Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gpgme for openSUSE:Factory checked in at 2021-07-16 22:12:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gpgme (Old) and /work/SRC/openSUSE:Factory/.gpgme.new.2632 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gpgme" Fri Jul 16 22:12:38 2021 rev:87 rq:905868 version:1.16.0 Changes: -------- --- /work/SRC/openSUSE:Factory/gpgme/gpgme.changes 2021-04-06 17:28:54.095064053 +0200 +++ /work/SRC/openSUSE:Factory/.gpgme.new.2632/gpgme.changes 2021-07-16 22:13:08.294662275 +0200 @@ -1,0 +2,17 @@ +Wed Jul 7 18:19:43 UTC 2021 - Andreas Stieger <[email protected]> + +- gpgme 1.16.0: + * New context flag "cert-expire" + * New data flags "io-buffer-size" and "sensitive" + * cpp,qt: Add support for trust signatures + * qt: Add support for flags in LDAP server options + * qt: Fix too high memory consumption due to QProcess + * qt: Do not set empty base DN as query of keyserver URL + * qt: Extend SignKeyJob to create signatures with expiration date + * python: New optional parameter filter_signatures for decrypt +- run all tests again +- add patches to fix tests: + * gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch + * gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch + +------------------------------------------------------------------- Old: ---- gpgme-1.15.1.tar.bz2 gpgme-1.15.1.tar.bz2.sig New: ---- gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch gpgme-1.16.0.tar.bz2 gpgme-1.16.0.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gpgme.spec ++++++ --- /var/tmp/diff_new_pack.KstTC5/_old 2021-07-16 22:13:08.902657979 +0200 +++ /var/tmp/diff_new_pack.KstTC5/_new 2021-07-16 22:13:08.902657979 +0200 
@@ -30,10 +30,10 @@ %endif %{!?python_module:%define python_module() python-%{**} python3-{**}} Name: gpgme%{psuffix} -Version: 1.15.1 +Version: 1.16.0 Release: 0 Summary: Programmatic library interface to GnuPG -License: LGPL-2.1-or-later AND GPL-3.0-or-later +License: GPL-3.0-or-later AND LGPL-2.1-or-later Group: Productivity/Security URL: https://www.gnupg.org/related_software/gpgme/ Source: ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-%{version}.tar.bz2 @@ -43,6 +43,8 @@ Source3: gpgme.keyring # used to have a fixed timestamp Source99: gpgme.changes +Patch0: gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch +Patch1: gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch BuildRequires: gcc-c++ BuildRequires: gpg2 >= 2.0.10 BuildRequires: libassuan-devel >= 2.4.2 @@ -147,6 +149,7 @@ This package contains the bindings to use the library from Python %{python_version} applications. %else + %package -n python2-gpg Summary: Python 2 bindings for GPGME, a library for accessing GnuPG Group: Development/Languages/Python @@ -204,10 +207,8 @@ %prep %setup -q -n gpgme-%{version} - -%ifarch %{ix86} -sed -i -e '/t-callbacks.py/d' lang/python/tests/Makefile.{am,in} -%endif +%patch0 -p1 +%patch1 -p1 %build build_timestamp=$(date -u +%{Y}-%{m}-%{dT}%{H}:%{M}+0000 -r %{SOURCE99}) @@ -263,7 +264,7 @@ %if !%{with qt} %files -%license COPYING COPYING.LESSER +%license COPYING COPYING.LESSER LICENSES %doc AUTHORS ChangeLog ChangeLog-2011 README NEWS THANKS TODO VERSION %{_bindir}/gpgme-tool %{_bindir}/gpgme-json @@ -272,9 +273,11 @@ %{_infodir}/gpgme* %files -n libgpgme11 +%license COPYING COPYING.LESSER LICENSES %{_libdir}/libgpgme.so.* %files -n libgpgme-devel +%license COPYING COPYING.LESSER LICENSES %{_libdir}/libgpgme.so %{_bindir}/gpgme-config %{_datadir}/aclocal/gpgme.m4 
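Review bot: In the %prep hunk the `%ifarch %{ix86}` block that removed `t-callbacks.py` from the Python test Makefiles is dropped, yet neither added patch names that test; going by their file names, Patch0 is for `t-edit-sign` and Patch1 for `t-various`. The changelog entry only says "run all tests again", so what made the callbacks test pass on ix86 is not visible here. I would record the reason in gpgme.changes, so a later ix86 test failure is not mistaken for a regression in the two patches. The `Patch0:`/`Patch1:` lines in the earlier hunk also carry no comment; a line such as `# PATCH-FIX-UPSTREAM gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch -- GnuPG-bug-id 5509` (and the same with 5522 for Patch1) would tell the next maintainer when they can be dropped.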
@@ -283,9 +286,11 @@ %{_libdir}/pkgconfig/gpgme-glib.pc %files -n libgpgmepp6 +%license COPYING COPYING.LESSER LICENSES %{_libdir}/libgpgmepp.so.* %files -n libgpgmepp-devel +%license COPYING COPYING.LESSER LICENSES %{_libdir}/libgpgmepp.so %{_includedir}/gpgme++ %dir %{_libdir}/cmake @@ -295,19 +300,23 @@ %if %{with python2} && ! 0%{?python_subpackage_only} %files -n python2-gpg +%license COPYING COPYING.LESSER LICENSES %{python_sitearch}/gpg* %endif %if %{with python3} || ( 0%{?python_subpackage_only} && %{with python2} ) %files %{python_files gpg} +%license COPYING COPYING.LESSER LICENSES %{python_sitearch}/gpg* %endif %if %{with qt} %files -n libqgpgme7 +%license COPYING COPYING.LESSER LICENSES %{_libdir}/libqgpgme.so.* %files -n libqgpgme-devel +%license COPYING COPYING.LESSER LICENSES %{_includedir}/qgpgme/ %{_includedir}/QGpgME/ %dir %{_libdir}/cmake ++++++ gpgme-1.16.0-Use-after-free-in-t-edit-sign-test.patch ++++++ >From 81a33ea5e1b86d586b956e893a5b25c4cd41c969 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ingo=20Kl=C3=B6cker?= <[email protected]> Date: Sat, 26 Jun 2021 18:02:47 +0200 Subject: [PATCH] core: Fix use-after-free issue in test * tests/gpg/t-edit-sign.c (sign_key, verify_key_signature): New. (main): Factored out signing and verifying the result. -- Factoring the two steps of the test into different functions fixes the use-after-free issue that was caused by accidentaly using a variable of the first step in the second step. GnuPG-bug-id: 5509 --- tests/gpg/t-edit-sign.c | 54 ++++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 17 deletions(-) diff --git a/tests/gpg/t-edit-sign.c b/tests/gpg/t-edit-sign.c index 2f983622..e0494c54 100644 --- a/tests/gpg/t-edit-sign.c +++ b/tests/gpg/t-edit-sign.c 
@@ -107,31 +107,19 @@ interact_fnc (void *opaque, const char *status, const char *args, int fd) } -int -main (int argc, char **argv) +void +sign_key (const char *key_fpr, const char *signer_fpr) { gpgme_ctx_t ctx; gpgme_error_t err; gpgme_data_t out = NULL; - const char *signer_fpr = "A0FF4590BB6122EDEF6E3C542D727CC768697734"; /* Alpha Test */ gpgme_key_t signing_key = NULL; - const char *key_fpr = "D695676BDCEDCC2CDD6152BCFE180B1DA9E3B0B2"; /* Bravo Test */ gpgme_key_t key = NULL; - gpgme_key_t signed_key = NULL; - gpgme_user_id_t signed_uid = NULL; - gpgme_key_sig_t key_sig = NULL; char *agent_info; - int mode; - - (void)argc; - (void)argv; - - init_gpgme (GPGME_PROTOCOL_OpenPGP); err = gpgme_new (&ctx); fail_if_err (err); - /* Sign the key */ agent_info = getenv("GPG_AGENT_INFO"); if (!(agent_info && strchr (agent_info, ':'))) gpgme_set_passphrase_cb (ctx, passphrase_cb, 0); @@ -159,8 +147,23 @@ main (int argc, char **argv) gpgme_data_release (out); gpgme_key_unref (key); gpgme_key_unref (signing_key); + gpgme_release (ctx); +} + + +void +verify_key_signature (const char *key_fpr, const char *signer_keyid) +{ + gpgme_ctx_t ctx; + gpgme_error_t err; + gpgme_key_t signed_key = NULL; + gpgme_user_id_t signed_uid = NULL; + gpgme_key_sig_t key_sig = NULL; + int mode; + + err = gpgme_new (&ctx); + fail_if_err (err); - /* Verify the key signature */ mode = gpgme_get_keylist_mode (ctx); mode |= GPGME_KEYLIST_MODE_SIGS; err = gpgme_set_keylist_mode (ctx, mode); @@ -168,7 +171,7 @@ main (int argc, char **argv) err = gpgme_get_key (ctx, key_fpr, &signed_key, 0); fail_if_err (err); - signed_uid = key->uids; + signed_uid = signed_key->uids; if (!signed_uid) { fprintf (stderr, "Signed key has no user IDs\n"); 
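Review bot: The helper introduced in the first t-edit-sign.c hunk is defined as `void sign_key (const char *key_fpr, const char *signer_fpr)` with external linkage, and `verify_key_signature` in the next hunk has the same issue. As far as the patch shows, both are called only from `main` in this file, so `static void sign_key (...)` and `static void verify_key_signature (...)` would keep the symbols file-local and avoid missing-prototype warnings. The removed `/* Sign the key */` and `/* Verify the key signature */` comments could be kept as one-line header comments on the two functions. A further line on `verify_key_signature` stating that it creates its own context and looks the key up again, rather than reusing objects already released by `sign_key`, would document the use-after-free this split is meant to prevent. Both function bodies extend beyond the lines shown in these hunks.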
@@ -180,7 +183,7 @@ main (int argc, char **argv) exit (1); } key_sig = signed_uid->signatures->next; - if (strcmp ("2D727CC768697734", key_sig->keyid)) + if (strcmp (signer_keyid, key_sig->keyid)) { fprintf (stderr, "Unexpected key ID in second user ID sig: %s\n", key_sig->keyid); @@ -196,6 +199,23 @@ main (int argc, char **argv) gpgme_key_unref (signed_key); gpgme_release (ctx); +} + + +int +main (int argc, char **argv) +{ + const char *signer_fpr = "A0FF4590BB6122EDEF6E3C542D727CC768697734"; /* Alpha Test */ + const char *signer_keyid = signer_fpr + strlen(signer_fpr) - 16; + const char *key_fpr = "D695676BDCEDCC2CDD6152BCFE180B1DA9E3B0B2"; /* Bravo Test */ + + (void)argc; + (void)argv; + + init_gpgme (GPGME_PROTOCOL_OpenPGP); + + sign_key (key_fpr, signer_fpr); + verify_key_signature (key_fpr, signer_keyid); return 0; } -- 2.32.0 ++++++ gpgme-1.16.0-t-various-testSignKeyWithExpiration-32-bit.patch ++++++ >From 6a79e90dedc19877ae1c520fed875b57089a5425 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Ingo=20Kl=C3=B6cker?= <[email protected]> Date: Thu, 8 Jul 2021 11:54:06 +0200 Subject: [PATCH] Make sure expiration time is interpreted as unsigned number * lang/qt/tests/t-various.cpp (testSignKeyWithExpiration): Convert expiration time to uint_least32_t. -- This fixes the test on 32-bit systems where time_t (the return type of expirationTime()) is a signed 32-bit integer type. GnuPG-bug-id: 5522 --- lang/qt/tests/t-various.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lang/qt/tests/t-various.cpp b/lang/qt/tests/t-various.cpp index 8563b681..72a2487a 100644 --- a/lang/qt/tests/t-various.cpp +++ b/lang/qt/tests/t-various.cpp 
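Review bot: In the new `main` of t-edit-sign.c, `signer_keyid = signer_fpr + strlen(signer_fpr) - 16` silently relies on the fingerprint string being at least 16 characters long, and the magic 16 is not explained. With the 40-character literal this is fine, but a shorter string would move the pointer before the start of the buffer. I would add a comment such as `/* long key ID: the last 16 hex digits of the fingerprint */` next to the declaration. In the preceding hunk `key_sig->keyid` is read right after `signed_uid->signatures->next` is taken; whatever check guards that dereference lies outside the visible lines, so it is worth confirming when applying the patch.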
@@ -355,7 +355,7 @@ private Q_SLOTS: target.update(); const auto keySignature = target.userID(0).signature(target.userID(0).numSignatures() - 1); QVERIFY(!keySignature.neverExpires()); - const auto expirationDate = QDateTime::fromSecsSinceEpoch(keySignature.expirationTime()).date(); + const auto expirationDate = QDateTime::fromSecsSinceEpoch(uint_least32_t(keySignature.expirationTime())).date(); QCOMPARE(expirationDate, QDate(2106, 2, 6)); // expiration date is capped at 2106-02-06 } -- 2.11.0 ++++++ gpgme-1.15.1.tar.bz2 -> gpgme-1.16.0.tar.bz2 ++++++ ++++ 5129 lines of diff (skipped)
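Review bot: The added cast `uint_least32_t(keySignature.expirationTime())` uses a type that is only guaranteed to be at least 32 bits wide, so reinterpreting a negative 32-bit `time_t` as the intended year-2106 value depends on the platform choosing exactly 32 bits. An exact-width type with a named cast states the intent: `QDateTime::fromSecsSinceEpoch(static_cast<quint32>(keySignature.expirationTime()))`. A comment such as `// time_t may be signed 32-bit; read it as unsigned so the 2106-02-06 cap does not turn negative` would keep the reason next to the code rather than only in the commit message. The type name is used unqualified, and whether `<cstdint>` is included is not visible in this hunk. The enclosing test function begins above the hunk.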
