[arch-commits] Commit in gnupg/repos (8 files)

Gaëtan Bisson bisson at archlinux.org
Mon Dec 2 19:12:02 UTC 2019


    Date: Monday, December 2, 2019 @ 19:12:01
  Author: bisson
Revision: 370220

db-move: moved gnupg from [testing] to [core] (x86_64)

Added:
  gnupg/repos/core-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch
    (from rev 370219, gnupg/repos/testing-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch)
  gnupg/repos/core-x86_64/PKGBUILD
    (from rev 370219, gnupg/repos/testing-x86_64/PKGBUILD)
  gnupg/repos/core-x86_64/install
    (from rev 370219, gnupg/repos/testing-x86_64/install)
  gnupg/repos/core-x86_64/self-sigs-only.patch
    (from rev 370219, gnupg/repos/testing-x86_64/self-sigs-only.patch)
Deleted:
  gnupg/repos/core-x86_64/PKGBUILD
  gnupg/repos/core-x86_64/install
  gnupg/repos/core-x86_64/self-sigs-only.patch
  gnupg/repos/testing-x86_64/

----------------------------------------------------------------------+
 /PKGBUILD                                                            |   69 ++++++++
 /install                                                             |   31 +++
 /self-sigs-only.patch                                                |   56 ++++++
 core-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch |   84 ++++++++++
 core-x86_64/PKGBUILD                                                 |   66 -------
 core-x86_64/install                                                  |   31 ---
 core-x86_64/self-sigs-only.patch                                     |   56 ------
 7 files changed, 240 insertions(+), 153 deletions(-)

Copied: gnupg/repos/core-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch (from rev 370219, gnupg/repos/testing-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch)
===================================================================
--- core-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch	                        (rev 0)
+++ core-x86_64/0001-gpg-Fix-double-free-with-anonymous-recipients.patch	2019-12-02 19:12:01 UTC (rev 370220)
@@ -0,0 +1,84 @@
+From 9ac182f376abf910a7b737b0e1ebd447eaa582f1 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk at gnupg.org>
+Date: Fri, 29 Nov 2019 17:44:12 +0100
+Subject: [PATCH GnuPG] gpg: Fix double free with anonymous recipients.
+
+* g10/pubkey-enc.c (get_session_key): Do not release SK.
+--
+
+Bug is in 2.2.18 only.
+
+The semantics of the enum_secret_keys function changed in master.
+When back porting this for 2.2.18 I missed this change and thus we ran
+into a double free.  The patches fixes the regression but is it clumsy.
+We need to change the enum_secret_keys interface to avoid such a
+surprising behaviour; this needs to be done in master first.
+
+Regression-due-to: 9a317557c58d2bdcc504b70c366b77f4cac71df7
+GnuPG-bug-id: 4762
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ g10/pubkey-enc.c | 8 ++++++--
+ g10/skclist.c    | 7 +++++--
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/g10/pubkey-enc.c b/g10/pubkey-enc.c
+index 71a48cc41..4e6f893f3 100644
+--- a/g10/pubkey-enc.c
++++ b/g10/pubkey-enc.c
+@@ -114,11 +114,11 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
+ 
+       for (;;)
+         {
+-          free_public_key (sk);
+           sk = xmalloc_clear (sizeof *sk);
+           rc = enum_secret_keys (ctrl, &enum_context, sk);
+           if (rc)
+             {
++              sk = NULL;  /* enum_secret_keys turns SK into a shallow copy! */
+               rc = GPG_ERR_NO_SECKEY;
+               break;
+             }
+@@ -148,10 +148,14 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
+             {
+               if (!opt.quiet)
+                 log_info (_("okay, we are the anonymous recipient.\n"));
++              sk = NULL;
+               break;
+             }
+           else if (gpg_err_code (rc) == GPG_ERR_FULLY_CANCELED)
+-            break; /* Don't try any more secret keys.  */
++            {
++              sk = NULL;
++              break; /* Don't try any more secret keys.  */
++            }
+         }
+       enum_secret_keys (ctrl, &enum_context, NULL);  /* free context */
+     }
+diff --git a/g10/skclist.c b/g10/skclist.c
+index 8817ee904..5a32b6a17 100644
+--- a/g10/skclist.c
++++ b/g10/skclist.c
+@@ -292,14 +292,17 @@ build_sk_list (ctrl_t ctrl,
+  * --default-key and --try-secret-key).  Use the following procedure:
+  *
+  *  1) Initialize a void pointer to NULL
+- *  2) Pass a reference to this pointer to this function (content)
+- *     and provide space for the secret key (sk)
++ *  2) Pass a reference to this pointer to this function (CONTEXT)
++ *     and provide space for the secret key (SK)
+  *  3) Call this function as long as it does not return an error (or
+  *     until you are done).  The error code GPG_ERR_EOF indicates the
+  *     end of the listing.
+  *  4) Call this function a last time with SK set to NULL,
+  *     so that can free it's context.
+  *
++ *  TAKE CARE: When the function returns SK belongs to CONTEXT and may
++ *  not be freed by the caller; neither on success nor on error.
++ *
+  * In pseudo-code:
+  *
+  *   void *ctx = NULL;
+-- 
+2.11.0
+

