Accepting request 202365 from home:AndreasStieger:branches:Base:System

update to 2.0.22 [bnc#844175] [CVE-2013-4402] OBS-URL: https://build.opensuse.org/request/show/202365 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=65
2013-10-05 15:00:23 +00:00 · 2013-10-05 15:00:23 +00:00 · be1a8efbc3
commit be1a8efbc3
parent 9c07c5a07b
8 changed files with 30 additions and 81 deletions
--- a/gnupg-2.0.21.tar.bz2
+++ b/gnupg-2.0.21.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:00df8902c7cef4d2440d36ca2a45985853eb36c34a4163bc995c3578030eeef5
-size 4300604
--- a/gnupg-2.0.21.tar.bz2.sig
+++ b/gnupg-2.0.21.tar.bz2.sig
--- a/gnupg-2.0.22.tar.bz2
+++ b/gnupg-2.0.22.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:437d0ab259854359fc48aa8795af80cff4975e559c111c92c03d0bc91408e251
+size 4277117
--- a/gnupg-2.0.22.tar.bz2.sig
+++ b/gnupg-2.0.22.tar.bz2.sig
--- a/gnupg-2.0.9-RSA_ES.patch
+++ b/gnupg-2.0.9-RSA_ES.patch
@ -3,43 +3,43 @@
 # g10/misc.c |    8 ++++++++
 # 1 file changed, 8 insertions(+)
 #
-Index: gnupg-2.0.20/g10/misc.c
+Index: gnupg-2.0.22/g10/misc.c
 ===================================================================
--- gnupg-2.0.20.orig/g10/misc.c	2013-05-10 13:55:47.000000000 +0100
-+++ gnupg-2.0.20/g10/misc.c	2013-05-10 19:57:18.000000000 +0100
-@@ -1326,6 +1326,8 @@ pubkey_get_npkey( int algo )
+--- gnupg-2.0.22.orig/g10/misc.c	2013-10-04 16:54:48.000000000 +0100
+++ gnupg-2.0.22/g10/misc.c	2013-10-05 12:39:16.000000000 +0100
+@@ -1333,6 +1333,8 @@ pubkey_get_npkey( int algo )
 
   if (algo == GCRY_PK_ELG_E)
     algo = GCRY_PK_ELG;
 +  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
 +    algo = GCRY_PK_RSA;
-   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NPKEY, NULL, &n))
+   if (gcry_pk_algo_info (map_pk_openpgp_to_gcry (algo),
+                          GCRYCTL_GET_ALGO_NPKEY, NULL, &n))
     n = 0;
-   return n;
-@@ -1339,6 +1341,8 @@ pubkey_get_nskey( int algo )
+@@ -1353,6 +1355,8 @@ pubkey_get_nskey( int algo )
 
   if (algo == GCRY_PK_ELG_E)
     algo = GCRY_PK_ELG;
 +  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
 +    algo = GCRY_PK_RSA;
-   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NSKEY, NULL, &n ))
+   if (gcry_pk_algo_info (map_pk_openpgp_to_gcry (algo),
+                          GCRYCTL_GET_ALGO_NSKEY, NULL, &n ))
     n = 0;
-   return n;
-@@ -1352,6 +1356,8 @@ pubkey_get_nsig( int algo )
+@@ -1373,6 +1377,8 @@ pubkey_get_nsig( int algo )
 
   if (algo == GCRY_PK_ELG_E)
     algo = GCRY_PK_ELG;
 +  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
 +    algo = GCRY_PK_RSA;
-   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NSIGN, NULL, &n))
+   if (gcry_pk_algo_info (map_pk_openpgp_to_gcry (algo),
+                          GCRYCTL_GET_ALGO_NSIGN, NULL, &n))
     n = 0;
-   return n;
-@@ -1365,6 +1371,8 @@ pubkey_get_nenc( int algo )
+@@ -1393,6 +1399,8 @@ pubkey_get_nenc( int algo )
 
