Hello community, here is the log from the commit of package gpg2 for openSUSE:Factory checked in at 2013-09-17 15:02:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gpg2 (Old) and /work/SRC/openSUSE:Factory/.gpg2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gpg2" Changes: -------- --- /work/SRC/openSUSE:Factory/gpg2/gpg2.changes 2013-08-21 13:45:39.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.gpg2.new/gpg2.changes 2013-09-17 15:02:37.000000000 +0200 @@ -1,0 +2,5 @@ +Mon Sep 16 11:08:55 UTC 2013 - [email protected] + +- fix CVE-2013-4351 (bnc#840510) + +------------------------------------------------------------------- New: ---- gpg2-CVE-2013-4351.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gpg2.spec ++++++ --- /var/tmp/diff_new_pack.CwZzc6/_old 2013-09-17 15:02:37.000000000 +0200 +++ /var/tmp/diff_new_pack.CwZzc6/_new 2013-09-17 15:02:37.000000000 +0200 @@ -64,6 +64,7 @@ Patch9: gnupg-detect_FIPS_mode.patch # PATCH-FIX-OPENSUSE [email protected] -- automake 1.13 already includes $SHELL Patch10: gnupg-2.0.20-automake113.diff +Patch11: gpg2-CVE-2013-4351.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -83,6 +84,7 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 %build autoreconf -fi ++++++ gpg2-CVE-2013-4351.patch ++++++ commit 8f8f3984e82a025cf1384132a419f67f39c7e07d Author: Werner Koch <wk <at> gnupg.org> Date: Fri Mar 15 15:46:03 2013 +0100 gpg: Distinguish between missing and cleared key flags. * include/cipher.h (PUBKEY_USAGE_NONE): New. * g10/getkey.c (parse_key_usage): Set new flag. -- We do not want to use the default capabilities (derived from the algorithm) if any key flags are given in a signature. Thus if key flags are used in any way, the default key capabilities are never used. This allows to create a key with key flags set to all zero so it can't be used. This better reflects common sense. Modified g10/getkey.c Index: gnupg-2.0.9/g10/getkey.c =================================================================== --- gnupg-2.0.9.orig/g10/getkey.c 2013-09-16 16:51:02.752624501 +0200 +++ gnupg-2.0.9/g10/getkey.c 2013-09-16 16:54:20.955952692 +0200 @@ -1457,13 +1457,19 @@ parse_key_usage(PKT_signature *sig) if(flags) key_usage |= PUBKEY_USAGE_UNKNOWN; + + if (!key_usage) + key_usage |= PUBKEY_USAGE_NONE; } + else if (p) /* Key flags of length zero. */ + key_usage |= PUBKEY_USAGE_NONE; /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a capability that we do not handle. This serves to distinguish between a zero key usage which we handle as the default capabilities for that algorithm, and a usage that we do not - handle. */ + handle. Likewise we use PUBKEY_USAGE_NONE to indicate that + key_flags have been given but they do not specify any usage. */ return key_usage; } Index: gnupg-2.0.9/include/cipher.h =================================================================== --- gnupg-2.0.9.orig/include/cipher.h 2013-09-16 16:51:02.752624501 +0200 +++ gnupg-2.0.9/include/cipher.h 2013-09-16 16:56:27.028429026 +0200 @@ -62,6 +62,11 @@ #define PUBKEY_USAGE_CERT GCRY_PK_USAGE_CERT /* Also good to certify keys. */ #define PUBKEY_USAGE_AUTH GCRY_PK_USAGE_AUTH /* Good for authentication. */ #define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN /* Unknown usage flag. */ +#define PUBKEY_USAGE_NONE 256 /* No usage given. */ +#if (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \ + | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256 +# error Please choose another value for PUBKEY_USAGE_NONE +#endif #define DIGEST_ALGO_MD5 /* 1 */ GCRY_MD_MD5 #define DIGEST_ALGO_SHA1 /* 2 */ GCRY_MD_SHA1 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