Deleted: core-x86_64/PKGBUILD
===================================================================
--- core-x86_64/PKGBUILD	2019-12-02 19:11:57 UTC (rev 370219)
+++ core-x86_64/PKGBUILD	2019-12-02 19:12:01 UTC (rev 370220)
@@ -1,66 +0,0 @@
-# Maintainer: Gaetan Bisson <bisson at archlinux.org>
-# Contributor: Tobias Powalowski <tpowa at archlinux.org>
-# Contributor: Andreas Radke <andyrtr at archlinux.org>
-# Contributor: Judd Vinet <jvinet at zeroflux.org>
-
-pkgname=gnupg
-pkgver=2.2.18
-pkgrel=1
-pkgdesc='Complete and free implementation of the OpenPGP standard'
-url='https://www.gnupg.org/'
-license=('GPL')
-arch=('x86_64')
-checkdepends=('openssh')
-makedepends=('libldap' 'libusb-compat' 'pcsclite')
-depends=('npth' 'libgpg-error' 'libgcrypt' 'libksba' 'libassuan'
-         'pinentry' 'bzip2' 'readline' 'gnutls' 'sqlite')
-optdepends=('libldap: gpg2keys_ldap'
-            'libusb-compat: scdaemon'
-            'pcsclite: scdaemon')
-validpgpkeys=('D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'
-              '46CC730865BB5C78EBABADCF04376F3EE0856959'
-              '031EC2536E580D8EA286A9F22071B08A33BD3F06'
-              '5B80C5754298F0CB55D8ED6ABCEF7E294B092E28')
-source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig}
-        'self-sigs-only.patch')
-sha256sums=('30d37ce2ca55b2b9b61480b2a175a3b22066ab41cd3f84688448919b566dec0a'
-            'SKIP'
-            '0130c43321c16f53ab2290833007212f8a26b1b73bd4edc2b2b1c9db2b2d0218')
-
-install=install
-
-prepare() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-	sed '/noinst_SCRIPTS = gpg-zip/c sbin_SCRIPTS += gpg-zip' -i tools/Makefile.in
-	patch -R -p1 -i ../self-sigs-only.patch
-}
-
-build() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-	./configure \
-		--prefix=/usr \
-		--sysconfdir=/etc \
-		--sbindir=/usr/bin \
-		--libexecdir=/usr/lib/gnupg \
-		--enable-maintainer-mode \
-		--enable-symcryptrun \
-
-	make
-}
-
-check() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-	make check
-}
-
-package() {
-	cd "${srcdir}/${pkgname}-${pkgver}"
-	make DESTDIR="${pkgdir}" install
-	ln -s gpg "${pkgdir}"/usr/bin/gpg2
-	ln -s gpgv "${pkgdir}"/usr/bin/gpgv2
-
-	cd doc/examples/systemd-user
-	for i in *.*; do
-		install -Dm644 "$i" "${pkgdir}/usr/lib/systemd/user/$i"
-	done
-}