   if (algo == GCRY_PK_ELG_E)
     algo = GCRY_PK_ELG;
 +  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
 +    algo = GCRY_PK_RSA;
-   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NENCR, NULL, &n ))
+   if (gcry_pk_algo_info (map_pk_openpgp_to_gcry (algo),
+                          GCRYCTL_GET_ALGO_NENCR, NULL, &n ))
     n = 0;
-   return n;
--- a/gpg2-CVE-2013-4351.patch
+++ b/gpg2-CVE-2013-4351.patch
@ -1,60 +0,0 @@
-commit 8f8f3984e82a025cf1384132a419f67f39c7e07d 
-Author: Werner Koch <wk <at> gnupg.org>
-Date:   Fri Mar 15 15:46:03 2013 +0100
-
-    gpg: Distinguish between missing and cleared key flags.
-
-    * include/cipher.h (PUBKEY_USAGE_NONE): New.
-    * g10/getkey.c (parse_key_usage): Set new flag.
-    --
-
-    We do not want to use the default capabilities (derived from the
-    algorithm) if any key flags are given in a signature.  Thus if key
-    flags are used in any way, the default key capabilities are never
-    used.
-
-    This allows to create a key with key flags set to all zero so it can't
-    be used.  This better reflects common sense.
-
-	Modified g10/getkey.c
-Index: gnupg-2.0.9/g10/getkey.c
-===================================================================
--- gnupg-2.0.9.orig/g10/getkey.c	2013-09-16 16:51:02.752624501 +0200
-+++ gnupg-2.0.9/g10/getkey.c	2013-09-16 16:54:20.955952692 +0200
-@@ -1457,13 +1457,19 @@ parse_key_usage(PKT_signature *sig)
- 
-       if(flags)
- 	key_usage |= PUBKEY_USAGE_UNKNOWN;
-+
-+      if (!key_usage)
-+	key_usage |= PUBKEY_USAGE_NONE;
-     }
-+  else if (p) /* Key flags of length zero.  */
-+    key_usage |= PUBKEY_USAGE_NONE;
- 
-   /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
-      capability that we do not handle.  This serves to distinguish
-      between a zero key usage which we handle as the default
-      capabilities for that algorithm, and a usage that we do not
-     handle. */
-+     handle.  Likewise we use PUBKEY_USAGE_NONE to indicate that
-+     key_flags have been given but they do not specify any usage.  */
- 
-   return key_usage;
- }
-Index: gnupg-2.0.9/include/cipher.h
-===================================================================
--- gnupg-2.0.9.orig/include/cipher.h	2013-09-16 16:51:02.752624501 +0200
-+++ gnupg-2.0.9/include/cipher.h	2013-09-16 16:56:27.028429026 +0200
-@@ -62,6 +62,11 @@
- #define PUBKEY_USAGE_CERT    GCRY_PK_USAGE_CERT  /* Also good to certify keys. */
- #define PUBKEY_USAGE_AUTH    GCRY_PK_USAGE_AUTH  /* Good for authentication. */
- #define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN  /* Unknown usage flag. */
-+#define PUBKEY_USAGE_NONE    256                 /* No usage given. */
-+#if  (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \
-+      | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256
-+# error Please choose another value for PUBKEY_USAGE_NONE
-+#endif
- 
- #define DIGEST_ALGO_MD5       /*  1 */ GCRY_MD_MD5
- #define DIGEST_ALGO_SHA1      /*  2 */ GCRY_MD_SHA1
--- a/gpg2.changes
+++ b/gpg2.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Sat Oct  5 11:44:42 UTC 2013 - andreas.stieger@gmx.de
+
+- update to 2.0.22 [bnc#844175]
+  * Fixed possible infinite recursion in the compressed packet
+    parser. [CVE-2013-4402]
+  * Improved support for some card readers.
+  * Prepared building with the forthcoming Libgcrypt 1.6.
+  * Protect against rogue keyservers sending secret keys.
+- remove gpg2-CVE-2013-4351.patch, committed upstream
+
 -------------------------------------------------------------------
 Mon Sep 16 11:08:55 UTC 2013 - vcizek@suse.com

--- a/gpg2.spec
+++ b/gpg2.spec
@ -17,7 +17,7 @@


 Name:           gpg2
-Version:        2.0.21
+Version:        2.0.22
 Release:        0
 BuildRequires:  automake >= 1.10
 BuildRequires:  expect
@ -64,7 +64,6 @@ Patch8:         gnupg-set_umask_before_open_outfile.patch
 Patch9:         gnupg-detect_FIPS_mode.patch
 # PATCH-FIX-OPENSUSE coolo@suse.de -- automake 1.13 already includes $SHELL
 Patch10:        gnupg-2.0.20-automake113.diff
-Patch11:        gpg2-CVE-2013-4351.patch

 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

@ -84,7 +83,6 @@ gpg-agent, and a keybox library.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
-%patch11 -p1

 %build
 autoreconf -fi