[arch-commits] Commit in gnupg/trunk (5 files)

Gaetan Bisson bisson at archlinux.org
Tue Dec 16 19:46:15 UTC 2014


    Date: Tuesday, December 16, 2014 @ 20:46:15
  Author: bisson
Revision: 227658

upstream update

Modified:
  gnupg/trunk/PKGBUILD
Deleted:
  gnupg/trunk/hash-ecdsa.patch
  gnupg/trunk/oid2str-overflow.patch
  gnupg/trunk/refresh-keys.patch
  gnupg/trunk/subpacket-off.patch

------------------------+
 PKGBUILD               |   24 ----
 hash-ecdsa.patch       |   48 ---------
 oid2str-overflow.patch |   72 --------------
 refresh-keys.patch     |  238 -----------------------------------------------
 subpacket-off.patch    |   38 -------
 5 files changed, 4 insertions(+), 416 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-12-16 17:00:13 UTC (rev 227657)
+++ PKGBUILD	2014-12-16 19:46:15 UTC (rev 227658)
@@ -5,8 +5,8 @@
 # Contributor: Judd Vinet <jvinet at zeroflux.org>
 
 pkgname=gnupg
-pkgver=2.1.0
-pkgrel=7
+pkgver=2.1.1
+pkgrel=1
 pkgdesc='Complete and free implementation of the OpenPGP standard'
 url='http://www.gnupg.org/'
 license=('GPL')
@@ -16,16 +16,8 @@
 makedepends=('libldap' 'libusb-compat')
 depends=('npth' 'libgpg-error' 'libgcrypt' 'libksba' 'libassuan'
          'pinentry' 'bzip2' 'readline' 'gnutls')
-source=("ftp://ftp.gnupg.org/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig}
-        'oid2str-overflow.patch'
-        'subpacket-off.patch'
-        'refresh-keys.patch'
-        'hash-ecdsa.patch')
-sha1sums=('2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33' 'SKIP'
-          '774f7fe541428f45ee145c763cf5634264e3bc69'
-          '1a86b834904c7d18d932ad1bb44d3642990d3cbd'
-          '246bea8776882f4c0293685482558f6ead1cf902'
-          'b9bd644276aa1c1a3fcaed82e65eecccfd1f36ed')
+source=("ftp://ftp.gnupg.org/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig})
+sha1sums=('3d11fd150cf86f842d077437edb119a775c7325d' 'SKIP')
 
 install=install
 
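Review bot: The new `sha1sums` line pins the 2.1.1 tarball with SHA-1 only, while both the tarball and its `.sig` are fetched over plain `ftp://`. A stronger digest would suit a package that anchors other signature checks, for example `sha256sums=('<sha256 of gnupg-2.1.1.tar.bz2>' 'SKIP')`. The `'SKIP'` for the `.sig` is reasonable only if makepkg verifies that signature against a pinned signer. No `validpgpkeys` array is visible in these hunks, so confirm one is declared elsewhere in the PKGBUILD or add it with the upstream release key's fingerprint. This hunk also drops the four local patches from `source`, two of which (`oid2str-overflow.patch`, `subpacket-off.patch`) were memory-safety fixes, so the log message "upstream update" should state that 2.1.1 already contains them.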
@@ -33,14 +25,6 @@
 provides=('dirmngr' "gnupg2=${pkgver}")
 replaces=('dirmngr' 'gnupg2')
 
-prepare() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-	patch -p1 -i ../oid2str-overflow.patch
-	patch -p1 -i ../subpacket-off.patch
-	patch -p1 -i ../refresh-keys.patch
-	patch -p1 -i ../hash-ecdsa.patch
-}
-
 build() {
 	cd "${srcdir}/${pkgname}-${pkgver}"
 	./configure \

Deleted: hash-ecdsa.patch
===================================================================
--- hash-ecdsa.patch	2014-12-16 17:00:13 UTC (rev 227657)
+++ hash-ecdsa.patch	2014-12-16 19:46:15 UTC (rev 227658)
@@ -1,48 +0,0 @@
-From: Werner Koch <wk at gnupg.org>
-Date: Wed, 19 Nov 2014 09:34:32 +0000 (+0100)
-Subject: gpg: Fix hash detection for ECDSA.
-X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=f80c2dd78d522f12b2c7afbd5c0763a97d87d2bd;hp=cd2c6f36fe5d1d1d45546f5168aead5cbe6487e0
-
-gpg: Fix hash detection for ECDSA.
-
-* g10/sign.c (sign_file): Use DSA or ECDSA and not DSA|EdDSA.
---
-
-This error was introduced with
-commit b7f8dec6325f1c80640f878ed3080bbc194fbc78
-while separating EdDSA from ECDSA.
-
-Found due to a related bug report from Brian Minton.
-
-Signed-off-by: Werner Koch <wk at gnupg.org>
----
-
-diff --git a/g10/sign.c b/g10/sign.c
-index e7d4a68..2e62f04 100644
---- a/g10/sign.c
-+++ b/g10/sign.c
-@@ -899,13 +899,12 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
- 	    for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next )
- 	      {
- 		if (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_DSA
--                    || (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_EDDSA
--                        && !openpgp_oid_is_ed25519 (sk_rover->pk->pkey[1])))
-+                    || sk_rover->pk->pubkey_algo == PUBKEY_ALGO_ECDSA)
- 		  {
- 		    int temp_hashlen = (gcry_mpi_get_nbits
-                                         (sk_rover->pk->pkey[1]));
- 
--		    if (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_EDDSA)
-+		    if (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_ECDSA)
- 		      temp_hashlen = ecdsa_qbits_from_Q (temp_hashlen);
- 		    temp_hashlen = (temp_hashlen+7)/8;
- 
-@@ -915,7 +914,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
- 		    if (hint.digest_length<temp_hashlen)
- 		      hint.digest_length=temp_hashlen;
- 		  }
--                /* FIXME: need toall gpg-agent */
-+                /* FIXME: need to check gpg-agent for this. */
- 		/* else if (sk_rover->pk->is_protected */
-                 /*          && sk_rover->pk->protect.s2k.mode == 1002) */
- 		/*   smartcard = 1;  */

Deleted: oid2str-overflow.patch
===================================================================
--- oid2str-overflow.patch	2014-12-16 17:00:13 UTC (rev 227657)
+++ oid2str-overflow.patch	2014-12-16 19:46:15 UTC (rev 227658)
@@ -1,72 +0,0 @@
-From: Werner Koch <wk at gnupg.org>
-Date: Tue, 25 Nov 2014 10:58:56 +0000 (+0100)
-Subject: Fix buffer overflow in openpgp_oid_to_str.
-X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=8445ef24fc31e1fe0291e17f90f9f06b536e34da;hp=28dafd4714a9b01d3a6f1e6e5919bf6f909987c7
-
-Fix buffer overflow in openpgp_oid_to_str.
-
-* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
-
-* common/t-openpgp-oid.c (BADOID): New.
-(test_openpgp_oid_to_str): Add test cases.
---
-
-The code has an obvious error by not considering invalid encoding for
-arc-2.  A first byte of 0x80 can be used to make a value of less then
-80 and we then subtract 80 from that value as required by the OID
-encoding rules.  Due to the unsigned integer this results in a pretty
-long value which won't fit anymore into the allocated buffer.
-
-The fix is obvious.  Also added a few simple test cases.  Note that we
-keep on using sprintf instead of snprintf because managing the
-remaining length of the buffer would probably be more error prone than
-assuring that the buffer is large enough.  Getting rid of sprintf
-altogether by using direct conversion along with membuf_t like code
-might be possible.
-
-Reported-by: Hanno Böck
-Signed-off-by: Werner Koch <wk at gnupg.org>
-
-Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
----
-
-diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
-index 010c23f..d3d1f2a 100644
---- a/common/openpgp-oid.c
-+++ b/common/openpgp-oid.c
-@@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
-         val <<= 7;
-         val |= buf[n] & 0x7f;
-       }
-+    if (val < 80)
-+      goto badoid;
-     val -= 80;
-     sprintf (p, "2.%lu", val);
-     p += strlen (p);
-diff --git a/common/t-openpgp-oid.c b/common/t-openpgp-oid.c
-index 79e5a70..5cd778d 100644
---- a/common/t-openpgp-oid.c
-+++ b/common/t-openpgp-oid.c
-@@ -32,6 +32,9 @@
-   } while(0)
- 
- 
-+#define BADOID "1.3.6.1.4.1.11591.2.12242973"
-+
-+
- static void
- test_openpgp_oid_from_str (void)
- {
-@@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
-     { "1.3.132.0.35",
-       { 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},
- 
-+    { BADOID,
-+      { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
-+
-+    { BADOID,
-+      { 1, 0x80 }},
-+
-     { NULL }};
-   gcry_mpi_t a;
-   int idx;

Deleted: refresh-keys.patch
===================================================================
--- refresh-keys.patch	2014-12-16 17:00:13 UTC (rev 227657)
+++ refresh-keys.patch	2014-12-16 19:46:15 UTC (rev 227658)
@@ -1,238 +0,0 @@
-From eecbed004ca1e9ca23c3892c3a5e6dd174ddf93b Mon Sep 17 00:00:00 2001
-From: Werner Koch <wk at gnupg.org>
-Date: Wed, 12 Nov 2014 12:14:32 +0100
-Subject: [PATCH] gpg: Fix regression in --refresh-keys
-
-* g10/keyserver.c (keyserver_get): Factor all code out to ...
-(keyserver_get_chunk): new.  Extimate line length.
-(keyserver_get): Split up requests into chunks.
---
-
-Note that refreshing all keys still requires way to much memory
-because we build an in-memory list of all keys first.  It is required
-to first get a list of all keys to avoid conflicts while updating the
-key store in the process of receiving keys.  A better strategy would
-be a background process and tracking the last update in the key store.
-
-GnuPG-bug-id: 1755
-Signed-off-by: Werner Koch <wk at gnupg.org>
----
- g10/call-dirmngr.c |    2 +-
- g10/keyserver.c    |  107 ++++++++++++++++++++++++++++++++++++++++++----------
- 2 files changed, 89 insertions(+), 20 deletions(-)
-
-diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c
-index 5bddbbe..71f5324 100644
---- a/g10/call-dirmngr.c
-+++ b/g10/call-dirmngr.c
-@@ -429,7 +429,7 @@ ks_get_data_cb (void *opaque, const void *data, size_t datalen)
-    error an error code is returned and NULL stored at R_FP.
- 
-    The pattern may only use search specification which a keyserver can
--   use to retriev keys.  Because we know the format of the pattern we
-+   use to retrieve keys.  Because we know the format of the pattern we
-    don't need to escape the patterns before sending them to the
-    server.
- 
-diff --git a/g10/keyserver.c b/g10/keyserver.c
-index 1b2e128..5bc1eba 100644
---- a/g10/keyserver.c
-+++ b/g10/keyserver.c
-@@ -1567,17 +1567,16 @@ keyserver_search (ctrl_t ctrl, strlist_t tokens)
-   return err;
- }
- 
--
--
--/* Retrieve a key from a keyserver.  The search pattern are in
--   (DESC,NDESC).  Allowed search modes are keyid, fingerprint, and
--   exact searches.  KEYSERVER gives an optional override keyserver. If
--   (R_FPR,R_FPRLEN) are not NULL, the may retrun the fingerprint of
--   one imported key.  */
-+/* Helper for keyserver_get.  Here we only receive a chunk of the
-+   description to be processed in one batch.  This is required due to
-+   the limited number of patterns the dirmngr interface (KS_GET) can
-+   grok and to limit the amount of temporary required memory.  */
- static gpg_error_t
--keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
--               struct keyserver_spec *keyserver,
--               unsigned char **r_fpr, size_t *r_fprlen)
-+keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-+                     int *r_ndesc_used,
-+                     void *stats_handle,
-+                     struct keyserver_spec *keyserver,
-+                     unsigned char **r_fpr, size_t *r_fprlen)
- 
- {
-   gpg_error_t err = 0;
-@@ -1585,12 +1584,26 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-   int idx, npat;
-   estream_t datastream;
-   char *source = NULL;
-+  size_t linelen;  /* Estimated linelen for KS_GET.  */
-+  size_t n;
-+
-+#define MAX_KS_GET_LINELEN 950  /* Somewhat lower than the real limit.  */
-+
-+  *r_ndesc_used = 0;
- 
-   /* Create an array filled with a search pattern for each key.  The
-      array is delimited by a NULL entry.  */
-   pattern = xtrycalloc (ndesc+1, sizeof *pattern);
-   if (!pattern)
-     return gpg_error_from_syserror ();
-+
-+  /* Note that we break the loop as soon as our estimation of the to
-+     be used line length reaches the limit.  But we do this only if we
-+     have processed at leas one search requests so that an overlong
-+     single request will be rejected only later by gpg_dirmngr_ks_get
-+     but we are sure that R_NDESC_USED has been updated.  This avoids
-+     a possible indefinite loop.  */
-+  linelen = 9; /* "KS_GET --" */
-   for (npat=idx=0; idx < ndesc; idx++)
-     {
-       int quiet = 0;
-@@ -1598,7 +1611,12 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-       if (desc[idx].mode == KEYDB_SEARCH_MODE_FPR20
-           || desc[idx].mode == KEYDB_SEARCH_MODE_FPR16)
-         {
--          pattern[npat] = xtrymalloc (2+2*20+1);
-+          n = 1+2+2*20;
-+          if (idx && linelen + n > MAX_KS_GET_LINELEN)
-+            break; /* Declare end of this chunk.  */
-+          linelen += n;
-+
-+          pattern[npat] = xtrymalloc (n);
-           if (!pattern[npat])
-             err = gpg_error_from_syserror ();
-           else
-@@ -1612,6 +1630,11 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-         }
-       else if(desc[idx].mode == KEYDB_SEARCH_MODE_LONG_KID)
-         {
-+          n = 1+2+16;
-+          if (idx && linelen + n > MAX_KS_GET_LINELEN)
-+            break; /* Declare end of this chunk.  */
-+          linelen += n;
-+
-           pattern[npat] = xtryasprintf ("0x%08lX%08lX",
-                                         (ulong)desc[idx].u.kid[0],
-                                         (ulong)desc[idx].u.kid[1]);
-@@ -1622,6 +1645,11 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-         }
-       else if(desc[idx].mode == KEYDB_SEARCH_MODE_SHORT_KID)
-         {
-+          n = 1+2+8;
-+          if (idx && linelen + n > MAX_KS_GET_LINELEN)
-+            break; /* Declare end of this chunk.  */
-+          linelen += n;
-+
-           pattern[npat] = xtryasprintf ("0x%08lX", (ulong)desc[idx].u.kid[1]);
-           if (!pattern[npat])
-             err = gpg_error_from_syserror ();
-@@ -1630,11 +1658,17 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-         }
-       else if(desc[idx].mode == KEYDB_SEARCH_MODE_EXACT)
-         {
--          /* The Dirmngr uses also classify_user_id to detect the type
-+          /* The Dirmngr also uses classify_user_id to detect the type
-              of the search string.  By adding the '=' prefix we force
-              Dirmngr's KS_GET to consider this an exact search string.
-              (In gpg 1.4 and gpg 2.0 the keyserver helpers used the
-              KS_GETNAME command to indicate this.)  */
-+
-+          n = 1+1+strlen (desc[idx].u.name);
-+          if (idx && linelen + n > MAX_KS_GET_LINELEN)
-+            break; /* Declare end of this chunk.  */
-+          linelen += n;
-+
-           pattern[npat] = strconcat ("=", desc[idx].u.name, NULL);
-           if (!pattern[npat])
-             err = gpg_error_from_syserror ();
-@@ -1669,6 +1703,9 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-         }
-     }
- 
-+  /* Remember now many of search items were considered.  Note that
-+     this is different from NPAT.  */
-+  *r_ndesc_used = idx;
- 
-   err = gpg_dirmngr_ks_get (ctrl, pattern, &datastream, &source);
-   for (idx=0; idx < npat; idx++)
-@@ -1679,11 +1716,8 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- 
-   if (!err)
-     {
--      void *stats_handle;
-       struct ks_retrieval_screener_arg_s screenerarg;
- 
--      stats_handle = import_new_stats_handle();
--
-       /* FIXME: Check whether this comment should be moved to dirmngr.
- 
-          Slurp up all the key data.  In the future, it might be nice
-@@ -1697,15 +1731,12 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-          keyservers. */
- 
-       screenerarg.desc = desc;
--      screenerarg.ndesc = ndesc;
-+      screenerarg.ndesc = *r_ndesc_used;
-       import_keys_es_stream (ctrl, datastream, stats_handle,
-                              r_fpr, r_fprlen,
-                              (opt.keyserver_options.import_options
-                               | IMPORT_NO_SECKEY),
-                              keyserver_retrieval_screener, &screenerarg);
--
--      import_print_stats (stats_handle);
--      import_release_stats_handle (stats_handle);
-     }
-   es_fclose (datastream);
-   xfree (source);
-@@ -1714,6 +1745,44 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- }
- 
- 
-+/* Retrieve a key from a keyserver.  The search pattern are in
-+   (DESC,NDESC).  Allowed search modes are keyid, fingerprint, and
-+   exact searches.  KEYSERVER gives an optional override keyserver. If
-+   (R_FPR,R_FPRLEN) are not NULL, they may return the fingerprint of a
-+   single imported key.  */
-+static gpg_error_t
-+keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-+               struct keyserver_spec *keyserver,
-+               unsigned char **r_fpr, size_t *r_fprlen)
-+{
-+  gpg_error_t err;
-+  void *stats_handle;
-+  int ndesc_used;
-+  int any_good = 0;
-+
-+  stats_handle = import_new_stats_handle();
-+
-+  for (;;)
-+    {
-+      err = keyserver_get_chunk (ctrl, desc, ndesc, &ndesc_used, stats_handle,
-+                                 keyserver, r_fpr, r_fprlen);
-+      if (!err)
-+        any_good = 1;
-+      if (err || ndesc_used >= ndesc)
-+        break; /* Error or all processed.  */
-+      /* Prepare for the next chunk.  */
-+      desc += ndesc_used;
-+      ndesc -= ndesc_used;
-+    }
-+
-+  if (any_good)
-+    import_print_stats (stats_handle);
-+
-+  import_release_stats_handle (stats_handle);
-+  return err;
-+}
-+
-+
- /* Send all keys specified by KEYSPECS to the KEYSERVERS.  */
- static gpg_error_t
- keyserver_put (ctrl_t ctrl, strlist_t keyspecs,
--- 
-1.7.10.4
-

Deleted: subpacket-off.patch
===================================================================
--- subpacket-off.patch	2014-12-16 17:00:13 UTC (rev 227657)
+++ subpacket-off.patch	2014-12-16 19:46:15 UTC (rev 227658)
@@ -1,38 +0,0 @@
-From: Werner Koch <wk at gnupg.org>
-Date: Mon, 24 Nov 2014 16:28:25 +0000 (+0100)
-Subject: gpg: Fix off-by-one read in the attribute subpacket parser.
-X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=0988764397f99db4efef1eabcdb8072d6159af76;hp=b716e6a69919b89c7887d6c7c9b97e58d18fdf95
-
-gpg: Fix off-by-one read in the attribute subpacket parser.
-
-* g10/parse-packet.c (parse_attribute_subpkts): Check that the
-attribute packet is large enough for the subpacket type.
---
-
-Reported-by: Hanno Böck
-Signed-off-by: Werner Koch <wk at gnupg.org>
----
-
-diff --git a/g10/parse-packet.c b/g10/parse-packet.c
-index e0370aa..f75e21c 100644
---- a/g10/parse-packet.c
-+++ b/g10/parse-packet.c
-@@ -2359,8 +2359,16 @@ parse_attribute_subpkts (PKT_user_id * uid)
-       if (buflen < n)
- 	goto too_short;
- 
--      attribs =
--	xrealloc (attribs, (count + 1) * sizeof (struct user_attribute));
-+      if (!n)
-+        {
-+          /* Too short to encode the subpacket type.  */
-+          if (opt.verbose)
-+            log_info ("attribute subpacket too short\n");
-+          break;
-+        }
-+
-+      attribs = xrealloc (attribs,
-+                          (count + 1) * sizeof (struct user_attribute));
-       memset (&attribs[count], 0, sizeof (struct user_attribute));
- 
-       type = *buffer;