Copied: gnupg/repos/core-x86_64/PKGBUILD (from rev 370219, gnupg/repos/testing-x86_64/PKGBUILD)
===================================================================
--- core-x86_64/PKGBUILD	                        (rev 0)
+++ core-x86_64/PKGBUILD	2019-12-02 19:12:01 UTC (rev 370220)
@@ -0,0 +1,69 @@
+# Maintainer: Gaetan Bisson <bisson at archlinux.org>
+# Contributor: Tobias Powalowski <tpowa at archlinux.org>
+# Contributor: Andreas Radke <andyrtr at archlinux.org>
+# Contributor: Judd Vinet <jvinet at zeroflux.org>
+
+pkgname=gnupg
+pkgver=2.2.18
+pkgrel=2
+pkgdesc='Complete and free implementation of the OpenPGP standard'
+url='https://www.gnupg.org/'
+license=('GPL')
+arch=('x86_64')
+checkdepends=('openssh')
+makedepends=('libldap' 'libusb-compat' 'pcsclite')
+depends=('npth' 'libgpg-error' 'libgcrypt' 'libksba' 'libassuan'
+         'pinentry' 'bzip2' 'readline' 'gnutls' 'sqlite')
+optdepends=('libldap: gpg2keys_ldap'
+            'libusb-compat: scdaemon'
+            'pcsclite: scdaemon')
+validpgpkeys=('D8692123C4065DEA5E0F3AB5249B39D24F25E3B6'
+              '46CC730865BB5C78EBABADCF04376F3EE0856959'
+              '031EC2536E580D8EA286A9F22071B08A33BD3F06'
+              '5B80C5754298F0CB55D8ED6ABCEF7E294B092E28')
+source=("https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2"{,.sig}
+        '0001-gpg-Fix-double-free-with-anonymous-recipients.patch'
+        'self-sigs-only.patch')
+sha256sums=('30d37ce2ca55b2b9b61480b2a175a3b22066ab41cd3f84688448919b566dec0a'
+            'SKIP'
+            'f7f533c37354e1fbafd7c9db67f5b5792745f7b0a68a5132a09f241896942903'
+            '0130c43321c16f53ab2290833007212f8a26b1b73bd4edc2b2b1c9db2b2d0218')
+
+install=install
+
+prepare() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+	sed '/noinst_SCRIPTS = gpg-zip/c sbin_SCRIPTS += gpg-zip' -i tools/Makefile.in
+	patch -R -p1 -i ../self-sigs-only.patch
+	patch -p1 -i ../0001-gpg-Fix-double-free-with-anonymous-recipients.patch # FS#64663
+}
+
+build() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+	./configure \
+		--prefix=/usr \
+		--sysconfdir=/etc \
+		--sbindir=/usr/bin \
+		--libexecdir=/usr/lib/gnupg \
+		--enable-maintainer-mode \
+		--enable-symcryptrun \
+
+	make
+}
+
+check() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+	make check
+}
+
+package() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+	make DESTDIR="${pkgdir}" install
+	ln -s gpg "${pkgdir}"/usr/bin/gpg2
+	ln -s gpgv "${pkgdir}"/usr/bin/gpgv2
+
+	cd doc/examples/systemd-user
+	for i in *.*; do
+		install -Dm644 "$i" "${pkgdir}/usr/lib/systemd/user/$i"
+	done
+}

Deleted: core-x86_64/install
===================================================================
--- core-x86_64/install	2019-12-02 19:11:57 UTC (rev 370219)
+++ core-x86_64/install	2019-12-02 19:12:01 UTC (rev 370220)
@@ -1,31 +0,0 @@
-_global_units() {
-	_units=(dirmngr.socket gpg-agent.socket gpg-agent-{browser,extra,ssh}.socket)
-	_dir=/etc/systemd/user/sockets.target.wants
-
-	case $1 in
-		enable)
-			mkdir -p $_dir
-			for _u in "${_units[@]}"; do
-				ln -sf /usr/lib/systemd/user/$_u $_dir/$_u
-			done
-			;;
-		disable)
-			for _u in "${_units[@]}"; do
-				rm -f $_dir/$_u
-			done
-			rmdir -p --ignore-fail-on-non-empty $_dir
-			;;
-	esac
-}
-
-post_install() {
-	# See FS#42798 and FS#47371
-	dirmngr </dev/null &>/dev/null
-
-	# Let systemd supervise daemons by default
-	_global_units enable
-}
-
-pre_remove() {
-	_global_units disable
-}

Copied: gnupg/repos/core-x86_64/install (from rev 370219, gnupg/repos/testing-x86_64/install)
===================================================================
--- core-x86_64/install	                        (rev 0)
+++ core-x86_64/install	2019-12-02 19:12:01 UTC (rev 370220)
@@ -0,0 +1,31 @@
+_global_units() {
+	_units=(dirmngr.socket gpg-agent.socket gpg-agent-{browser,extra,ssh}.socket)
+	_dir=/etc/systemd/user/sockets.target.wants
+
+	case $1 in
+		enable)
+			mkdir -p $_dir
+			for _u in "${_units[@]}"; do
+				ln -sf /usr/lib/systemd/user/$_u $_dir/$_u
+			done
+			;;
+		disable)
+			for _u in "${_units[@]}"; do
+				rm -f $_dir/$_u
+			done
+			rmdir -p --ignore-fail-on-non-empty $_dir
+			;;
+	esac
+}
+
+post_install() {
+	# See FS#42798 and FS#47371
+	dirmngr </dev/null &>/dev/null
+
+	# Let systemd supervise daemons by default
+	_global_units enable
+}
+
+pre_remove() {
+	_global_units disable
+}

