Date: Monday, December 9, 2019 @ 19:54:58 Author: bisson Revision: 370562
db-move: moved gnupg from [testing] to [core] (x86_64) Added: gnupg/repos/core-x86_64/PKGBUILD (from rev 370561, gnupg/repos/testing-x86_64/PKGBUILD) gnupg/repos/core-x86_64/install (from rev 370561, gnupg/repos/testing-x86_64/install) gnupg/repos/core-x86_64/self-sigs-only.patch (from rev 370561, gnupg/repos/testing-x86_64/self-sigs-only.patch) Deleted: gnupg/repos/core-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch gnupg/repos/core-x86_64/PKGBUILD gnupg/repos/core-x86_64/install gnupg/repos/core-x86_64/self-sigs-only.patch gnupg/repos/testing-x86_64/ ----------------------------------------------------------------------+ /PKGBUILD | 66 +++++++ /install | 31 +++ /self-sigs-only.patch | 56 ++++++ core-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch | 84 ---------- core-x86_64/PKGBUILD | 69 -------- core-x86_64/install | 31 --- core-x86_64/self-sigs-only.patch | 56 ------ 7 files changed, 153 insertions(+), 240 deletions(-) Deleted: core-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch =================================================================== --- core-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch 2019-12-09 16:05:43 UTC (rev 370561) +++ core-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch 2019-12-09 19:54:58 UTC (rev 370562) 
@@ -1,84 +0,0 @@ -From 9ac182f376abf910a7b737b0e1ebd447eaa582f1 Mon Sep 17 00:00:00 2001 -From: Werner Koch <w...@gnupg.org> -Date: Fri, 29 Nov 2019 17:44:12 +0100 -Subject: [PATCH GnuPG] gpg: Fix double free with anonymous recipients. - -* g10/pubkey-enc.c (get_session_key): Do not release SK. --- - -Bug is in 2.2.18 only. - -The semantics of the enum_secret_keys function changed in master. -When back porting this for 2.2.18 I missed this change and thus we ran -into a double free. The patches fixes the regression but is it clumsy. -We need to change the enum_secret_keys interface to avoid such a -surprising behaviour; this needs to be done in master first. - -Regression-due-to: 9a317557c58d2bdcc504b70c366b77f4cac71df7 -GnuPG-bug-id: 4762 -Signed-off-by: Werner Koch <w...@gnupg.org> ---- - g10/pubkey-enc.c | 8 ++++++-- - g10/skclist.c | 7 +++++-- - 2 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/g10/pubkey-enc.c b/g10/pubkey-enc.c -index 71a48cc41..4e6f893f3 100644 ---- a/g10/pubkey-enc.c -+++ b/g10/pubkey-enc.c -@@ -114,11 +114,11 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek) - - for (;;) - { -- free_public_key (sk); - sk = xmalloc_clear (sizeof *sk); - rc = enum_secret_keys (ctrl, &enum_context, sk); - if (rc) - { -+ sk = NULL; /* enum_secret_keys turns SK into a shallow copy! */ - rc = GPG_ERR_NO_SECKEY; - break; - } -@@ -148,10 +148,14 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek) - { - if (!opt.quiet) - log_info (_("okay, we are the anonymous recipient.\n")); -+ sk = NULL; - break; - } - else if (gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED) -- break; /* Don't try any more secret keys. */ -+ { -+ sk = NULL; -+ break; /* Don't try any more secret keys. 
*/ -+ } - } - enum_secret_keys (ctrl, &enum_context, NULL); /* free context */ - } -diff --git a/g10/skclist.c b/g10/skclist.c -index 8817ee904..5a32b6a17 100644 ---- a/g10/skclist.c -+++ b/g10/skclist.c -@@ -292,14 +292,17 @@ build_sk_list (ctrl_t ctrl, - * --default-key and --try-secret-key). Use the following procedure: - * - * 1) Initialize a void pointer to NULL -- * 2) Pass a reference to this pointer to this function (content) -- * and provide space for the secret key (sk) -+ * 2) Pass a reference to this pointer to this function (CONTEXT) -+ * and provide space for the secret key (SK) - * 3) Call this function as long as it does not return an error (or - * until you are done). The error code GPG_ERR_EOF indicates the - * end of the listing. - * 4) Call this function a last time with SK set to NULL, - * so that can free it's context. - * -+ * TAKE CARE: When the function returns SK belongs to CONTEXT and may -+ * not be freed by the caller; neither on success nor on error. -+ * - * In pseudo-code: - * - * void *ctx = NULL; --- -2.11.0 - Deleted: core-x86_64/PKGBUILD =================================================================== --- core-x86_64/PKGBUILD 2019-12-09 16:05:43 UTC (rev 370561) +++ core-x86_64/PKGBUILD 2019-12-09 19:54:58 UTC (rev 370562) 
@@ -1,69 +0,0 @@ -# Maintainer: Gaetan Bisson <bis...@archlinux.org> -# Contributor: Tobias Powalowski <tp...@archlinux.org> -# Contributor: Andreas Radke <andy...@archlinux.org> -# Contributor: Judd Vinet <jvi...@zeroflux.org> - -pkgname=gnupg -pkgver=2.2.18 -pkgrel=2 -pkgdesc='Complete and free implementation of the OpenPGP standard' -url='https://www.gnupg.org/' -license=('GPL') -arch=('x86_64') -checkdepends=('openssh') -makedepends=('libldap' 'libusb-compat' 'pcsclite') -depends=('npth' 'libgpg-error' 'libgcrypt' 'libksba' 'libassuan' - 'pinentry' 'bzip2' 'readline' 'gnutls' 'sqlite') -optdepends=('libldap: gpg2keys_ldap' - 'libusb-compat: scdaemon' - 'pcsclite: scdaemon') -validpgpkeys=('D8692123C4065DEA5E0F3AB5249B39D24F25E3B6' - '46CC730865BB5C78EBABADCF04376F3EE0856959' - '031EC2536E580D8EA286A9F22071B08A33BD3F06' - '5B80C5754298F0CB55D8ED6ABCEF7E294B092E28') -source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig} - '0001-gpg-Fix-double-free-with-anonymous-recipients.patch' - 'self-sigs-only.patch') -sha256sums=('30d37ce2ca55b2b9b61480b2a175a3b22066ab41cd3f84688448919b566dec0a' - 'SKIP' - 'f7f533c37354e1fbafd7c9db67f5b5792745f7b0a68a5132a09f241896942903' - '0130c43321c16f53ab2290833007212f8a26b1b73bd4edc2b2b1c9db2b2d0218') - -install=install - -prepare() { - cd "${srcdir}/${pkgname}-${pkgver}" - sed '/noinst_SCRIPTS = gpg-zip/c sbin_SCRIPTS += gpg-zip' -i tools/Makefile.in - patch -R -p1 -i ../self-sigs-only.patch - patch -p1 -i ../0001-gpg-Fix-double-free-with-anonymous-recipients.patch # FS#64663 -} - -build() { - cd "${srcdir}/${pkgname}-${pkgver}" - ./configure \ - --prefix=/usr \ - --sysconfdir=/etc \ - --sbindir=/usr/bin \ - --libexecdir=/usr/lib/gnupg \ - --enable-maintainer-mode \ - --enable-symcryptrun \ - - make -} - -check() { - cd "${srcdir}/${pkgname}-${pkgver}" - make check -} - -package() { - cd "${srcdir}/${pkgname}-${pkgver}" - make DESTDIR="${pkgdir}" install - ln -s gpg "${pkgdir}"/usr/bin/gpg2 - ln -s gpgv 
"${pkgdir}"/usr/bin/gpgv2 - - cd doc/examples/systemd-user - for i in *.*; do - install -Dm644 "$i" "${pkgdir}/usr/lib/systemd/user/$i" - done -} Copied: gnupg/repos/core-x86_64/PKGBUILD (from rev 370561, gnupg/repos/testing-x86_64/PKGBUILD) =================================================================== --- core-x86_64/PKGBUILD (rev 0) +++ core-x86_64/PKGBUILD 2019-12-09 19:54:58 UTC (rev 370562) 
@@ -0,0 +1,66 @@
+# Maintainer: Gaetan Bisson <bis...@archlinux.org>
+# Contributor: Tobias Powalowski <tp...@archlinux.org>
+# Contributor: Andreas Radke <andy...@archlinux.org>
+# Contributor: Judd Vinet <jvi...@zeroflux.org>
+
+pkgname=gnupg
+pkgver=2.2.19
+pkgrel=1
+pkgdesc='Complete and free implementation of the OpenPGP standard'
+url='https://www.gnupg.org/'
+license=('GPL')
+arch=('x86_64')
+checkdepends=('openssh')
+makedepends=('libldap' 'libusb-compat' 'pcsclite')
+depends=('npth' 'libgpg-error' 'libgcrypt' 'libksba' 'libassuan'
+ 'pinentry' 'bzip2' 'readline' 'gnutls' 'sqlite')
+optdepends=('libldap: gpg2keys_ldap'
+ 'libusb-compat: scdaemon'
+ 'pcsclite: scdaemon')
+validpgpkeys=('D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'
+ '46CC730865BB5C78EBABADCF04376F3EE0856959'
+ '031EC2536E580D8EA286A9F22071B08A33BD3F06'
+ '5B80C5754298F0CB55D8ED6ABCEF7E294B092E28')
+source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig}
+ 'self-sigs-only.patch')
+sha256sums=('242554c0e06f3a83c420b052f750b65ead711cc3fddddb5e7274fcdbb4e9dec0'
+ 'SKIP'
+ '0130c43321c16f53ab2290833007212f8a26b1b73bd4edc2b2b1c9db2b2d0218')
+
+install=install
+
+prepare() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ sed '/noinst_SCRIPTS = gpg-zip/c sbin_SCRIPTS += gpg-zip' -i tools/Makefile.in
+ patch -R -p1 -i ../self-sigs-only.patch
+}
+
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib/gnupg \
+ --enable-maintainer-mode \
+ --enable-symcryptrun \
+
+ make
+}
+
+check() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make check
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make DESTDIR="${pkgdir}" install
+ ln -s gpg "${pkgdir}"/usr/bin/gpg2
+ ln -s gpgv "${pkgdir}"/usr/bin/gpgv2
+
+ cd doc/examples/systemd-user
+ for i in *.*; do
+ install -Dm644 "$i" "${pkgdir}/usr/lib/systemd/user/$i"
+ done
+}
Deleted: core-x86_64/install
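Review bot: In `prepare()`, `patch -R -p1 -i ../self-sigs-only.patch` backs out an upstream change rather than applying one, and the PKGBUILD carries no comment saying so. According to the patch text shipped in this same commit, that upstream change made `self-sigs-only` and `import-clean` the default keyserver import options in response to the DoS attack on the keyservers (GnuPG-bug-id 4607), so this build presumably goes back to importing third-party key signatures from keyservers by default. Since the package is moving into [core], I would record the reason and the trade-off next to that line, e.g. `# Reverts upstream default of self-sigs-only,import-clean (GnuPG bug 4607); keyserver imports keep third-party signatures`. Users who want the upstream default then have to set `keyserver-options self-sigs-only,import-clean` in gpg.conf themselves, which is worth stating in the same comment.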
===================================================================
--- core-x86_64/install 2019-12-09 16:05:43 UTC (rev 370561)
+++ core-x86_64/install 2019-12-09 19:54:58 UTC (rev 370562)
@@ -1,31 +0,0 @@
-_global_units() {
- _units=(dirmngr.socket gpg-agent.socket gpg-agent-{browser,extra,ssh}.socket)
- _dir=/etc/systemd/user/sockets.target.wants
-
- case $1 in
- enable)
- mkdir -p $_dir
- for _u in "${_units[@]}"; do
- ln -sf /usr/lib/systemd/user/$_u $_dir/$_u
- done
- ;;
- disable)
- for _u in "${_units[@]}"; do
- rm -f $_dir/$_u
- done
- rmdir -p --ignore-fail-on-non-empty $_dir
- ;;
- esac
-}
-
-post_install() {
- # See FS#42798 and FS#47371
- dirmngr </dev/null &>/dev/null
-
- # Let systemd supervise daemons by default
- _global_units enable
-}
-
-pre_remove() {
- _global_units disable
-}
Copied: gnupg/repos/core-x86_64/install (from rev 370561, gnupg/repos/testing-x86_64/install)
===================================================================
--- core-x86_64/install (rev 0)
+++ core-x86_64/install 2019-12-09 19:54:58 UTC (rev 370562)
@@ -0,0 +1,31 @@
+_global_units() {
+ _units=(dirmngr.socket gpg-agent.socket gpg-agent-{browser,extra,ssh}.socket)
+ _dir=/etc/systemd/user/sockets.target.wants
+
+ case $1 in
+ enable)
+ mkdir -p $_dir
+ for _u in "${_units[@]}"; do
+ ln -sf /usr/lib/systemd/user/$_u $_dir/$_u
+ done
+ ;;
+ disable)
+ for _u in "${_units[@]}"; do
+ rm -f $_dir/$_u
+ done
+ rmdir -p --ignore-fail-on-non-empty $_dir
+ ;;
+ esac
+}
+
+post_install() {
+ # See FS#42798 and FS#47371
+ dirmngr </dev/null &>/dev/null
+
+ # Let systemd supervise daemons by default
+ _global_units enable
+}
+
+pre_remove() {
+ _global_units disable
+}
Deleted: core-x86_64/self-sigs-only.patch
===================================================================
--- core-x86_64/self-sigs-only.patch 2019-12-09 16:05:43 UTC (rev 370561)
+++ core-x86_64/self-sigs-only.patch 2019-12-09 19:54:58 UTC (rev 370562)
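Review bot: In the added `install` scriptlet, `_global_units` assigns `_units`, `_dir` and the loop variable `_u` without `local`, and expands `$_dir` and `$_u` unquoted in `mkdir`, `ln`, `rm` and `rmdir`. With the fixed values shown this is harmless today, but these commands presumably run as root at install and removal time, so a later edit to either value should not be able to change what gets linked or removed. I would declare `local _u _dir=/etc/systemd/user/sockets.target.wants` and quote the expansions, e.g. `ln -sf "/usr/lib/systemd/user/$_u" "$_dir/$_u"`. The `disable` branch needs the same quoting.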
@@ -1,56 +0,0 @@ -From: Werner Koch <w...@gnupg.org> -Date: Thu, 4 Jul 2019 13:45:39 +0000 (+0200) -Subject: gpg: Add "self-sigs-only" and "import-clean" to the keyserver options. -X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=23c978640812d123eaffd4108744bdfcf48f7c93 - -gpg: Add "self-sigs-only" and "import-clean" to the keyserver options. - -* g10/gpg.c (main): Change default. --- - -Due to the DoS attack on the keyeservers we do not anymore default to -import key signatures. That makes the keyserver unsuable for getting -keys for the WoT but it still allows to retriev keys - even if that -takes long to download the large keyblocks. - -To revert to the old behavior add - - keyserver-optiions no-self-sigs-only,no-import-clean - -to gpg.conf. - -GnuPG-bug-id: 4607 -Signed-off-by: Werner Koch <w...@gnupg.org> ---- - -diff --git a/doc/gpg.texi b/doc/gpg.texi -index 8feab8218..9513a4e0f 100644 ---- a/doc/gpg.texi -+++ b/doc/gpg.texi -@@ -1917,6 +1917,11 @@ are available for all keyserver types, some common options are: - - @end table - -+The default list of options is: "self-sigs-only, import-clean, -+repair-keys, repair-pks-subkey-bug, export-attributes, -+honor-pka-record". 
-+ -+ - @item --completes-needed @var{n} - @opindex compliant-needed - Number of completely trusted users to introduce a new -diff --git a/g10/gpg.c b/g10/gpg.c -index 66e47dde5..0bbe72394 100644 ---- a/g10/gpg.c -+++ b/g10/gpg.c -@@ -2424,7 +2424,9 @@ main (int argc, char **argv) - opt.import_options = IMPORT_REPAIR_KEYS; - opt.export_options = EXPORT_ATTRIBUTES; - opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS -- | IMPORT_REPAIR_PKS_SUBKEY_BUG); -+ | IMPORT_REPAIR_PKS_SUBKEY_BUG -+ | IMPORT_SELF_SIGS_ONLY -+ | IMPORT_CLEAN); - opt.keyserver_options.export_options = EXPORT_ATTRIBUTES; - opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD; - opt.verify_options = (LIST_SHOW_UID_VALIDITY Copied: gnupg/repos/core-x86_64/self-sigs-only.patch (from rev 370561, gnupg/repos/testing-x86_64/self-sigs-only.patch) =================================================================== --- core-x86_64/self-sigs-only.patch (rev 0) +++ core-x86_64/self-sigs-only.patch 2019-12-09 19:54:58 UTC (rev 370562) 
@@ -0,0 +1,56 @@ +From: Werner Koch <w...@gnupg.org> +Date: Thu, 4 Jul 2019 13:45:39 +0000 (+0200) +Subject: gpg: Add "self-sigs-only" and "import-clean" to the keyserver options. +X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=23c978640812d123eaffd4108744bdfcf48f7c93 + +gpg: Add "self-sigs-only" and "import-clean" to the keyserver options. + +* g10/gpg.c (main): Change default. +-- + +Due to the DoS attack on the keyeservers we do not anymore default to +import key signatures. That makes the keyserver unsuable for getting +keys for the WoT but it still allows to retriev keys - even if that +takes long to download the large keyblocks. + +To revert to the old behavior add + + keyserver-optiions no-self-sigs-only,no-import-clean + +to gpg.conf. + +GnuPG-bug-id: 4607 +Signed-off-by: Werner Koch <w...@gnupg.org> +--- + +diff --git a/doc/gpg.texi b/doc/gpg.texi +index 8feab8218..9513a4e0f 100644 +--- a/doc/gpg.texi ++++ b/doc/gpg.texi +@@ -1917,6 +1917,11 @@ are available for all keyserver types, some common options are: + + @end table + ++The default list of options is: "self-sigs-only, import-clean, ++repair-keys, repair-pks-subkey-bug, export-attributes, ++honor-pka-record". ++ ++ + @item --completes-needed @var{n} + @opindex compliant-needed + Number of completely trusted users to introduce a new +diff --git a/g10/gpg.c b/g10/gpg.c +index 66e47dde5..0bbe72394 100644 +--- a/g10/gpg.c ++++ b/g10/gpg.c +@@ -2424,7 +2424,9 @@ main (int argc, char **argv) + opt.import_options = IMPORT_REPAIR_KEYS; + opt.export_options = EXPORT_ATTRIBUTES; + opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS +- | IMPORT_REPAIR_PKS_SUBKEY_BUG); ++ | IMPORT_REPAIR_PKS_SUBKEY_BUG ++ | IMPORT_SELF_SIGS_ONLY ++ | IMPORT_CLEAN); + opt.keyserver_options.export_options = EXPORT_ATTRIBUTES; + opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD; + opt.verify_options = (LIST_SHOW_UID_VALIDITY