From be1a8efbc36c2c23d0b7ff26191fb36d02dc4ebf224959e3e732e1e5d017e545 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=C4=9Bzslav=20=C4=8C=C3=AD=C5=BEek?=
 <vcizek@suse.com>
Date: Sat, 5 Oct 2013 15:00:23 +0000
Subject: [PATCH] Accepting request 202365 from
 home:AndreasStieger:branches:Base:System

update to 2.0.22 [bnc#844175] [CVE-2013-4402]

OBS-URL: https://build.opensuse.org/request/show/202365
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=65
---
 gnupg-2.0.21.tar.bz2     |   3 --
 gnupg-2.0.21.tar.bz2.sig | Bin 287 -> 0 bytes
 gnupg-2.0.22.tar.bz2     |   3 ++
 gnupg-2.0.22.tar.bz2.sig | Bin 0 -> 287 bytes
 gnupg-2.0.9-RSA_ES.patch |  30 ++++++++++----------
 gpg2-CVE-2013-4351.patch |  60 ---------------------------------------
 gpg2.changes             |  11 +++++++
 gpg2.spec                |   4 +--
 8 files changed, 30 insertions(+), 81 deletions(-)
 delete mode 100644 gnupg-2.0.21.tar.bz2
 delete mode 100644 gnupg-2.0.21.tar.bz2.sig
 create mode 100644 gnupg-2.0.22.tar.bz2
 create mode 100644 gnupg-2.0.22.tar.bz2.sig
 delete mode 100644 gpg2-CVE-2013-4351.patch

diff --git a/gnupg-2.0.21.tar.bz2 b/gnupg-2.0.21.tar.bz2
deleted file mode 100644
index d5090d0..0000000
--- a/gnupg-2.0.21.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:00df8902c7cef4d2440d36ca2a45985853eb36c34a4163bc995c3578030eeef5
-size 4300604
diff --git a/gnupg-2.0.21.tar.bz2.sig b/gnupg-2.0.21.tar.bz2.sig
deleted file mode 100644
index 4776f67262f29250fd8c2bc821bfdccdeb2bb7b936bad5691424a4824eb7e102..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 287
zcmV+)0pR|L0UQJX0SEvF1p-nM4TS&-2@oWkInqxh<F=Li2mqjY0ma<VRcjlFfEX@k
zX)!nHD+$Ht;;}vDjxIh8iY;$OD*M@U-|W93PeaP%GF|*wC%u;_+_Xd`_09Mgc^+MJ
z{eDU-)GDV8+DQ}NW~?1=(TM{tcq2|JA&Kum_fsEO{Vb(WEjt@NIIWx7bIGi`Eic7O
zI*YJN6j1Y9N^OY*9ulB<jmjttyV2BdjUa`)@wASw6<VzrG=QS|m_fZiTc*k(PQ7Gn
zSmvW#0KyHHRZk;R^2HaogJp<aHRr@JcA_`$Y-|(%O|EHH|BapRXD%?cfVo`%k`m0{
lRpxkt7B`_ty!KLPKCW#qx?Gt~dt6ZI22{t$4<M_Wb%)5cfQ<kE

diff --git a/gnupg-2.0.22.tar.bz2 b/gnupg-2.0.22.tar.bz2
new file mode 100644
index 0000000..348852d
--- /dev/null
+++ b/gnupg-2.0.22.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:437d0ab259854359fc48aa8795af80cff4975e559c111c92c03d0bc91408e251
+size 4277117
diff --git a/gnupg-2.0.22.tar.bz2.sig b/gnupg-2.0.22.tar.bz2.sig
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..462c9be97c54ddf5ba789f4e16d7b00da55f72a74565211df7dbec828e6bf0de
GIT binary patch
literal 287
zcmV+)0pR|L0UQJX0SEvF1p-n}0aySE2@oWkInqxh<F;Pd2mU*9qw0#eTynnLtRj^c
zl0A%tE;aCw%Ks7T(3xp|u9=tsJc0K9%M+Ax<B}WVCmpy`AA=ER6mo<E3L$ew{AdTk
zAqpUppo_uy706$DMwDhm`@HZx)R?gtl?<DcENZp@Dg!{XkWRUduqeHi_ZbPWB50mX
z^JUeqh1m#8E`%wyAkNYpTBE&p!7c>XGay<S$rhQ3MY89#x|}YXdNYmF>Hgmoi>_AS
zY;Mh~+<R(nJChb<ov52}V8DVjuxxq|2zc#!9fm(#@_K=q79Xhv^FY<1HIZQ`Qd-MS
lVM*K$*Jjc?UL@jV*%4xf@SdLRAbImdrl`J2MH*L{9h@IVg3tf}