Deleted: core-x86_64/self-sigs-only.patch
===================================================================
--- core-x86_64/self-sigs-only.patch	2019-12-02 19:11:57 UTC (rev 370219)
+++ core-x86_64/self-sigs-only.patch	2019-12-02 19:12:01 UTC (rev 370220)
@@ -1,56 +0,0 @@
-From: Werner Koch <wk at gnupg.org>
-Date: Thu, 4 Jul 2019 13:45:39 +0000 (+0200)
-Subject: gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
-X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=23c978640812d123eaffd4108744bdfcf48f7c93
-
-gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
-
-* g10/gpg.c (main): Change default.
---
-
-Due to the DoS attack on the keyeservers we do not anymore default to
-import key signatures.  That makes the keyserver unsuable for getting
-keys for the WoT but it still allows to retriev keys - even if that
-takes long to download the large keyblocks.
-
-To revert to the old behavior add
-
-  keyserver-optiions  no-self-sigs-only,no-import-clean
-
-to gpg.conf.
-
-GnuPG-bug-id: 4607
-Signed-off-by: Werner Koch <wk at gnupg.org>
----
-
-diff --git a/doc/gpg.texi b/doc/gpg.texi
-index 8feab8218..9513a4e0f 100644
---- a/doc/gpg.texi
-+++ b/doc/gpg.texi
-@@ -1917,6 +1917,11 @@ are available for all keyserver types, some common options are:
- 
- @end table
- 
-+The default list of options is: "self-sigs-only, import-clean,
-+repair-keys, repair-pks-subkey-bug, export-attributes,
-+honor-pka-record".
-+
-+
- @item --completes-needed @var{n}
- @opindex compliant-needed
- Number of completely trusted users to introduce a new
-diff --git a/g10/gpg.c b/g10/gpg.c
-index 66e47dde5..0bbe72394 100644
---- a/g10/gpg.c
-+++ b/g10/gpg.c
-@@ -2424,7 +2424,9 @@ main (int argc, char **argv)
-     opt.import_options = IMPORT_REPAIR_KEYS;
-     opt.export_options = EXPORT_ATTRIBUTES;
-     opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
--					    | IMPORT_REPAIR_PKS_SUBKEY_BUG);
-+					    | IMPORT_REPAIR_PKS_SUBKEY_BUG
-+                                            | IMPORT_SELF_SIGS_ONLY
-+                                            | IMPORT_CLEAN);
-     opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
-     opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
-     opt.verify_options = (LIST_SHOW_UID_VALIDITY

Copied: gnupg/repos/core-x86_64/self-sigs-only.patch (from rev 370219, gnupg/repos/testing-x86_64/self-sigs-only.patch)
===================================================================
--- core-x86_64/self-sigs-only.patch	                        (rev 0)
+++ core-x86_64/self-sigs-only.patch	2019-12-02 19:12:01 UTC (rev 370220)
@@ -0,0 +1,56 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 4 Jul 2019 13:45:39 +0000 (+0200)
+Subject: gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=23c978640812d123eaffd4108744bdfcf48f7c93
+
+gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.
+
+* g10/gpg.c (main): Change default.
+--
+
+Due to the DoS attack on the keyeservers we do not anymore default to
+import key signatures.  That makes the keyserver unsuable for getting
+keys for the WoT but it still allows to retriev keys - even if that
+takes long to download the large keyblocks.
+
+To revert to the old behavior add
+
+  keyserver-optiions  no-self-sigs-only,no-import-clean
+
+to gpg.conf.
+
+GnuPG-bug-id: 4607
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 8feab8218..9513a4e0f 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -1917,6 +1917,11 @@ are available for all keyserver types, some common options are:
+ 
+ @end table
+ 
++The default list of options is: "self-sigs-only, import-clean,
++repair-keys, repair-pks-subkey-bug, export-attributes,
++honor-pka-record".
++
++
+ @item --completes-needed @var{n}
+ @opindex compliant-needed
+ Number of completely trusted users to introduce a new
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 66e47dde5..0bbe72394 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -2424,7 +2424,9 @@ main (int argc, char **argv)
+     opt.import_options = IMPORT_REPAIR_KEYS;
+     opt.export_options = EXPORT_ATTRIBUTES;
+     opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
+-					    | IMPORT_REPAIR_PKS_SUBKEY_BUG);
++					    | IMPORT_REPAIR_PKS_SUBKEY_BUG
++                                            | IMPORT_SELF_SIGS_ONLY
++                                            | IMPORT_CLEAN);
+     opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
+     opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
+     opt.verify_options = (LIST_SHOW_UID_VALIDITY



More information about the arch-commits mailing list