_DIRMNGR in this component, so that the entry for - "ldapserverlist-file will be initialized before this one. */ - { "LDAP Server", GC_OPT_FLAG_ARG_OPT|GC_OPT_FLAG_LIST, GC_LEVEL_BASIC, -- NULL, "LDAP server list", -+ "gnupg", N_("LDAP server list"), - GC_ARG_TYPE_LDAP_SERVER, GC_BACKEND_DIRMNGR_LDAP_SERVER_LIST }, - { "max-replies", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC, - "dirmngr", "|N|do not return more than N items in one query", -@@ -1568,7 +1568,7 @@ gc_component_list_options (int component - gc_option_t opt_copy; - - /* Fix up the group level. */ -- memcpy (&opt_copy, option, sizeof (opt)); -+ memcpy (&opt_copy, option, sizeof (opt_copy)); - opt_copy.level = level; - list_one_option (&opt_copy, out); - } -@@ -2467,6 +2467,8 @@ change_options_program (gc_component_t c - char *src_filename; - char *dest_filename; - char *orig_filename; -+ /* Special hack for gpg, see below. */ -+ int utf8strings_seen = 0; - - /* FIXME. Throughout the function, do better error reporting. */ - dest_filename = xstrdup (get_config_pathname (component, backend)); -@@ -2526,6 +2528,15 @@ change_options_program (gc_component_t c - else - break; - } -+ else if (backend == GC_BACKEND_GPG && in_marker -+ && ! strcmp ("utf8-strings\n", line)) -+ { -+ /* Strip duplicated entries. 
*/ -+ if (utf8strings_seen) -+ disable = 1; -+ else -+ utf8strings_seen = 1; -+ } - - start = line; - while (*start == ' ' || *start == '\t') -@@ -2591,7 +2602,7 @@ change_options_program (gc_component_t c - followed by the rest of the original file. */ - - /* We have to turn on UTF8 strings for GnuPG. */ -- if (backend == GC_BACKEND_GPG) -+ if (backend == GC_BACKEND_GPG && ! utf8strings_seen) - fprintf (src_file, "utf8-strings\n"); - - option = gc_component[component].options; diff --git a/gnupg-2.0.8-warningfixes.diff b/gnupg-2.0.8-warningfixes.diff deleted file mode 100644 index a9b57c3..0000000 --- a/gnupg-2.0.8-warningfixes.diff +++ /dev/null @@ -1,31 +0,0 @@ -Fixes these two warnings: - -certdump.c:938: warning: the address of 't' will always evaluate as 'true' -dotlock.c:457: warning: 'pid' may be used uninitialized in this function - -Index: sm/certdump.c -=================================================================== ---- sm/certdump.c (revision 4688) -+++ sm/certdump.c (working copy) -@@ -935,7 +935,7 @@ - ksba_free (sexp); - - ksba_cert_get_validity (cert, 0, t); -- if (t && *t) -+ if (*t) - sprintf (created, "%.4s-%.2s-%.2s", t, t+4, t+6); - else - *created = 0; -Index: jnlib/dotlock.c -=================================================================== ---- jnlib/dotlock.c (revision 4688) -+++ jnlib/dotlock.c (working copy) -@@ -454,7 +454,7 @@ - #else - char buffer_space[10+1+70+1]; /* 70 is just an estimated value; node - name are usually shorter. */ -- int fd, pid; -+ int fd, pid = -1; - char *buffer, *p; - size_t expected_len; - int res, nread; diff --git a/gnupg-2.0.8.tar.bz2 b/gnupg-2.0.8.tar.bz2 deleted file mode 100644 index 4b57014..0000000 --- a/gnupg-2.0.8.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:16f310afe4740a26475c7273f585861a4bdefecbde27c214cc30c0db45d26913 -size 3654523 diff --git a/gnupg-2.0.9-RSA_ES.patch b/gnupg-2.0.9-RSA_ES.patch new file mode 100644 index 0000000..febef55 
--- /dev/null +++ b/gnupg-2.0.9-RSA_ES.patch @@ -0,0 +1,39 @@ +# adds back support for deprecated RSA_E, RSA_S algorithms +--- gnupg-2.0.9.orig/g10/misc.c ++++ gnupg-2.0.9/g10/misc.c +@@ -1285,6 +1285,8 @@ pubkey_get_npkey( int algo ) + + if (algo == GCRY_PK_ELG_E) + algo = GCRY_PK_ELG; ++ if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S) ++ algo = GCRY_PK_RSA; + if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NPKEY, NULL, &n)) + n = 0; + return n; +@@ -1298,6 +1300,8 @@ pubkey_get_nskey( int algo ) + + if (algo == GCRY_PK_ELG_E) + algo = GCRY_PK_ELG; ++ if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S) ++ algo = GCRY_PK_RSA; + if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NSKEY, NULL, &n )) + n = 0; + return n; +@@ -1311,6 +1315,8 @@ pubkey_get_nsig( int algo ) + + if (algo == GCRY_PK_ELG_E) + algo = GCRY_PK_ELG; ++ if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S) ++ algo = GCRY_PK_RSA; + if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NSIGN, NULL, &n)) + n = 0; + return n; +@@ -1324,6 +1330,8 @@ pubkey_get_nenc( int algo ) + + if (algo == GCRY_PK_ELG_E) + algo = GCRY_PK_ELG; ++ if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S) ++ algo = GCRY_PK_RSA; + if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NENCR, NULL, &n )) + n = 0; + return n; diff --git a/gnupg-2.0.9.tar.bz2 b/gnupg-2.0.9.tar.bz2 new file mode 100644 index 0000000..382aeba --- /dev/null +++ b/gnupg-2.0.9.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2dc124908a1dfa3b79d2b0a82aa1a31817128feb14e84a26226beaab13179686 +size 3718925 diff --git a/gpg2.changes b/gpg2.changes index c54aa82..89c7eeb 100644 --- a/gpg2.changes +++ b/gpg2.changes 
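Review bot: Folding `GCRY_PK_RSA_E` and `GCRY_PK_RSA_S` into `GCRY_PK_RSA` in `pubkey_get_nsig` and `pubkey_get_nenc` drops the usage restriction these deprecated IDs carry, so an encrypt-only RSA_E key now reports the same signature MPI count as a general RSA key, and a sign-only RSA_S key the same encrypted-data MPI count. Nothing in these four hunks shows where the sign-only/encrypt-only restriction is enforced, so confirm that the key-usage check elsewhere in g10 still rejects the wrong operation and that no caller treated a zero count from these getters as the rejection. The same two-line mapping is also pasted into all four getters beside the ELG_E one; a single helper such as `static int map_pk_algo (int algo)` carrying the comment `/* Deprecated RSA_E/RSA_S keys use the same MPI layout as RSA. */` would keep them from drifting apart. The four function bodies begin outside the hunks, so the declaration and initial value of `n` are not visible here.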
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Fri Mar 28 16:14:33 CET 2008 - pcerny@suse.cz + +- update to 2.0.9 + * fixes CVE-2008-1530 (bnc#374254) + * removing gnupg-2.0.8-from-upstream.diff (included in release) + * removing gnupg-2.0.4-oldkey.diff (accepted by upstream) + * removing gnupg-2.0.8-warningfixes.diff + (also appears in upstream) +- patch gnupg-2.0.9-RSA_ES.patch + * adding back support for deprecated RSA_E, RSA_S algorithms + (bnc#342979) + ------------------------------------------------------------------- Wed Mar 26 22:07:29 CET 2008 - coolo@suse.de diff --git a/gpg2.spec b/gpg2.spec index 16418ee..12a2886 100644 --- a/gpg2.spec +++ b/gpg2.spec @@ -1,5 +1,5 @@ # -# spec file for package gpg2 (Version 2.0.8) +# spec file for package gpg2 (Version 2.0.9) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -12,8 +12,8 @@ Name: gpg2 -Version: 2.0.8 -Release: 29 +Version: 2.0.9 +Release: 1 #krb5 BuildRequires: expect fdupes libassuan-devel pth BuildRequires: libgcrypt-devel libksba-devel opensc-devel @@ -26,17 +26,15 @@ Group: Productivity/Networking/Security PreReq: %install_info_prereq AutoReqProv: on Requires: pinentry dirmngr %name-lang = %{version} -Provides: newpg gpg = 1.4.8 gnupg = %{version} -Obsoletes: newpg gpg <= 1.4.8 +Provides: newpg gpg = 1.4.9 gnupg = %{version} +Obsoletes: newpg gpg <= 1.4.9 Summary: GnuPG 2 -Source: gnupg-2.0.8.tar.bz2 -Patch2: gnupg-2.0.8-from-upstream.diff -Patch3: gnupg-2.0.4-oldkey.diff -Patch4: gnupg-2.0.8-warningfixes.diff +Source: gnupg-2.0.9.tar.bz2 Patch5: gnupg-1.9.22-ccid-driver-fix.diff Patch6: gnupg-1.9.18-tmpdir.diff Patch7: gnupg-2.0.4-install_tools.diff Patch9: gnupg-2.0.4-default-tty.diff +Patch10: gnupg-2.0.9-RSA_ES.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
@@ -53,14 +51,12 @@ Authors: %lang_package %prep %setup -q -n gnupg-%version -%patch2 -p1 -%patch3 -%patch4 %patch5 %patch6 # Note: this patch only patches Makefile.am files, so it needs automake to run. %patch7 %patch9 +%patch10 -p1 %build # Required for patch7: @@ -74,24 +70,24 @@ CFLAGS="%{optflags} -fPIE" LDFLAGS=-pie \ CFLAGS="%{optflags} -fpie" LDFLAGS=-pie \ %endif ./configure \ - --prefix=%{_prefix} \ - --sysconfdir=/etc \ - --libdir=%{_libdir} \ - --infodir=%{_infodir} \ - --with-agent-pgm=%{_prefix}/bin/gpg-agent \ - --with-pinentry-pgm=%{_prefix}/bin/pinentry \ - --with-dirmngr-pgm=%{_prefix}/bin/dirmngr \ - --enable-ldap \ - --enable-external-hkp \ - --enable-shared \ - --enable-gpgsm=yes \ - --enable-gpg \ - --enable-static-rnd=linux \ - --with-gnu-ld \ - --mandir=%{_mandir} \ - --libexecdir=%{_libdir} \ - --program-prefix="" %{_target_cpu}-suse-linux \ - --with-scdaemon-pgm=%{_prefix}/bin/scdaemon + --prefix=%{_prefix} \ + --sysconfdir=/etc \ + --libdir=%{_libdir} \ + --infodir=%{_infodir} \ + --with-agent-pgm=%{_prefix}/bin/gpg-agent \ + --with-pinentry-pgm=%{_prefix}/bin/pinentry \ + --with-dirmngr-pgm=%{_prefix}/bin/dirmngr \ + --enable-ldap \ + --enable-external-hkp \ + --enable-shared \ + --enable-gpgsm=yes \ + --enable-gpg \ + --enable-static-rnd=linux \ + --with-gnu-ld \ + --mandir=%{_mandir} \ + --libexecdir=%{_libdir} \ + --program-prefix="" %{_target_cpu}-suse-linux \ + --with-scdaemon-pgm=%{_prefix}/bin/scdaemon make %install 
@@ -136,6 +132,16 @@ $RPM_BUILD_ROOT/usr/bin/gpgsplit -v -p secsplit- --secret-to-public --uncompress /usr/share/gnupg %changelog +* Fri Mar 28 2008 pcerny@suse.cz +- update to 2.0.9 + * fixes CVE-2008-1530 (bnc#374254) + * removing gnupg-2.0.8-from-upstream.diff (included in release) + * removing gnupg-2.0.4-oldkey.diff (accepted by upstream) + * removing gnupg-2.0.8-warningfixes.diff + (also appears in upstream) +- patch gnupg-2.0.9-RSA_ES.patch + * adding back support for deprecated RSA_E, RSA_S algorithms + (bnc#342979) * Wed Mar 26 2008 coolo@suse.de - require the split out lang package * Sun Mar 23 2008 coolo@suse.de