literal 0
HcmV?d00001

diff --git a/gnupg-2.0.9-RSA_ES.patch b/gnupg-2.0.9-RSA_ES.patch
index 656254a..e66e23b 100644
--- a/gnupg-2.0.9-RSA_ES.patch
+++ b/gnupg-2.0.9-RSA_ES.patch
@@ -3,43 +3,43 @@
 # g10/misc.c |    8 ++++++++
 # 1 file changed, 8 insertions(+)
 #
-Index: gnupg-2.0.20/g10/misc.c
+Index: gnupg-2.0.22/g10/misc.c
 ===================================================================
---- gnupg-2.0.20.orig/g10/misc.c	2013-05-10 13:55:47.000000000 +0100
-+++ gnupg-2.0.20/g10/misc.c	2013-05-10 19:57:18.000000000 +0100
-@@ -1326,6 +1326,8 @@ pubkey_get_npkey( int algo )
+--- gnupg-2.0.22.orig/g10/misc.c	2013-10-04 16:54:48.000000000 +0100
++++ gnupg-2.0.22/g10/misc.c	2013-10-05 12:39:16.000000000 +0100
+@@ -1333,6 +1333,8 @@ pubkey_get_npkey( int algo )
  
    if (algo == GCRY_PK_ELG_E)
      algo = GCRY_PK_ELG;
 +  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
 +    algo = GCRY_PK_RSA;
-   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NPKEY, NULL, &n))
+   if (gcry_pk_algo_info (map_pk_openpgp_to_gcry (algo),
+                          GCRYCTL_GET_ALGO_NPKEY, NULL, &n))
      n = 0;
-   return n;
-@@ -1339,6 +1341,8 @@ pubkey_get_nskey( int algo )
+@@ -1353,6 +1355,8 @@ pubkey_get_nskey( int algo )
  
    if (algo == GCRY_PK_ELG_E)
      algo = GCRY_PK_ELG;
 +  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
 +    algo = GCRY_PK_RSA;
-   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NSKEY, NULL, &n ))
+   if (gcry_pk_algo_info (map_pk_openpgp_to_gcry (algo),
+                          GCRYCTL_GET_ALGO_NSKEY, NULL, &n ))
      n = 0;
-   return n;
-@@ -1352,6 +1356,8 @@ pubkey_get_nsig( int algo )
+@@ -1373,6 +1377,8 @@ pubkey_get_nsig( int algo )
  
    if (algo == GCRY_PK_ELG_E)
      algo = GCRY_PK_ELG;
 +  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
 +    algo = GCRY_PK_RSA;
-   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NSIGN, NULL, &n))
+   if (gcry_pk_algo_info (map_pk_openpgp_to_gcry (algo),
+                          GCRYCTL_GET_ALGO_NSIGN, NULL, &n))
      n = 0;
-   return n;
-@@ -1365,6 +1371,8 @@ pubkey_get_nenc( int algo )
+@@ -1393,6 +1399,8 @@ pubkey_get_nenc( int algo )
  
