Hello community,

here is the log from the commit of package gpg2.2005 for openSUSE:12.2:Update 
checked in at 2013-09-27 15:36:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/gpg2.2005 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.gpg2.2005.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gpg2.2005"

Changes:
--------
New Changes file:

--- /dev/null   2013-09-21 22:50:09.852032506 +0200
+++ /work/SRC/openSUSE:12.2:Update/.gpg2.2005.new/gpg2.changes  2013-09-27 
15:36:17.000000000 +0200
@@ -0,0 +1,614 @@
+-------------------------------------------------------------------
+Mon Sep 16 11:08:55 UTC 2013 - vci...@suse.com
+
+- fix CVE-2013-4351 (bnc#840510)
+
+-------------------------------------------------------------------
+Mon May 13 13:08:03 UTC 2013 - vci...@suse.com
+
+- security fixes:
+  * fix for CVE-2012-6085 (bnc#798465)
+    added gpg2-CVE-2012-6085.patch
+  * fix for bnc#780943
+    added gpg2-set_umask_before_open_outfile.patch
+
+-------------------------------------------------------------------
+Wed Apr 18 10:55:34 UTC 2012 - vci...@suse.com
+
+- Mention some of the changes in Greg's version update
+
+-------------------------------------------------------------------
+Tue Mar 27 20:38:27 UTC 2012 - gre...@opensuse.org
+
+- update to upstream 2.0.19
+  * GPG now accepts a space separated fingerprint as a user ID.  This
+    allows to copy and paste the fingerprint from the key listing.
+  * GPG now uses the longest key ID available.  Removed support for the
+    original HKP keyserver which is not anymore used by any site.
+  * Rebuild the trustdb after changing the option --min-cert-level.
+  * Ukrainian translation.
+  * Honor option --cert-digest-algo when creating a cert.
+  * Emit a DECRYPTION_INFO status line.
+  * Improved detection of JPEG files.
+
+-------------------------------------------------------------------
+Tue Dec  6 10:58:36 UTC 2011 - vci...@suse.com
+
+- fixed licence to GPL-3.0+ (bnc#734878)
+
+-------------------------------------------------------------------
+Wed Nov 30 09:55:47 UTC 2011 - co...@suse.com
+
+- add automake as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Sat Oct  1 15:53:04 UTC 2011 - crrodrig...@opensuse.org
+
+- Test suite hangs in qemu-arm, workaround. 
+
+-------------------------------------------------------------------
+Wed Aug 31 10:00:35 UTC 2011 - pu...@suse.com
+
+- link with -pie 
+
+-------------------------------------------------------------------
+Fri Aug 19 01:11:42 UTC 2011 - crrodrig...@opensuse.org
+
+- libcurl.m4 tests were broken, resulting in the usage
+  of a "fake" internal libcurl.
+
+-------------------------------------------------------------------
+Sat Aug  6 20:19:09 UTC 2011 - andreas.stie...@gmx.de
+
+- update to upstream 2.0.18
+ * Bug fix for newer versions of Libgcrypt.
+ * Support the SSH confirm flag and show SSH fingerprints in ssh
+   related pinentries.
+ * Improved dirmngr/gpgsm interaction for OCSP.
+ * Allow generation of card keys up to 4096 bit.
+- refresh patch gnupg-2.0.10-tmpdir.diff -> gnupg-2.0.18-tmpdir.diff
+- refresh patch gnupg-files-are-digests.patch -> 
gnupg-2.0.18-files-are-digests.patch
+
+-------------------------------------------------------------------
+Tue Mar 15 09:29:42 UTC 2011 - pu...@novell.com
+
+- update to gnupg-2.0.17
+ * Allow more hash algorithms with the OpenPGP v2 card.
+ * The gpg-agent now tests for a new gpg-agent.conf on a HUP.
+ * Fixed output of "gpgconf --check-options".
+ * Fixed a bug where Scdaemon sends a signal to Gpg-agent running
+   in non-daemon mode.
+ * Fixed TTY management for pinentries and session variable update
+   problem.
+- drop gnupg-CVE-2010-2547.patch (in upstream)
+
+-------------------------------------------------------------------
+Fri Jan  7 13:24:17 CET 2011 - sbra...@suse.cz
+
+- Removed obsolete BuildRequires of opensc-devel.
+
+-------------------------------------------------------------------
+Sun Oct 31 12:37:02 UTC 2010 - jeng...@medozas.de
+
+- Use %_smp_mflags
+
+-------------------------------------------------------------------
+Wed Jul 28 09:39:00 UTC 2010 - pu...@novell.com
+
+- gnupg-CVE-2010-2547.patch (bnc#625947)
+- renumber patches
+
+-------------------------------------------------------------------
+Mon Jul 19 21:49:40 UTC 2010 - pu...@novell.com
+
+- update to gnupg-2.0.16
+ * If the agent's --use-standard-socket option is active, all tools
+   try to start and daemonize the agent on the fly.  In the past this
+   was only supported on W32; on non-W32 systems the new configure
+   option --use-standard-socket may now be used to use this feature by
+   default.
+ * The gpg-agent commands KILLAGENT and RELOADAGENT are now available
+   on all platforms.
+ * Minor bug fixes.
+- drop gnupg-2.0.14-s2kcount.patch (builds fine without it now)
+
+-------------------------------------------------------------------
+Mon Jun  7 09:40:32 UTC 2010 - adr...@suse.de
+
+- add special provides to make sure that obs signd gets correct gpg version
+
+-------------------------------------------------------------------
+Fri Apr  9 12:47:11 UTC 2010 - ch...@computersalat.de
+
+- fix deps
+  o libassuan-devel >= 2.0.0
+  o pth / libpth-devel >= 1.3.7
+- added BuildReq libcurl-devel >= 7.10
+- removed BuildReq openldap2
+  is already solved by openldap2-devel
+- removed unrecognized configure options
+  --enable-external-hkp, --enable-shared, --enable-static-rnd
+
+-------------------------------------------------------------------
+Wed Apr  7 14:19:11 UTC 2010 - pu...@novell.com
+
+- add gnupg-dont-fail-with-seahorse-agent.patch (bnc#589994) 
+
+-------------------------------------------------------------------
+Wed Mar 31 13:47:00 UTC 2010 - pu...@novell.com
+
+- update to gnupg-2.0.15 
+ * New command --passwd for GPG.
+ * Fixes a regression in 2.0.14 which prevented unprotection of new
+   or changed gpg-agent passphrases.
+ * Make use of libassuan 2.0 which is available as a DSO.
+
+-------------------------------------------------------------------
+Mon Mar 22 15:09:24 UTC 2010 - pu...@novell.com
+
+- fix files-are-digests patch (bnc#469229)
+
+-------------------------------------------------------------------
+Wed Feb 17 13:29:18 CET 2010 - dims...@opensuse.org
+
+- Update to version 2.0.14:
+  + The default for --include-cert is now to include all
+    certificates in the chain except for the root certificate.
+  + Numerical values may now be used as an alternative to the
+    debug-level keywords.
+  + The GPGSM --audit-log feature is now more complete.
+  + GPG now supports DNS lookups for SRV, PKA and CERT on W32.
+  + New GPGSM option --ignore-cert-extension.
+  + New and changed passphrases are now created with an iteration
+    count requiring about 100ms of CPU work.
+- Add gnupg-2.0.14-s2kcount.patch: use fixed s2k-count number
+  otherwise the gpg2 would want to consult gpg-agent which is not
+  yet installed in the mock chroot (Patch shamelessly stolen from
+  Fedora).
+
+-------------------------------------------------------------------
+Thu Jan 28 14:15:24 UTC 2010 - pu...@novell.com
+
+- fix build for older distributions 
+
+-------------------------------------------------------------------
+Wed Jan 27 16:30:41 UTC 2010 - pu...@novell.com
+
+- port files-are-digests patch from gpg1 (bnc#469229) 
+
+-------------------------------------------------------------------
+Tue Dec 15 20:56:35 CET 2009 - jeng...@medozas.de
+
+- enable parallel building
+- SPARC needs large PIE model
+
+-------------------------------------------------------------------
+Sun Dec  6 08:52:32 UTC 2009 - co...@novell.com
+
+- change -lang require to recommended
+
+-------------------------------------------------------------------
+Fri Nov 13 14:37:58 UTC 2009 - pu...@novell.com
+
+- update to gnupg-2.0.13
+ * GPG now generates 2048 bit RSA keys by default.  The default hash
+   algorithm preferences has changed to prefer SHA-256 over SHA-1.
+   2048 bit DSA keys are now generated to use a 256 bit hash algorithm
+ * The envvars XMODIFIERS, GTK_IM_MODULE and QT_IM_MODULE are now
++++ 417 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.2:Update/.gpg2.2005.new/gpg2.changes

New:
----
  gnupg-2.0.18-files-are-digests.patch
  gnupg-2.0.18-tmpdir.diff
  gnupg-2.0.19.tar.bz2
  gnupg-2.0.4-install_tools.diff
  gnupg-2.0.9-RSA_ES.patch
  gnupg-2.0.9-langinfo.patch
  gnupg-broken-curl-test.patch
  gnupg-dont-fail-with-seahorse-agent.patch
  gpg2-CVE-2012-6085.patch
  gpg2-CVE-2013-4351.patch
  gpg2-set_umask_before_open_outfile.patch
  gpg2.changes
  gpg2.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gpg2.spec ++++++
#
# spec file for package gpg2
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


# Package identity. Version also selects the upstream tarball named in Source.
Name:           gpg2
Version:        2.0.19
Release:        0
# Build-time dependencies; the versioned ones are minimums.
BuildRequires:  automake
BuildRequires:  expect
BuildRequires:  fdupes
BuildRequires:  libadns-devel
BuildRequires:  libassuan-devel >= 2.0.0
BuildRequires:  libcurl-devel >= 7.10
BuildRequires:  libgcrypt-devel >= 1.4.0
BuildRequires:  libgpg-error-devel >= 1.7
BuildRequires:  libksba-devel >= 1.0.7
BuildRequires:  libusb-devel
BuildRequires:  openldap2-devel
BuildRequires:  readline-devel
BuildRequires:  zlib-devel
# The pth development package is named libpth-devel from suse_version 1120 on
# and pth on older releases.
%if 0%{?suse_version} >= 1120
BuildRequires:  libpth-devel >= 1.3.7
%else
BuildRequires:  pth >= 1.3.7
%endif
Url:            http://www.gnupg.org/aegypten2/
PreReq:         %install_info_prereq
Requires:       dirmngr
Requires:       pinentry
Recommends:     %name-lang = %{version}
# This package stands in for the classic gpg package: it provides gpg 1.4.9
# and obsoletes anything older, so installing it replaces an older gpg.
Provides:       gnupg = %{version}
Provides:       gpg = 1.4.9
Provides:       newpg
# special feature needed for OBS signd
# NOTE(review): presumably this advertises the files-are-digests option added
# by Patch5 - confirm against the signd requirements.
Provides:       gpg2_signd_support
Obsoletes:      gpg < 1.4.9
Summary:        GnuPG 2
License:        GPL-3.0+
Group:          Productivity/Networking/Security
# NOTE(review): only the tarball is listed as a source; no detached upstream
# signature or keyring appears here, so tarball authenticity is presumably
# checked outside this spec - confirm.
Source:         gnupg-%{version}.tar.bz2
# Patch1-Patch7 are packaging and behaviour changes carried by the distribution.
Patch1:         gnupg-2.0.18-tmpdir.diff
Patch2:         gnupg-2.0.4-install_tools.diff
Patch3:         gnupg-2.0.9-RSA_ES.patch
Patch4:         gnupg-2.0.9-langinfo.patch
Patch5:         gnupg-2.0.18-files-are-digests.patch
Patch6:         gnupg-dont-fail-with-seahorse-agent.patch
Patch7:         gnupg-broken-curl-test.patch
# Patch8-Patch10 are the security fixes named in the changes file:
# CVE-2012-6085 (bnc#798465), the output-file umask fix (bnc#780943) and
# CVE-2013-4351 (bnc#840510).
Patch8:         gpg2-CVE-2012-6085.patch
Patch9:         gpg2-set_umask_before_open_outfile.patch
Patch10:        gpg2-CVE-2013-4351.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
GnuPG 2 is the successor of "GnuPG" or GPG. It provides: GPGSM,
gpg-agent, and a keybox library.

%lang_package
%prep
# Unpack the upstream tarball quietly into the gnupg-VERSION directory, then
# apply the whole patch series in numeric order.
%setup  -q -n gnupg-%version
# patch2 and patch4 are applied without a -p option: their diffs name paths
# relative to the source root (tools/Makefile.am, jnlib/utf8conv.c). All other
# patches carry one leading path component that -p1 strips.
%patch1 -p1
%patch2
%patch3 -p1
%patch4
%patch5 -p1
%patch6 -p1
%patch7 -p1
# Security fixes (CVE-2012-6085, umask before opening the output file,
# CVE-2013-4351) come last in the series.
%patch8 -p1
%patch9 -p1
%patch10 -p1

%build
# Regenerate the autotools output: the patch series edits tools/Makefile.am
# and m4/libcurl.m4, so the shipped configure and Makefile.in are stale.
autoreconf -fi
# build PIEs (position independent executables) for address space randomisation:
%ifarch s390x %sparc
# s390x and sparc use the large PIE model (at least for gpg.c); the changes
# file records the sparc requirement.
PIE="-fPIE" 
%else
PIE="-fpie"
%endif
# Both the compile flag and the link flag are needed for a PIE binary, so
# they are exported for configure to pick up.
# NOTE(review): only PIE is requested here; any further hardening flags would
# have to come from optflags - confirm.
export CFLAGS="%{optflags} ${PIE}"
export LDFLAGS=-pie
# The helper programs (gpg-agent, pinentry, dirmngr, scdaemon) are pinned at
# configure time to fixed paths under the prefix bin directory.
%configure \
    --libexecdir=%{_libdir} \
    --docdir=%{_docdir}/%{name} \
    --with-agent-pgm=%{_prefix}/bin/gpg-agent \
    --with-pinentry-pgm=%{_prefix}/bin/pinentry \
    --with-dirmngr-pgm=%{_prefix}/bin/dirmngr \
    --with-scdaemon-pgm=%{_prefix}/bin/scdaemon \
    --enable-ldap \
    --enable-gpgsm=yes \
    --enable-gpg \
    --with-gnu-ld

make %{?_smp_mflags}

%install
# Stage the build into the buildroot, then adjust configuration, compat
# symlinks and documentation.
%makeinstall
mkdir -p $RPM_BUILD_ROOT/etc/gnupg/
# bnc#391347
# The example gpgconf.conf becomes the system-wide one, installed with mode 0644.
install -m 644 doc/examples/gpgconf.conf $RPM_BUILD_ROOT/etc/gnupg
# delete to prevent fdupes from creating cross-partition hardlink
rm -rf $RPM_BUILD_ROOT/usr/share/doc/packages/gpg2/examples/gpgconf.conf
rm $RPM_BUILD_ROOT/usr/share/info/dir
# compat symlinks
# gpg and gpgv, and their man pages, point at gpg2 and gpgv2, so callers of
# plain gpg run GnuPG 2.
ln -sf gpg2 $RPM_BUILD_ROOT/usr/bin/gpg
ln -sf gpgv2 $RPM_BUILD_ROOT/usr/bin/gpgv
ln -sf gpg2.1 $RPM_BUILD_ROOT/usr/share/man/man1/gpg.1
ln -sf gpgv2.1 $RPM_BUILD_ROOT/usr/share/man/man1/gpgv.1
# fix rpmlint invalid-lc-messages-dir:
rm -rf $RPM_BUILD_ROOT/%_datadir/locale/en@{bold,}quot
# additional files to documentation directory
# NOTE(review): the install command below is split over two lines in this
# listing; as written the second line would run as a separate command.
# Presumably it is a single line in the real spec - confirm.
install -m 644 AUTHORS COPYING ChangeLog NEWS THANKS TODO doc/FAQ 
$RPM_BUILD_ROOT/%{_docdir}/%{name}
%find_lang gnupg2
# fdupes runs only when suse_version is above 1020.
%if 0%{?suse_version} > 1020
%fdupes %buildroot
%endif

%check
# Tests are skipped for qemu user-space builds; the changes file records the
# test suite hanging in qemu-arm.
%if ! 0%{?qemu_user_space_build}
make check
# Run the staged gpgsplit over the test public and secret keyrings
# (presumably a smoke test of the installed binary).
# NOTE(review): each gpgsplit command is split over two lines in this listing,
# which would detach the --uncompress option and the input redirect from the
# command. Presumably each is a single line in the real spec - confirm.
$RPM_BUILD_ROOT/usr/bin/gpgsplit -v -p pubsplit-                    
--uncompress <tests/openpgp/pubring.gpg  
$RPM_BUILD_ROOT/usr/bin/gpgsplit -v -p secsplit- --secret-to-public 
--uncompress <tests/openpgp/secring.gpg  
%endif

# Scriptlets: pass the gnupg info page to the install_info macros on install
# and removal (presumably registering and unregistering it in the info dir).
%post
%install_info --info-dir=%{_infodir} %{_infodir}/gnupg.info.gz

%postun
%install_info_delete --info-dir=%{_infodir} %{_infodir}/gnupg.info.gz

# The lang subpackage takes the file list that find_lang wrote to gnupg2.lang.
%files lang -f gnupg2.lang

%files
# Everything below is owned by root:root with the modes set at install time.
%defattr(-,root,root)
%doc %{_infodir}/gnupg*
%doc %{_mandir}/*/*.gz
%doc %{_docdir}/%{name}
%{_bindir}/*
# Every libdir entry whose name does not start with "d" is packaged here.
%{_libdir}/[^d]*
%{_sbindir}/addgnupghome
%{_sbindir}/applygnupgdefaults
%{_datadir}/gnupg
%dir %{_sysconfdir}/gnupg
# Marked noreplace, so a locally edited gpgconf.conf is kept on update.
%config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf

%changelog
++++++ gnupg-2.0.18-files-are-digests.patch ++++++
diff -rup gnupg-2.0.18.orig/g10/gpg.c gnupg-2.0.18/g10/gpg.c
--- gnupg-2.0.18.orig/g10/gpg.c 2011-07-22 13:00:44.000000000 +0100
+++ gnupg-2.0.18/g10/gpg.c      2011-08-06 21:07:32.000000000 +0100
@@ -341,6 +341,7 @@ enum cmd_and_opt_values
     oTTYtype,
     oLCctype,
     oLCmessages,
+       oFilesAreDigests,
     oXauthority,
     oGroup,
     oUnGroup,
@@ -706,6 +707,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_s (oPersonalDigestPreferences, "personal-digest-preferences","@"),
   ARGPARSE_s_s (oPersonalCompressPreferences,
                                          "personal-compress-preferences", "@"),
+  ARGPARSE_s_n (oFilesAreDigests, "files-are-digests", "@"),
 
   /* Aliases.  I constantly mistype these, and assume other people do
      as well. */
@@ -1996,6 +1998,7 @@ main (int argc, char **argv)
     opt.def_sig_expire="0";
     opt.def_cert_expire="0";
     set_homedir ( default_homedir () );
+       opt.files_are_digests=0;
     opt.passphrase_repeat=1;
 
     /* Check whether we have a config file on the command line.  */
@@ -2484,6 +2487,7 @@ main (int argc, char **argv)
          case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
          case oForceV3Sigs: opt.force_v3_sigs = 1; break;
          case oNoForceV3Sigs: opt.force_v3_sigs = 0; break;
+         case oFilesAreDigests: opt.files_are_digests = 1; break;
           case oForceV4Certs: opt.force_v4_certs = 1; break;
           case oNoForceV4Certs: opt.force_v4_certs = 0; break;
          case oForceMDC: opt.force_mdc = 1; break;
Only in gnupg-2.0.18/g10: gpg.c.orig
diff -rup gnupg-2.0.18.orig/g10/options.h gnupg-2.0.18/g10/options.h
--- gnupg-2.0.18.orig/g10/options.h     2011-07-22 13:00:44.000000000 +0100
+++ gnupg-2.0.18/g10/options.h  2011-08-06 21:07:32.000000000 +0100
@@ -194,6 +194,7 @@ struct
   int no_auto_check_trustdb;
   int preserve_permissions;
   int no_homedir_creation;
+  int files_are_digests;
   struct groupitem *grouplist;
   int mangle_dos_filenames;
   int enable_progress_filter;
diff -rup gnupg-2.0.18.orig/g10/sign.c gnupg-2.0.18/g10/sign.c
--- gnupg-2.0.18.orig/g10/sign.c        2011-07-22 13:00:44.000000000 +0100
+++ gnupg-2.0.18/g10/sign.c     2011-08-06 21:07:32.000000000 +0100
@@ -665,8 +665,12 @@ write_signature_packets (SK_LIST sk_list
             mk_notation_policy_etc (sig, NULL, sk);
           }
 
+       if (!opt.files_are_digests) {
         hash_sigversion_to_magic (md, sig);
        gcry_md_final (md);
+       } else if (sig->version >= 4) {
+           log_bug("files-are-digests doesn't work with v4 sigs\n");
+       }
 
        rc = do_sign( sk, sig, md, hash_for (sk) );
        gcry_md_close (md);
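Review bot: The new `if (!opt.files_are_digests)` branch in write_signature_packets carries no comment saying why the trailer hashing and `gcry_md_final` are skipped, and the v4 rejection is only reached here, deep in the signing path. Presumably the externally supplied digest already covers the v3 trailer (signature class plus timestamp), which would explain why those five bytes travel in the file name. A comment such as `/* Digest was supplied by the caller and already includes the v3 trailer; hash nothing more. */` would record that. The `sig->version >= 4` test would be easier to find next to the other files-are-digests option checks in sign_file. The function starts and ends outside this hunk.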
@@ -723,6 +727,8 @@ sign_file( strlist_t filenames, int deta
     SK_LIST sk_rover = NULL;
     int multifile = 0;
     u32 duration=0;
+       int sigclass = 0x00;
+       u32 timestamp = 0;
 
     pfx = new_progress_context ();
     afx = new_armor_context ();
@@ -739,7 +745,16 @@ sign_file( strlist_t filenames, int deta
        fname = NULL;
 
     if( fname && filenames->next && (!detached || encryptflag) )
-       log_bug("multiple files can only be detached signed");
+       log_bug("multiple files can only be detached signed\n");
+
+    if (opt.files_are_digests && (multifile || !fname))
+       log_bug("files-are-digests only works with one file\n");
+    if (opt.files_are_digests && !detached)
+       log_bug("files-are-digests can only write detached signatures\n");
+    if (opt.files_are_digests && !opt.def_digest_algo)
+       log_bug("files-are-digests needs --digest-algo\n");
+    if (opt.files_are_digests && opt.textmode)
+       log_bug("files-are-digests doesn't work with --textmode\n");
 
     if(encryptflag==2
        && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
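Review bot: The four added files-are-digests checks report option misuse through `log_bug`, which in GnuPG is the internal-error path and, as far as I know, aborts the process, so a wrong command line ends in a crash rather than a usage error. These are caller mistakes, so `log_error` plus the function's normal error return fits better, e.g. `{ log_error ("files-are-digests needs --digest-algo\n"); rc = gpg_error (GPG_ERR_INV_ARG); goto leave; }`. The same applies to the `log_bug` calls in the digest-parsing hunk further down in sign_file. sign_file's body extends beyond this hunk, so whether `leave` is safe this early needs checking against the full function.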
@@ -767,7 +782,7 @@ sign_file( strlist_t filenames, int deta
       goto leave;
 
     /* prepare iobufs */
-    if( multifile )  /* have list of filenames */
+    if( multifile || opt.files_are_digests)  /* have list of filenames */
        inp = NULL; /* we do it later */
     else {
       inp = iobuf_open(fname);
@@ -900,7 +915,7 @@ sign_file( strlist_t filenames, int deta
        gcry_md_enable (mfx.md, hash_for(sk));
     }
 
-    if( !multifile )
+    if( !multifile && !opt.files_are_digests )
        iobuf_push_filter( inp, md_filter, &mfx );
 
     if( detached && !encryptflag && !RFC1991 )
@@ -955,6 +970,8 @@ sign_file( strlist_t filenames, int deta
 
     write_status_begin_signing (mfx.md);
 
+    sigclass = opt.textmode && !outfile? 0x01 : 0x00;
+
     /* Setup the inner packet. */
     if( detached ) {
        if( multifile ) {
@@ -995,6 +1012,45 @@ sign_file( strlist_t filenames, int deta
            if( opt.verbose )
                putc( '\n', stderr );
        }
+       else if (opt.files_are_digests) {
+           byte *mdb, ts[5];
+           size_t mdlen;
+           const char *fp;
+           int c, d;
+
+           gcry_md_final(mfx.md);
+           /* this assumes gcry_md_read returns the same buffer */
+           mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
+               mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
+           if (strlen(fname) != mdlen * 2 + 11)
+               log_bug("digests must be %d + @ + 5 bytes\n", mdlen);
+           d = -1;
+           for (fp = fname ; *fp; ) {
+               c = *fp++;
+               if (c >= '0' && c <= '9')
+                   c -= '0';
+               else if (c >= 'a' && c <= 'f')
+                   c -= 'a' - 10;
+               else if (c >= 'A' && c <= 'F')
+                   c -= 'A' - 10;
+               else
+                   log_bug("filename is not hex\n");
+               if (d >= 0) {
+                   *mdb++ = d << 4 | c;
+                   c = -1;
+                   if (--mdlen == 0) {
+                       mdb = ts;
+                       if (*fp++ != '@')
+                           log_bug("missing time separator\n");
+                   }
+               }
+               d = c;
+           }
+           sigclass = ts[0];
+           if (sigclass != 0x00 && sigclass != 0x01)
+               log_bug("bad cipher class\n");
+           timestamp = buffer_to_u32(ts + 1);
+       }
        else {
            /* read, so that the filter can calculate the digest */
            while( iobuf_get(inp) != -1 )
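Review bot: The decoded bytes are stored through the pointer returned by `gcry_md_read` without checking that pointer or `mdlen`, so an algorithm for which libgcrypt returns NULL or a zero length would be written through before any later check fires. A guard right after the two lookups closes that: `if (!mdb || !mdlen) log_fatal ("digest algorithm %d is not usable\n", opt.def_digest_algo);`. The loop also overwrites memory owned by the hash context, which the in-line comment admits is an assumption about libgcrypt internals; that comment should say which libgcrypt behaviour is relied on and that it must be re-checked on library updates. Separately, `log_bug("digests must be %d + @ + 5 bytes\n", mdlen)` passes a `size_t` to `%d`; cast the argument, `(int)mdlen`.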
@@ -1012,8 +1068,8 @@ sign_file( strlist_t filenames, int deta
 
     /* write the signatures */
     rc = write_signature_packets (sk_list, out, mfx.md,
-                                  opt.textmode && !outfile? 0x01 : 0x00,
-                                 0, duration, detached ? 'D':'S');
+                                  sigclass,
+                                 timestamp, duration, detached ? 'D':'S');
     if( rc )
         goto leave;
 
++++++ gnupg-2.0.18-tmpdir.diff ++++++
diff -rup gnupg-2.0.18.orig/agent/gpg-agent.c gnupg-2.0.18/agent/gpg-agent.c
--- gnupg-2.0.18.orig/agent/gpg-agent.c 2011-08-04 10:57:02.000000000 +0100
+++ gnupg-2.0.18/agent/gpg-agent.c      2011-08-06 21:01:32.000000000 +0100
@@ -1002,6 +1002,10 @@ main (int argc, char **argv )
       gnupg_fd_t fd_ssh;
       pid_t pid;
 
+      char *tmp1, *tmp;
+      char *tmp2 = "gpg-XXXXXX/S.gpg-agent";
+      size_t len;
+
       /* Remove the DISPLAY variable so that a pinentry does not
          default to a specific display.  There is still a default
          display when gpg-agent was started using --display or a
@@ -1013,13 +1017,23 @@ main (int argc, char **argv )
         unsetenv ("DISPLAY");
 #endif
 
+      if ((tmp1 = getenv("TMPDIR")) == NULL)
+        tmp1 = "/tmp";
+
+      len = strlen(tmp1) + strlen(tmp2) + 10;
+      tmp = malloc(len);
+
+      snprintf(tmp, len, "%s%s%s", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" : "", 
tmp2);
 
       /* Create the sockets.  */
       socket_name = create_socket_name
-        ("S.gpg-agent", "/tmp/gpg-XXXXXX/S.gpg-agent");
-      if (opt.ssh_support)
+        ("S.gpg-agent", tmp);
+      if (opt.ssh_support) {
+        snprintf(tmp, len, "%s%s%s.ssh", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" 
: "", tmp2);
        socket_name_ssh = create_socket_name
-          ("S.gpg-agent.ssh", "/tmp/gpg-XXXXXX/S.gpg-agent.ssh");
+          ("S.gpg-agent.ssh", tmp);
+      }
+      free(tmp);
 
       fd = create_server_socket (socket_name, 0, &socket_nonce);
       if (opt.ssh_support)
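Review bot: `tmp = malloc(len)` is passed to `snprintf` without a NULL check; GnuPG's aborting allocator is the usual choice here, `tmp = xmalloc (len);` paired with `xfree (tmp);`. An empty TMPDIR is also accepted: the `strlen(tmp1) > 0` test then drops the slash and the template becomes the relative path `gpg-XXXXXX/S.gpg-agent`, so the socket directory would be created under the current working directory. `if (!(tmp1 = getenv("TMPDIR")) || !*tmp1) tmp1 = "/tmp";` avoids that and makes the two `tmp1 &&` tests unnecessary. Because TMPDIR has no length limit, confirm outside this hunk that create_server_socket rejects names that do not fit in `sun_path`. Freeing `tmp` right after the calls assumes create_socket_name copies the template, which is presumably true since it was given string literals before.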
++++++ gnupg-2.0.4-install_tools.diff ++++++
Index: tools/Makefile.am
===================================================================
--- tools/Makefile.am.orig
+++ tools/Makefile.am
@@ -32,8 +32,8 @@ sbin_SCRIPTS = addgnupghome applygnupgde
 
 bin_SCRIPTS = gpgsm-gencert.sh
 if HAVE_USTAR
-# bin_SCRIPTS += gpg-zip
-noinst_SCRIPTS = gpg-zip
+bin_SCRIPTS += gpg-zip
+#noinst_SCRIPTS = gpg-zip
 endif
 
 if BUILD_SYMCRYPTRUN
@@ -51,14 +51,14 @@ endif
 
 bin_PROGRAMS = gpgconf gpg-connect-agent gpgkey2ssh ${symcryptrun} ${gpgtar}
 if !HAVE_W32_SYSTEM
-bin_PROGRAMS += watchgnupg gpgparsemail
+bin_PROGRAMS += watchgnupg gpgparsemail gpgsplit
 endif
 
 if !DISABLE_REGEX
 libexec_PROGRAMS = gpg-check-pattern
 endif
 
-noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert gpgsplit
+noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert
 
 common_libs = $(libcommon) ../jnlib/libjnlib.a ../gl/libgnu.a
 pwquery_libs = ../common/libsimple-pwquery.a
++++++ gnupg-2.0.9-RSA_ES.patch ++++++
# adds back support for deprecated RSA_E, RSA_S algorithms
Index: gnupg-2.0.13/g10/misc.c
===================================================================
--- gnupg-2.0.13.orig/g10/misc.c        2009-07-16 08:22:45.000000000 +0200
+++ gnupg-2.0.13/g10/misc.c     2009-11-13 13:19:39.000000000 +0100
@@ -1308,6 +1308,8 @@ pubkey_get_npkey( int algo )
 
   if (algo == GCRY_PK_ELG_E)
     algo = GCRY_PK_ELG;
+  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
+    algo = GCRY_PK_RSA;
   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NPKEY, NULL, &n))
     n = 0;
   return n;
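Review bot: The same two-line RSA_E/RSA_S mapping is pasted into pubkey_get_npkey here and into pubkey_get_nskey, pubkey_get_nsig and pubkey_get_nenc in the next three hunks, with no comment in the code on why deprecated algorithm IDs are accepted. One static helper that also holds the existing ELG_E mapping would keep the four lookups in step. Either the helper or each site should carry a comment like `/* RSA_E and RSA_S are deprecated OpenPGP IDs; they share RSA's parameter counts. */`. The mapping only affects parameter counts; whether encrypt-only or sign-only usage is still enforced for such keys is decided elsewhere and is not visible in these hunks, whose functions all start outside them.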
@@ -1321,6 +1323,8 @@ pubkey_get_nskey( int algo )
 
   if (algo == GCRY_PK_ELG_E)
     algo = GCRY_PK_ELG;
+  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
+    algo = GCRY_PK_RSA;
   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NSKEY, NULL, &n ))
     n = 0;
   return n;
@@ -1334,6 +1338,8 @@ pubkey_get_nsig( int algo )
 
   if (algo == GCRY_PK_ELG_E)
     algo = GCRY_PK_ELG;
+  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
+    algo = GCRY_PK_RSA;
   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NSIGN, NULL, &n))
     n = 0;
   return n;
@@ -1347,6 +1353,8 @@ pubkey_get_nenc( int algo )
   
   if (algo == GCRY_PK_ELG_E)
     algo = GCRY_PK_ELG;
+  if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
+    algo = GCRY_PK_RSA;
   if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NENCR, NULL, &n ))
     n = 0;
   return n;
++++++ gnupg-2.0.9-langinfo.patch ++++++
# fix [bnc#305725] - non latin characters displayed incorrectly by pinentry
Index: jnlib/utf8conv.c
===================================================================
--- jnlib/utf8conv.c.orig       2008-11-04 15:39:06.000000000 +0100
+++ jnlib/utf8conv.c    2009-06-18 11:42:36.000000000 +0200
@@ -203,6 +203,7 @@ set_native_charset (const char *newset)
 #else /*!HAVE_W32_SYSTEM*/
       
 #ifdef HAVE_LANGINFO_CODESET
+         setlocale(LC_ALL, "");
       newset = nl_langinfo (CODESET);
 #else /*!HAVE_LANGINFO_CODESET*/
       /* Try to get the used charset from environment variables.  */
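Review bot: `setlocale(LC_ALL, "")` switches every locale category for the whole process as a side effect of set_native_charset, although `nl_langinfo (CODESET)` depends only on LC_CTYPE. Taking LC_NUMERIC and the other categories from the environment can change how numbers and messages are formatted and parsed elsewhere in the program; `setlocale (LC_CTYPE, "");` is enough for the charset lookup. The return value is ignored, so when the locale named in the environment is not installed the call fails and CODESET still reflects the C locale. The hunk shows no `#include <locale.h>`, so confirm the file already has one.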
++++++ gnupg-broken-curl-test.patch ++++++
diff --git a/m4/libcurl.m4 b/m4/libcurl.m4
index 7d1dbd3..92cf801 100644
--- a/m4/libcurl.m4
+++ b/m4/libcurl.m4
@@ -68,13 +68,7 @@ AC_DEFUN([LIBCURL_CHECK_CONFIG],
 
      _libcurl_try_link=yes
 
-     if test -d "$_libcurl_with" ; then
-        LIBCURL_CPPFLAGS="-I$withval/include"
-        _libcurl_ldflags="-L$withval/lib"
-        AC_PATH_PROG([_libcurl_config],["$withval/bin/curl-config"])
-     else
        AC_PATH_PROG([_libcurl_config],[curl-config])
-     fi
 
      if test x$_libcurl_config != "x" ; then
         AC_CACHE_CHECK([for the version of libcurl],
++++++ gnupg-dont-fail-with-seahorse-agent.patch ++++++
---
 g10/passphrase.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: gnupg-2.0.15/g10/passphrase.c
===================================================================
--- gnupg-2.0.15.orig/g10/passphrase.c  2010-01-11 15:11:17.000000000 +0100
+++ gnupg-2.0.15/g10/passphrase.c       2010-04-07 16:06:49.000000000 +0200
@@ -72,7 +72,7 @@ encode_s2k_iterations (int iterations)
         {
           /* Don't print an error if an older agent is used.  */
           if (err && gpg_err_code (err) != GPG_ERR_ASS_PARAMETER)
-            log_error (_("problem with the agent: %s\n"), gpg_strerror (err));
+            log_info (_("problem with the agent: %s\n"), gpg_strerror (err));
           /* Default to 65536 which we used up to 2.0.13.  */
           return 96; 
         }
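Review bot: After this change a failed agent query is reported only at info level, and encode_s2k_iterations returns the coded value 96, the fixed 65536 iterations the comment mentions, instead of a count calibrated by the agent. The code should say why that downgrade is acceptable, e.g. `/* Agents other than gpg-agent (seahorse) cannot answer this query; not fatal, fall back to the fixed default. */`. Because the fallback decides how strongly new passphrase-derived keys are stretched, confirm that `log_info` output is still shown at default verbosity so the condition does not go unnoticed. The function begins and ends outside the hunk.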
++++++ gpg2-CVE-2012-6085.patch ++++++
commit 498882296ffac7987c644aaf2a0aa108a2925471
Author: Werner Koch <w...@gnupg.org>
Date:   Thu Dec 20 09:43:41 2012 +0100

    gpg: Import only packets which are allowed in a keyblock.
    
    * g10/import.c (valid_keyblock_packet): New.
    (read_block): Store only valid packets.
    --
    
    A corrupted key, which for example included a mangled public key
    encrypted packet, used to corrupt the keyring.  This change skips all
    packets which are not allowed in a keyblock.
    
    GnuPG-bug-id: 1455
    
    (cherry-picked from commit 3a4b96e665fa639772854058737ee3d54ba0694e)

diff --git a/g10/import.c b/g10/import.c
index ba2439d..ad112d6 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -347,6 +347,27 @@ import_print_stats (void *hd)
 }
 
 
+/* Return true if PKTTYPE is valid in a keyblock.  */
+static int
+valid_keyblock_packet (int pkttype)
+{
+  switch (pkttype)
+    {
+    case PKT_PUBLIC_KEY:
+    case PKT_PUBLIC_SUBKEY:
+    case PKT_SECRET_KEY:
+    case PKT_SECRET_SUBKEY:
+    case PKT_SIGNATURE:
+    case PKT_USER_ID:
+    case PKT_ATTRIBUTE:
+    case PKT_RING_TRUST:
+      return 1;
+    default:
+      return 0;
+    }
+}
+
+
 /****************
  * Read the next keyblock from stream A.
  * PENDING_PKT should be initialzed to NULL
@@ -424,7 +445,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root 
)
            }
            in_cert = 1;
          default:
-           if( in_cert ) {
+           if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
                if( !root )
                    root = new_kbnode( pkt );
                else
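Review bot: Packets that fail `valid_keyblock_packet` are now dropped without any diagnostic, so an import that loses packets looks the same as a clean one. A message on the skip path, for example `log_info ("skipping packet of type %d in keyblock\n", pkt->pkttype);` under `opt.verbose`, would help anyone triaging a malformed key. The code after the condition is outside the hunk: confirm that a rejected packet's payload is released with free_packet before the PACKET is re-initialised, since previously every in_cert packet was handed over to a kbnode. read_block itself starts and ends outside the hunk.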

++++++ gpg2-CVE-2013-4351.patch ++++++
commit 8f8f3984e82a025cf1384132a419f67f39c7e07d 
Author: Werner Koch <wk <at> gnupg.org>
Date:   Fri Mar 15 15:46:03 2013 +0100

    gpg: Distinguish between missing and cleared key flags.

    * include/cipher.h (PUBKEY_USAGE_NONE): New.
    * g10/getkey.c (parse_key_usage): Set new flag.
    --

    We do not want to use the default capabilities (derived from the
    algorithm) if any key flags are given in a signature.  Thus if key
    flags are used in any way, the default key capabilities are never
    used.

    This allows to create a key with key flags set to all zero so it can't
    be used.  This better reflects common sense.

        Modified g10/getkey.c
Index: gnupg-2.0.9/g10/getkey.c
===================================================================
--- gnupg-2.0.9.orig/g10/getkey.c       2013-09-16 16:51:02.752624501 +0200
+++ gnupg-2.0.9/g10/getkey.c    2013-09-16 16:54:20.955952692 +0200
@@ -1457,13 +1457,19 @@ parse_key_usage(PKT_signature *sig)
 
       if(flags)
        key_usage |= PUBKEY_USAGE_UNKNOWN;
+
+      if (!key_usage)
+       key_usage |= PUBKEY_USAGE_NONE;
     }
+  else if (p) /* Key flags of length zero.  */
+    key_usage |= PUBKEY_USAGE_NONE;
 
   /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
      capability that we do not handle.  This serves to distinguish
      between a zero key usage which we handle as the default
      capabilities for that algorithm, and a usage that we do not
-     handle. */
+     handle.  Likewise we use PUBKEY_USAGE_NONE to indicate that
+     key_flags have been given but they do not specify any usage.  */
 
   return key_usage;
 }
Index: gnupg-2.0.9/include/cipher.h
===================================================================
--- gnupg-2.0.9.orig/include/cipher.h   2013-09-16 16:51:02.752624501 +0200
+++ gnupg-2.0.9/include/cipher.h        2013-09-16 16:56:27.028429026 +0200
@@ -62,6 +62,11 @@
 #define PUBKEY_USAGE_CERT    GCRY_PK_USAGE_CERT  /* Also good to certify keys. 
*/
 #define PUBKEY_USAGE_AUTH    GCRY_PK_USAGE_AUTH  /* Good for authentication. */
 #define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN  /* Unknown usage flag. */
+#define PUBKEY_USAGE_NONE    256                 /* No usage given. */
+#if  (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \
+      | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256
+# error Please choose another value for PUBKEY_USAGE_NONE
+#endif
 
 #define DIGEST_ALGO_MD5       /*  1 */ GCRY_MD_MD5
 #define DIGEST_ALGO_SHA1      /*  2 */ GCRY_MD_SHA1
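Review bot: `PUBKEY_USAGE_NONE` is defined as 256, which needs nine bits, but nothing in this patch shows the width of the fields that store the result of parse_key_usage. If any of them is a byte-sized member, the flag is truncated to 0 on assignment and the key falls back to the algorithm's default capabilities, which is the very case this fix is meant to close. Confirm the storage type in the packet structures and widen it if needed. Callers that pass the usage value on as GCRY_PK_USAGE_* bits should presumably mask the new flag out first; that is not visible here either.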
++++++ gpg2-set_umask_before_open_outfile.patch ++++++
Index: gnupg-2.0.20/g10/plaintext.c
===================================================================
--- gnupg-2.0.20.orig/g10/plaintext.c   2013-05-13 14:26:49.290737159 +0200
+++ gnupg-2.0.20/g10/plaintext.c        2013-05-13 14:43:21.740575875 +0200
@@ -25,6 +25,7 @@
 #include <errno.h>
 #include <assert.h>
 #include <sys/types.h>
+#include <sys/stat.h>
 #ifdef HAVE_DOSISH_SYSTEM
 #include <fcntl.h> /* for setmode() */
 #endif
@@ -39,6 +40,9 @@
 #include "status.h"
 #include "i18n.h"
 
+/* define safe permissions for creating plaintext files */
+#define GPG_SAFE_PERMS (S_IRUSR | S_IWUSR)
+#define GPG_SAFE_UMASK (0777 & ~GPG_SAFE_PERMS)
 
 /****************
  * Handle a plaintext packet.  If MFX is not NULL, update the MDs
@@ -140,10 +144,15 @@ handle_plaintext( PKT_plaintext *pt, md_
        log_error(_("error creating `%s': %s\n"), fname, strerror(errno) );
        goto leave;
       }
-    else if( !(fp = fopen(fname,"wb")) ) {
-       rc = gpg_error_from_syserror ();
-       log_error(_("error creating `%s': %s\n"), fname, strerror(errno) );
-       goto leave;
+    else {
+       mode_t saved_umask = umask(GPG_SAFE_UMASK);
+       if( !(fp = fopen(fname,"wb")) ) {
+               rc = gpg_error_from_syserror ();
+               log_error(_("error creating `%s': %s\n"), fname, 
strerror(errno) );
+               umask(saved_umask);
+               goto leave;
+       }
+       umask(saved_umask);
     }
 #else /* __riscos__ */
     /* If no output filename was given, i.e. we constructed it,
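Review bot: Tightening the umask only affects a file that `fopen` actually creates; if `fname` already exists, the plaintext is written into it with whatever permissions it has. The umask is also process-wide state, changed and restored here on two separate paths. Creating the file with an explicit mode through `open` and then `fdopen` removes the global toggle, and an `fchmod` on the descriptor could cover the pre-existing file if that is wanted. This needs `<fcntl.h>` and `<unistd.h>`; the first hunk shows `<fcntl.h>` only under HAVE_DOSISH_SYSTEM, and the enclosing function lies outside the hunk.
```c
    else {
	/* Create with an explicit mode instead of toggling the umask. */
	int fd = open (fname, O_WRONLY | O_CREAT | O_TRUNC, GPG_SAFE_PERMS);
	if (fd == -1 || !(fp = fdopen (fd, "wb"))) {
		rc = gpg_error_from_syserror ();
		log_error(_("error creating `%s': %s\n"), fname, strerror(errno) );
		if (fd != -1)
		    close (fd);
		goto leave;
	}
    }
```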