Hello community, here is the log from the commit of package gnome-keyring for openSUSE:Factory checked in at 2016-08-25 09:51:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnome-keyring (Old) and /work/SRC/openSUSE:Factory/.gnome-keyring.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnome-keyring" Changes: --------
--- /work/SRC/openSUSE:Factory/gnome-keyring/gnome-keyring.changes 2016-03-29 14:50:10.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.gnome-keyring.new/gnome-keyring.changes 2016-08-25 09:51:26.000000000 +0200
@@ -1,0 +2,17 @@
+Sat Aug 20 14:32:13 UTC 2016 - [email protected]
+
+- Merge
+ bnc#903966-SEGV-in-gnome-keyring-daemon-caused-by-calling-free-on-static-string.patch
+ into gnome-keyring-896818-reduce-head-msg-length.patch:
+ bsc#903966 is just a regression caused by bsc#896818 anyway
+ (bsc#896818, bsc#903966, bgo#770170).
+
+-------------------------------------------------------------------
+Thu May 5 01:43:01 CEST 2016 - [email protected]
+
+- Rebase gnome-keyring-bsc932232-use-non-fips-md5.patch for
+ version 3.20.0 (bsc#932232, bsc#966229, bsc#966225).
+- Drop gnome-keyring-bsc961271-secmem-mismatch.patch (fixed
+ upstream).
+
+-------------------------------------------------------------------
@@ -7,0 +25,8 @@
+Thu Mar 3 01:35:32 CET 2016 - [email protected]
+
+- Update gnome-keyring-bsc932232-use-non-fips-md5.patch
+ (bsc#966229, bsc#966225). Fixes inability to decrypt private ssh
+ keys and corruption in stored keyrings. Fix by Michal Koutny
+ <[email protected]>.
+
+-------------------------------------------------------------------
@@ -30,0 +56,13 @@
+Tue Jan 12 23:24:31 CET 2016 - [email protected]
+
+- Add gnome-keyring-bsc961271-secmem-mismatch.patch (bsc#961271).
+ This fixes a crash caused by mixed calls to egg_secure_free()
+ and gcry_free().
+
+-------------------------------------------------------------------
+Thu Nov 26 02:57:11 CET 2015 - [email protected]
+
+- Add gnome-keyring-bsc932232-use-libgcrypt-allocators.patch and
+ gnome-keyring-bsc932232-use-non-fips-md5.patch (bsc#932232).
+
+-------------------------------------------------------------------
@@ -137,0 +176,8 @@
+Fri Nov 7 09:30:13 UTC 2014 - [email protected]
+
+- Add
+ bnc#903966-SEGV-in-gnome-keyring-daemon-caused-by-calling-free-on-static-string.patch
+ Fixed SEGV in gnome-keyring-daemon caused by calling free() on
+ static string (bnc#903966).
+
+-------------------------------------------------------------------
@@ -145,0 +192,7 @@
+Mon Sep 22 18:51:55 UTC 2014 - [email protected]
+
+- Add gnome-keyring-896818-reduce-head-msg-length.patch:
+ Make the head message shorter. The patch makes sense but no need
+ to be upstream (bnc#896818).
+
+-------------------------------------------------------------------
@@ -613 +666 @@
- autostart, that only works with gnome-session
+ autostart, that only works with gnome-session.
@@ -1344,2 +1397,2 @@
- + When auto activating the gnome-keyring DBus service, check for an
- already running daemon
+ + When auto activating the gnome-keyring DBus service, check for
+ an already running daemon
@@ -1445,2 +1498,2 @@
- + Overhaul the secure memory allocator to have memory guards,
- and also be more sparing with secure memory
+ + Overhaul the secure memory allocator to have memory guards, and
+ also be more sparing with secure memory
@@ -1513,2 +1566,2 @@
- + Fix initialization problems which prevented SSH agent from setting
- environment variables properly
+ + Fix initialization problems which prevented SSH agent from
+ setting environment variables properly
@@ -1527,3 +1580,3 @@
- + Close open file descriptors before starting daemon from PAM module.
- + Don't try and unlock keyring from PAM if daemon isn't
- running
+ + Close open file descriptors before starting daemon from PAM
+ module.
+ + Don't try and unlock keyring from PAM if daemon isn't running
@@ -1641,2 +1694,2 @@
- + Use 'Change' instead of 'Create' when prompting the user for
- a password to change keyring password.
+ + Use 'Change' instead of 'Create' when prompting the user for a
+ password to change keyring password.
@@ -1673 +1726,2 @@
- + Add gconf schema for noting the user's configured PKCS#11 modules.
+ + Add gconf schema for noting the user's configured PKCS#11
+ modules.
@@ -1688 +1742,2 @@
- and id_dsa. Also load public portions of keys when needed ie: *.pub
+ and id_dsa. Also load public portions of keys when needed ie:
+ *.pub
@@ -1698 +1753,2 @@
- + Add --disable-acl-prompts option to disable all ACL prompting [Colin Walters]
+ + Add --disable-acl-prompts option to disable all ACL prompting
+ [Colin Walters]
@@ -1850,2 +1906,2 @@
-- Updated to 2.19.91 to incorporate needed fixes for Novell bugs: 298975,
- 299730, 299621, 304189
+- Updated to 2.19.91 to incorporate needed fixes for Novell bugs:
+ 298975, 299730, 299621, 304189
@@ -1853,11 +1909,12 @@
-- In the PAM module we now support starting gnome-keyring-daemon when
-- the user's session actually starts, rather than during password validation.
-- This makes us more solid and sane with GDM and well behaved PAM using
-- applications. [Chris Rivera]
-- In the PAM module check that the socket is owned by the same user, before
-- sending the login password there.
-- Don't read from /dev/random when not needed. This makes startup faster
-- in many cases, as it won't block for entropy.
-- Get around more optimizations that cancel out wiping of strings in
-- memory before freeing.
-- Fix problem where keyrings are created in wrong directory [Nathaniel McCallum]
+- In the PAM module we now support starting gnome-keyring-daemon
+ when the user's session actually starts, rather than during
+ password validation. This makes us more solid and sane with GDM
+ and well behaved PAM using applications. [Chris Rivera]
+- In the PAM module check that the socket is owned by the same
+ user, before sending the login password there.
+- Don't read from /dev/random when not needed. This makes startup
+ faster in many cases, as it won't block for entropy.
+- Get around more optimizations that cancel out wiping of strings
+ in memory before freeing.
+- Fix problem where keyrings are created in wrong directory
+ [Nathaniel McCallum]
@@ -1924,2 +1981,2 @@
- * Fix endless loop when creating a keyring and a file by that name
- already exists.
+ * Fix endless loop when creating a keyring and a file by that
+ name already exists.
@@ -1927 +1984,2 @@
- * Fix crasher when doing find operation with NULL attribute string.
+ * Fix crasher when doing find operation with NULL attribute
+ string.
@@ -1933,5 +1991,6 @@
- * Added GNOME_KEYRING_ITEM_APPLICATION_SECRET which allows an item
- to be for a single application only with strict access controls.
- * New function gnome_keyring_item_get_info_full(_sync) which allow
- retrieval of item meta data without the secret, thus not incurring
- an ACL prompt.
+ * Added GNOME_KEYRING_ITEM_APPLICATION_SECRET which allows an
+ item to be for a single application only with strict access
+ controls.
+ * New function gnome_keyring_item_get_info_full(_sync) which
+ allow retrieval of item meta data without the secret, thus not
+ incurring an ACL prompt.
New: ---- gnome-keyring-896818-reduce-head-msg-length.patch gnome-keyring-bsc932232-use-libgcrypt-allocators.patch gnome-keyring-bsc932232-use-non-fips-md5.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnome-keyring.spec ++++++
--- /var/tmp/diff_new_pack.EtA9lF/_old 2016-08-25 09:51:27.000000000 +0200
+++ /var/tmp/diff_new_pack.EtA9lF/_new 2016-08-25 09:51:27.000000000 +0200
@@ -25,8 +25,14 @@ Group: System/GUI/GNOME Source: http://download.gnome.org/sources/gnome-keyring/3.20/%{name}-%{version}.tar.xz Source99: baselibs.conf -# PATCH-FIX-OPENSUSE gnome-keyring-pam-auth-prompt-password.patch bnc466732 bgo560488 [email protected] -- Make the pam module prompt the password in auth, so we can use pam-config. This is a workaround until bnc#477488 is implemented. +# PATCH-FIX-OPENSUSE gnome-keyring-pam-auth-prompt-password.patch bnc#466732 bgo#560488 [email protected] -- Make the pam module prompt the password in auth, so we can use pam-config. This is a workaround until bnc#477488 is implemented. Patch0: gnome-keyring-pam-auth-prompt-password.patch +# PATCH-FIX-UPSTREAM gnome-keyring-896818-reduce-head-msg-length.patch bnc#896818 bnc#903966 bgo#770170 [email protected] -- Make the head message shorter. +Patch1: gnome-keyring-896818-reduce-head-msg-length.patch +# PATCH-FIX-SLE gnome-keyring-bsc932232-use-libgcrypt-allocators.patch bsc#932232 [email protected] +Patch3: gnome-keyring-bsc932232-use-libgcrypt-allocators.patch +# PATCH-FIX-SLE gnome-keyring-bsc932232-use-non-fips-md5.patch bsc#932232 [email protected] +Patch4: gnome-keyring-bsc932232-use-non-fips-md5.patch BuildRequires: ca-certificates BuildRequires: desktop-file-utils BuildRequires: fdupes @@ -112,6 +118,11 @@ %setup -q translation-update-upstream %patch0 -p1 +%patch1 -p1 +%if ! 0%{?is_opensuse} +%patch3 -p1 +%patch4 -p1 +%endif %build %configure\ ++++++ gnome-keyring-896818-reduce-head-msg-length.patch ++++++ >From 360b5fd80cd0cf1311bef8abce84a76ec3588d79 Mon Sep 17 00:00:00 2001 From: Felix Zhang <[email protected]> Date: Sat, 20 Aug 2016 22:23:30 +0800 Subject: [PATCH] shorten unlock keyring dialog title --- pkcs11/wrap-layer/gkm-wrap-prompt.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkcs11/wrap-layer/gkm-wrap-prompt.c b/pkcs11/wrap-layer/gkm-wrap-prompt.c index 3d3d4f5..5d0548a 100644 --- a/pkcs11/wrap-layer/gkm-wrap-prompt.c 
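Review bot: The `%if ! 0%{?is_opensuse}` guard in the %prep hunk carries no comment saying why Patch3 and Patch4 are skipped on openSUSE builds, and their `PATCH-FIX-SLE` tag lines in the first hunk lack the `-- description` part that Patch0 and Patch1 have. Patch4 as shown further down this page changes the hash used to derive keys and to compute keyring digests, so the two build flavours end up with different crypto code paths and a reader of the spec should be told that. A line such as `# Patch3/Patch4 are SLE-only (bsc#932232); openSUSE keeps the upstream libgcrypt code paths` above the `%if` would record it. The jump from Patch1 to Patch3 also leaves Patch2 unused without explanation.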
+++ b/pkcs11/wrap-layer/gkm-wrap-prompt.c @@ -615,9 +615,8 @@ setup_unlock_keyring_other (GkmWrapPrompt *self, gcr_prompt_set_title (prompt, _("Unlock Keyring")); - text = g_markup_printf_escaped (_("Enter password for keyring '%s' to unlock"), label); + text = _("Enter password to unlock"); gcr_prompt_set_message (prompt, text); - g_free (text); text = g_markup_printf_escaped (_("An application wants access to the keyring '%s', but it is locked"), label); gcr_prompt_set_description (prompt, text); -- 2.6.6 ++++++ gnome-keyring-bsc932232-use-libgcrypt-allocators.patch ++++++ diff --git a/egg/egg-libgcrypt.c b/egg/egg-libgcrypt.c index 3d8f95b..6059242 100644 --- a/egg/egg-libgcrypt.c +++ b/egg/egg-libgcrypt.c @@ -105,11 +105,6 @@ egg_libgcrypt_initialize (void) gcry_set_log_handler (log_handler, NULL); gcry_set_outofcore_handler (no_mem_handler, NULL); gcry_set_fatalerror_handler (fatal_handler, NULL); - gcry_set_allocation_handler ((gcry_handler_alloc_t)g_malloc, - (gcry_handler_alloc_t)egg_secure_alloc, - egg_secure_check, - (gcry_handler_realloc_t)egg_secure_realloc, - egg_secure_free); gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); } ++++++ gnome-keyring-bsc932232-use-non-fips-md5.patch ++++++ diff --git a/egg/egg-openssl.c b/egg/egg-openssl.c index c8dc3d9..201e12f 100644 --- a/egg/egg-openssl.c +++ b/egg/egg-openssl.c @@ -225,7 +225,7 @@ egg_openssl_decrypt_block (const gchar *dekinfo, g_return_val_if_fail (ivlen >= 8, FALSE); /* IV is already set from the DEK info */ - if (!egg_symkey_generate_simple (algo, GCRY_MD_MD5, password, + if (!egg_symkey_generate_simple (algo, GCRY_MD_SHA1, password, n_password, iv, 8, 1, &key, NULL)) { g_free (iv); return NULL; 
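Review bot: In the gkm-wrap-prompt.c hunk, `text` now holds the literal returned by `_()` for one statement and heap memory from `g_markup_printf_escaped` for the next, so a stray `g_free (text)` is one edit away; the changelog on this page records exactly that crash (free() on a static string, bsc#903966). Passing the literal straight through, `gcr_prompt_set_message (prompt, _("Enter password to unlock"));`, keeps `text` heap-only and, if `text` is declared `gchar *`, also avoids assigning a const string to it. The message no longer names the keyring, so the user depends on the description line alone to see which keyring is being unlocked. setup_unlock_keyring_other starts and ends outside the hunk.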
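Review bot: Replacing `GCRY_MD_MD5` with `GCRY_MD_SHA1` in the `egg_symkey_generate_simple` call of egg_openssl_decrypt_block changes the key that is derived from the password, and the next hunk makes the same swap in egg_openssl_encrypt_block. The traditional OpenSSL PEM encryption selected by the DEK-Info header derives its key with MD5, so a SHA1-derived key would not decrypt PEM blocks written by other tools, and blocks written by the encrypt side would not be readable elsewhere; the changelog on this page mentions an inability to decrypt private ssh keys in connection with this patch. If libgcrypt's MD5 is unavailable in the target configuration, the derivation should use an MD5 implementation that is available (the other hunks of this patch use GChecksum) rather than a different hash, with a comment like `/* legacy OpenSSL PEM KDF: the hash is fixed by the file format */`. Both function bodies continue outside the hunks.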
@@ -288,7 +288,7 @@ egg_openssl_encrypt_block (const gchar *dekinfo, g_return_val_if_fail (ivlen >= 8, NULL); /* IV is already set from the DEK info */ - if (!egg_symkey_generate_simple (algo, GCRY_MD_MD5, password, + if (!egg_symkey_generate_simple (algo, GCRY_MD_SHA1, password, n_password, iv, 8, 1, &key, NULL)) g_return_val_if_reached (NULL); diff --git a/pkcs11/secret-store/dump-keyring0-format.c b/pkcs11/secret-store/dump-keyring0-format.c index a459cd3..7ab9118 100644 --- a/pkcs11/secret-store/dump-keyring0-format.c +++ b/pkcs11/secret-store/dump-keyring0-format.c @@ -557,12 +557,16 @@ static gboolean verify_decrypted_buffer (Buffer *buffer) { guchar digest[16]; + GChecksum *cs; + gsize cs_len = sizeof (digest); /* In case the world changes on us... */ - g_return_val_if_fail (gcry_md_get_algo_dlen (GCRY_MD_MD5) == sizeof (digest), 0); + g_return_val_if_fail (g_checksum_type_get_length (G_CHECKSUM_MD5) == sizeof (digest), 0); - gcry_md_hash_buffer (GCRY_MD_MD5, (void*)digest, - (guchar*)buffer->buf + 16, buffer->len - 16); + cs = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (cs, (const guchar *) buffer->buf + 16, buffer->len - 16); + g_checksum_get_digest (cs, digest, &cs_len); + g_checksum_free (cs); return memcmp (buffer->buf, digest, 16) == 0; } diff --git a/pkcs11/secret-store/gkm-secret-binary.c b/pkcs11/secret-store/gkm-secret-binary.c index 9d7a1c7..4091f95 100644 --- a/pkcs11/secret-store/gkm-secret-binary.c +++ b/pkcs11/secret-store/gkm-secret-binary.c 
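Review bot: `buffer->len - 16` is computed in verify_decrypted_buffer without a check that the buffer holds at least 16 bytes, both here in dump-keyring0-format.c and in the identical function patched in gkm-secret-binary.c. `g_checksum_update` takes a signed length and treats a negative value as a NUL-terminated string, so depending on the type of `len` a short buffer would make it read past the data, and the trailing 16-byte `memcmp` has the same problem. Unless every caller already guarantees the length, add `if (buffer->len < 16) return FALSE;` before `g_checksum_new`.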
@@ -437,12 +437,16 @@ static gboolean verify_decrypted_buffer (EggBuffer *buffer) { guchar digest[16]; + GChecksum *cs; + gsize cs_len = sizeof (digest); /* In case the world changes on us... */ - g_return_val_if_fail (gcry_md_get_algo_dlen (GCRY_MD_MD5) == sizeof (digest), 0); + g_return_val_if_fail (g_checksum_type_get_length (G_CHECKSUM_MD5) == sizeof (digest), 0); - gcry_md_hash_buffer (GCRY_MD_MD5, (void*)digest, - (guchar*)buffer->buf + 16, buffer->len - 16); + cs = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (cs, (const guchar *) buffer->buf + 16, buffer->len - 16); + g_checksum_get_digest (cs, digest, &cs_len); + g_checksum_free (cs); return memcmp (buffer->buf, digest, 16) == 0; } @@ -574,12 +578,14 @@ gkm_secret_binary_write (GkmSecretCollection *collection, GkmSecretData *sdata, gint lock_timeout; guchar salt[8]; guint flags = 0; + GChecksum *cs; + gsize cs_len; int i; g_return_val_if_fail (GKM_IS_SECRET_COLLECTION (collection), GKM_DATA_FAILURE); g_return_val_if_fail (GKM_IS_SECRET_DATA (sdata), GKM_DATA_LOCKED); g_return_val_if_fail (data && n_data, GKM_DATA_FAILURE); - g_return_val_if_fail (gcry_md_get_algo_dlen (GCRY_MD_MD5) == sizeof (digest), GKM_DATA_FAILURE); + g_return_val_if_fail (g_checksum_type_get_length (G_CHECKSUM_MD5) == sizeof (digest), GKM_DATA_FAILURE); obj = GKM_SECRET_OBJECT (collection); @@ -636,8 +642,11 @@ gkm_secret_binary_write (GkmSecretCollection *collection, GkmSecretData *sdata, while (to_encrypt.len % 16 != 0) egg_buffer_add_byte (&to_encrypt, 0); - gcry_md_hash_buffer (GCRY_MD_MD5, (void*)digest, - (guchar*)to_encrypt.buf + 16, to_encrypt.len - 16); + cs = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (cs, (const guchar *) to_encrypt.buf + 16, to_encrypt.len - 16); + g_checksum_get_digest (cs, digest, &cs_len); + g_checksum_free (cs); + memcpy (to_encrypt.buf, digest, 16); /* If no master password is set, we shouldn't be writing binary... */ 
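Review bot: `cs_len` is declared without an initializer in gkm_secret_binary_write, yet `g_checksum_get_digest` reads it as the size of the output buffer before it writes the digest; the two verify_decrypted_buffer hunks initialise it with `sizeof (digest)`. With an indeterminate value the call can return without filling `digest`, and the following `memcpy (to_encrypt.buf, digest, 16)` in the later hunk would then store uninitialised stack bytes as the keyring's integrity hash. Set it immediately before the call in that later hunk: `cs_len = sizeof (digest);`. The function body starts and ends outside both hunks.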
diff --git a/pkcs11/secret-store/gkm-secret-fields.c b/pkcs11/secret-store/gkm-secret-fields.c index 9cf7417..c5a83c8 100644 --- a/pkcs11/secret-store/gkm-secret-fields.c +++ b/pkcs11/secret-store/gkm-secret-fields.c @@ -110,12 +110,18 @@ static gchar* compat_hash_value_as_string (const gchar *value) { guchar digest[16]; + GChecksum *cs; + gsize cs_len = sizeof (digest); if (!value) return NULL; - g_assert (gcry_md_get_algo_dlen (GCRY_MD_MD5) == sizeof (digest)); - gcry_md_hash_buffer (GCRY_MD_MD5, (void*)digest, value, strlen (value)); + g_assert (g_checksum_type_get_length (G_CHECKSUM_MD5) == sizeof (digest)); + + cs = g_checksum_new (G_CHECKSUM_MD5); + g_checksum_update (cs, (const guchar *) value, strlen (value)); + g_checksum_get_digest (cs, digest, &cs_len); + g_checksum_free (cs); /* The old keyring code used lower case hex */ return egg_hex_encode_full (digest, sizeof (digest), FALSE, '\0', 0);
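Review bot: compat_hash_value_as_string does not record why the digest is now computed with GChecksum instead of libgcrypt, and the same four-call sequence is repeated in three other places in this patch. A comment such as `/* MD5 is required by the legacy attribute format, not used as a security control; GLib is used so this works where libgcrypt rejects MD5 */` would keep a later cleanup from reverting it; that wording assumes the motive implied by the patch name (use-non-fips-md5) and should be confirmed. The function's closing brace is outside the hunk.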