    if (algo == GCRY_PK_ELG_E)
      algo = GCRY_PK_ELG;
 +  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
 +    algo = GCRY_PK_RSA;
-   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NENCR, NULL, &n ))
+   if (gcry_pk_algo_info (map_pk_openpgp_to_gcry (algo),
+                          GCRYCTL_GET_ALGO_NENCR, NULL, &n ))
      n = 0;
-   return n;
diff --git a/gpg2-CVE-2013-4351.patch b/gpg2-CVE-2013-4351.patch
deleted file mode 100644
index ec1b1bc..0000000
--- a/gpg2-CVE-2013-4351.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-commit 8f8f3984e82a025cf1384132a419f67f39c7e07d 
-Author: Werner Koch <wk <at> gnupg.org>
-Date:   Fri Mar 15 15:46:03 2013 +0100
-
-    gpg: Distinguish between missing and cleared key flags.
-
-    * include/cipher.h (PUBKEY_USAGE_NONE): New.
-    * g10/getkey.c (parse_key_usage): Set new flag.
-    --
-
-    We do not want to use the default capabilities (derived from the
-    algorithm) if any key flags are given in a signature.  Thus if key
-    flags are used in any way, the default key capabilities are never
-    used.
-
-    This allows to create a key with key flags set to all zero so it can't
-    be used.  This better reflects common sense.
-
-	Modified g10/getkey.c
-Index: gnupg-2.0.9/g10/getkey.c
-===================================================================
---- gnupg-2.0.9.orig/g10/getkey.c	2013-09-16 16:51:02.752624501 +0200
-+++ gnupg-2.0.9/g10/getkey.c	2013-09-16 16:54:20.955952692 +0200
-@@ -1457,13 +1457,19 @@ parse_key_usage(PKT_signature *sig)
- 
-       if(flags)
- 	key_usage |= PUBKEY_USAGE_UNKNOWN;
-+
-+      if (!key_usage)
-+	key_usage |= PUBKEY_USAGE_NONE;
-     }
-+  else if (p) /* Key flags of length zero.  */
-+    key_usage |= PUBKEY_USAGE_NONE;
- 
-   /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
-      capability that we do not handle.  This serves to distinguish
-      between a zero key usage which we handle as the default
-      capabilities for that algorithm, and a usage that we do not
--     handle. */
-+     handle.  Likewise we use PUBKEY_USAGE_NONE to indicate that
-+     key_flags have been given but they do not specify any usage.  */
- 
-   return key_usage;
- }
-Index: gnupg-2.0.9/include/cipher.h
-===================================================================
---- gnupg-2.0.9.orig/include/cipher.h	2013-09-16 16:51:02.752624501 +0200
-+++ gnupg-2.0.9/include/cipher.h	2013-09-16 16:56:27.028429026 +0200
-@@ -62,6 +62,11 @@
- #define PUBKEY_USAGE_CERT    GCRY_PK_USAGE_CERT  /* Also good to certify keys. */
- #define PUBKEY_USAGE_AUTH    GCRY_PK_USAGE_AUTH  /* Good for authentication. */
- #define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN  /* Unknown usage flag. */
-+#define PUBKEY_USAGE_NONE    256                 /* No usage given. */
-+#if  (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \
-+      | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256
-+# error Please choose another value for PUBKEY_USAGE_NONE
-+#endif
- 
- #define DIGEST_ALGO_MD5       /*  1 */ GCRY_MD_MD5
- #define DIGEST_ALGO_SHA1      /*  2 */ GCRY_MD_SHA1
diff --git a/gpg2.changes b/gpg2.changes
index 1545167..4b061f3 100644
--- a/gpg2.changes
+++ b/gpg2.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Sat Oct  5 11:44:42 UTC 2013 - andreas.stieger@gmx.de
+
+- update to 2.0.22 [bnc#844175]
+  * Fixed possible infinite recursion in the compressed packet
+    parser. [CVE-2013-4402]
+  * Improved support for some card readers.
+  * Prepared building with the forthcoming Libgcrypt 1.6.
+  * Protect against rogue keyservers sending secret keys.
+- remove gpg2-CVE-2013-4351.patch, committed upstream
+
 -------------------------------------------------------------------
 Mon Sep 16 11:08:55 UTC 2013 - vcizek@suse.com
 
diff --git a/gpg2.spec b/gpg2.spec
index b44bf64..7361834 100644
--- a/gpg2.spec
+++ b/gpg2.spec
@@ -17,7 +17,7 @@
 
 
 Name:           gpg2
-Version:        2.0.21
+Version:        2.0.22
 Release:        0
 BuildRequires:  automake >= 1.10
 BuildRequires:  expect
@@ -64,7 +64,6 @@ Patch8:         gnupg-set_umask_before_open_outfile.patch
 Patch9:         gnupg-detect_FIPS_mode.patch
 # PATCH-FIX-OPENSUSE coolo@suse.de -- automake 1.13 already includes $SHELL
 Patch10:        gnupg-2.0.20-automake113.diff
-Patch11:        gpg2-CVE-2013-4351.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -84,7 +83,6 @@ gpg-agent, and a keybox library.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
-%patch11 -p1
 
 %build
 autoreconf -fi