Date: Sunday, January 27, 2013 @ 23:06:14 Author: bisson Revision: 176232
prevent keyring corruption when importing dodgy packets Added: gnupg/trunk/valid-keyblock-packet.patch Modified: gnupg/trunk/PKGBUILD -----------------------------+ PKGBUILD | 5 ++- valid-keyblock-packet.patch | 61 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+), 1 deletion(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2013-01-27 20:40:41 UTC (rev 176231) +++ PKGBUILD 2013-01-27 22:06:14 UTC (rev 176232) @@ -6,7 +6,7 @@ pkgname=gnupg pkgver=2.0.19 -pkgrel=4 +pkgrel=5 pkgdesc='Complete and free implementation of the OpenPGP standard' url='http://www.gnupg.org/' license=('GPL') @@ -17,9 +17,11 @@ makedepends=('curl' 'libldap' 'libusb-compat') depends=('bzip2' 'libksba' 'libgcrypt' 'pth' 'libassuan' 'readline' 'pinentry' 'dirmngr') source=("ftp://ftp.gnupg.org/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig} + 'valid-keyblock-packet.patch' 'protect-tool-env.patch') sha1sums=('190c09e6688f688fb0a5cf884d01e240d957ac1f' 'f6e6830610a8629b0aad69d789373bf8ca481733' + '474d827f1c2976bb107985047f61ac9096ae0953' '2ec97ba55ae47ff0d63bc813b8c64cb79cef11db') install=install @@ -31,6 +33,7 @@ build() { cd "${srcdir}/${pkgname}-${pkgver}" patch -p1 -i ../protect-tool-env.patch # FS#31900 + patch -p1 -i ../valid-keyblock-packet.patch ./configure --prefix=/usr --libexecdir=/usr/lib/gnupg make } Added: valid-keyblock-packet.patch =================================================================== --- valid-keyblock-packet.patch (rev 0) +++ valid-keyblock-packet.patch 2013-01-27 22:06:14 UTC (rev 176232) @@ -0,0 +1,61 @@ +From: Werner Koch <[email protected]> +Date: Thu, 20 Dec 2012 08:43:41 +0000 (+0100) +Subject: gpg: Import only packets which are allowed in a keyblock. +X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=498882296ffac7987c644aaf2a0aa108a2925471;hp=20c95ef258f8520283406239f7c6f4729341d463 + +gpg: Import only packets which are allowed in a keyblock. + +* g10/import.c (valid_keyblock_packet): New. +(read_block): Store only valid packets. +-- + +A corrupted key, which for example included a mangled public key +encrypted packet, used to corrupt the keyring. This change skips all +packets which are not allowed in a keyblock. + +GnuPG-bug-id: 1455 + +(cherry-picked from commit 3a4b96e665fa639772854058737ee3d54ba0694e) +--- + +diff --git a/g10/import.c b/g10/import.c +index ba2439d..ad112d6 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -347,6 +347,27 @@ import_print_stats (void *hd) + } + + ++/* Return true if PKTTYPE is valid in a keyblock. */ ++static int ++valid_keyblock_packet (int pkttype) ++{ ++ switch (pkttype) ++ { ++ case PKT_PUBLIC_KEY: ++ case PKT_PUBLIC_SUBKEY: ++ case PKT_SECRET_KEY: ++ case PKT_SECRET_SUBKEY: ++ case PKT_SIGNATURE: ++ case PKT_USER_ID: ++ case PKT_ATTRIBUTE: ++ case PKT_RING_TRUST: ++ return 1; ++ default: ++ return 0; ++ } ++} ++ ++ + /**************** + * Read the next keyblock from stream A. + * PENDING_PKT should be initialzed to NULL +@@ -424,7 +445,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root ) + } + in_cert = 1; + default: +- if( in_cert ) { ++ if (in_cert && valid_keyblock_packet (pkt->pkttype)) { + if( !root ) + root = new_kbnode( pkt ); + else
