Accepting request 291611 from security:privacy

1

OBS-URL: https://build.opensuse.org/request/show/291611
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=96

gnupg-2.0.4-install_tools.diff

@@ -1,33 +0,0 @@
-Index: tools/Makefile.am
-===================================================================
---- tools/Makefile.am.orig
-+++ tools/Makefile.am
-@@ -36,8 +36,8 @@ sbin_SCRIPTS = addgnupghome applygnupgde
- 
- bin_SCRIPTS = gpgsm-gencert.sh
- if HAVE_USTAR
--# bin_SCRIPTS += gpg-zip
--noinst_SCRIPTS = gpg-zip
-+bin_SCRIPTS += gpg-zip
-+#noinst_SCRIPTS = gpg-zip
- endif
- 
- if BUILD_SYMCRYPTRUN
-@@ -55,7 +55,7 @@ endif
- # Fixme: We should remove the gpgkey2ssh tool.
- bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun}
- if !HAVE_W32_SYSTEM
--bin_PROGRAMS += watchgnupg gpgparsemail
-+bin_PROGRAMS += watchgnupg gpgparsemail gpgsplit
- endif
- if !HAVE_W32CE_SYSTEM
- bin_PROGRAMS += gpgkey2ssh ${gpgtar}
-@@ -66,7 +66,7 @@ libexec_PROGRAMS = gpg-check-pattern
- endif
- 
- if !HAVE_W32CE_SYSTEM
--noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert gpgsplit
-+noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert
- endif
- 
- common_libs = $(libcommon)

gnupg-large_keys.patch

@@ -1,46 +0,0 @@
-From: Lorenz Hüdepohl <dev@stellardeath.org>
-Date: 2014-11-27 17:01:07 +0000
-Subject: Continue to support existing large RSA keys
-References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739424
-Upstream: no
-
-For RSA keys up to probably 8192 bits it seems to be enough to call
-configure with the additional options
-
-  --enable-large-secmem
-  --enable-large-rsa
-
-However, there are existing keys out there that are even larger.
-
-Werner Koch thinks that it is silly to use keys that are this large. He
-is probably even right with this, which is why this patch still does not
-allow to create new keys larger than the set maximum (4096/8192
-depending on whether enable-large-rsa is set in gpg.conf).
-
-I still want to continue to use my existing 10k bits key, though.
-
----
-diff -ur gnupg-2.1.0.org/agent/command.c gnupg-2.1.0/agent/command.c
---- gnupg-2.1.0.org/agent/command.c	2014-11-04 17:10:44.000000000 +0200
-+++ gnupg-2.1.0/agent/command.c	2014-11-26 18:04:11.548271074 +0200
-@@ -47,7 +47,7 @@
- /* Maximum allowed size of the key parameters.  */
- #define MAXLEN_KEYPARAM 1024
- /* Maximum allowed size of key data as used in inquiries (bytes). */
--#define MAXLEN_KEYDATA 4096
-+#define MAXLEN_KEYDATA 8192
- /* The size of the import/export KEK key (in bytes).  */
- #define KEYWRAP_KEYSIZE (128/8)
- 
-diff -ur gnupg-2.1.0.org/configure.ac gnupg-2.1.0/configure.ac
---- gnupg-2.1.0.org/configure.ac	2014-11-04 17:09:28.000000000 +0200
-+++ gnupg-2.1.0/configure.ac	2014-11-17 19:40:28.632527090 +0200
-@@ -230,7 +230,7 @@
-               large_secmem=$enableval, large_secmem=no)
- AC_MSG_RESULT($large_secmem)
- if test "$large_secmem" = yes ; then
--   SECMEM_BUFFER_SIZE=65536
-+   SECMEM_BUFFER_SIZE=262144
- else
-    SECMEM_BUFFER_SIZE=32768
- fi

gnupg-remove_development_version_warning.patch

@@ -1,15 +0,0 @@
-Index: gnupg-2.1.0/autogen.sh
-===================================================================
---- gnupg-2.1.0.orig/autogen.sh	2014-11-05 09:04:41.000000000 +0100
-+++ gnupg-2.1.0/autogen.sh	2014-11-11 17:46:57.154859332 +0100
-@@ -228,8 +228,8 @@ if [ "$myhost" = "find-version" ]; then
-       rvd=$((0x$(echo ${rev} | head -c 4)))
-     else
-       ingit=no
--      beta=yes
--      tmp="-unknown"
-+      beta=no
-+      tmp=""
-       rev="0000000"
-       rvd="0"
-     fi

gpg2.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Mar 19 15:56:12 UTC 2015 - astieger@suse.com
+
+- Ensure secure memory can be used with default 64k memlock limit
+  Fixes [boo#915931], removes gnupg-large_keys.patch
+- Removed gnupg-remove_development_version_warning.patch, obsolete
+- Removed gnupg-2.0.4-install_tools.diff, replaced by spec install
+- Removed autoconf requirement and autoreconf calls thus obsoleted
+
 -------------------------------------------------------------------
 Tue Feb 24 08:10:22 UTC 2015 - astieger@suse.com
 

gpg2.spec

@@ -27,17 +27,13 @@ Source:         ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2
 Source2:        ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
 # https://www.gnupg.org/signature_key.html
 Source3:        %{name}.keyring
-Patch2:         gnupg-2.0.4-install_tools.diff
 Patch4:         gnupg-2.0.9-langinfo.patch
 Patch5:         gnupg-2.0.18-files-are-digests.patch
 Patch6:         gnupg-dont-fail-with-seahorse-agent.patch
 Patch8:         gnupg-set_umask_before_open_outfile.patch
 Patch9:         gnupg-detect_FIPS_mode.patch
 Patch11:        gnupg-add_legacy_FIPS_mode_option.patch
-Patch12:        gnupg-remove_development_version_warning.patch
-Patch14:        gnupg-large_keys.patch
 Patch15:        0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch
-BuildRequires:  automake >= 1.14
 BuildRequires:  expect
 BuildRequires:  fdupes
 BuildRequires:  gnutls-devel >= 3.0
@@ -79,19 +75,15 @@ gpg-agent, and a keybox library.
 
 %prep
 %setup -q -n gnupg-%{version}
-%patch2
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch8 -p1
 %patch9 -p1
 %patch11 -p1
-%patch12 -p1
-%patch14 -p1
 %patch15 -p1
 
 %build
-autoreconf -fi
 # build PIEs (position independent executables) for address space randomisation:
 %ifarch s390x %{sparc}
 # s390x needs to use the large PIE model (at least for gpg.c):
@@ -138,6 +130,10 @@ install -m 644 AUTHORS COPYING ChangeLog NEWS THANKS TODO doc/FAQ %{buildroot}/%
 # install scdaemon to %{_bindir} (bnc#863645)
 mv %{buildroot}%{_libdir}/scdaemon %{buildroot}%{_bindir}
 mv %{buildroot}%{_libdir}/dirmngr_ldap %{buildroot}%{_bindir}
+# install legacy tools
+install -m 755 tools/gpg-zip %{buildroot}/%{_bindir}
+install -m 755 tools/gpgsplit %{buildroot}/%{_bindir}
+
 %find_lang gnupg2
 %if 0%{?suse_version} > 1020
 %fdupes %{buildroot}