Hello community,
here is the log from the commit of package gpg2.2005 for openSUSE:12.2:Update checked in at 2013-09-27 15:36:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/gpg2.2005 (Old)
and /work/SRC/openSUSE:12.2:Update/.gpg2.2005.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gpg2.2005"
Changes:
--------
New Changes file:
--- /dev/null 2013-09-21 22:50:09.852032506 +0200
+++ /work/SRC/openSUSE:12.2:Update/.gpg2.2005.new/gpg2.changes 2013-09-27 15:36:17.000000000 +0200
@@ -0,0 +1,614 @@
+-------------------------------------------------------------------
+Mon Sep 16 11:08:55 UTC 2013 - vcizek@suse.com
+
+- fix CVE-2013-4351 (bnc#840510)
+
+-------------------------------------------------------------------
+Mon May 13 13:08:03 UTC 2013 - vcizek@suse.com
+
+- security fixes:
+ * fix for CVE-2012-6085 (bnc#798465)
+ added gpg2-CVE-2012-6085.patch
+ * fix for bnc#780943
+ added gpg2-set_umask_before_open_outfile.patch
+
+-------------------------------------------------------------------
+Wed Apr 18 10:55:34 UTC 2012 - vcizek@suse.com
+
+- Mention some of the changes in Greg's version update
+
+-------------------------------------------------------------------
+Tue Mar 27 20:38:27 UTC 2012 - gregkh@opensuse.org
+
+- update to upstream 2.0.19
+ * GPG now accepts a space separated fingerprint as a user ID. This
+ allows to copy and paste the fingerprint from the key listing.
+ * GPG now uses the longest key ID available. Removed support for the
+ original HKP keyserver which is not anymore used by any site.
+ * Rebuild the trustdb after changing the option --min-cert-level.
+ * Ukrainian translation.
+ * Honor option --cert-digest-algo when creating a cert.
+ * Emit a DECRYPTION_INFO status line.
+ * Improved detection of JPEG files.
+
+-------------------------------------------------------------------
+Tue Dec 6 10:58:36 UTC 2011 - vcizek@suse.com
+
+- fixed licence to GPL-3.0+ (bnc#734878)
+
+-------------------------------------------------------------------
+Wed Nov 30 09:55:47 UTC 2011 - coolo@suse.com
+
+- add automake as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Sat Oct 1 15:53:04 UTC 2011 - crrodriguez@opensuse.org
+
+- Test suite hangs in qemu-arm, workaround.
+
+-------------------------------------------------------------------
+Wed Aug 31 10:00:35 UTC 2011 - puzel@suse.com
+
+- link with -pie
+
+-------------------------------------------------------------------
+Fri Aug 19 01:11:42 UTC 2011 - crrodriguez@opensuse.org
+
+- libcurl.m4 tests were broken, resulting in the usage
+ of a "fake" internal libcurl.
+
+-------------------------------------------------------------------
+Sat Aug 6 20:19:09 UTC 2011 - andreas.stieger@gmx.de
+
+- update to upstream 2.0.18
+ * Bug fix for newer versions of Libgcrypt.
+ * Support the SSH confirm flag and show SSH fingerprints in ssh
+ related pinentries.
+ * Improved dirmngr/gpgsm interaction for OCSP.
+ * Allow generation of card keys up to 4096 bit.
+- refresh patch gnupg-2.0.10-tmpdir.diff -> gnupg-2.0.18-tmpdir.diff
+- refresh patch gnupg-files-are-digests.patch -> gnupg-2.0.18-files-are-digests.patch
+
+-------------------------------------------------------------------
+Tue Mar 15 09:29:42 UTC 2011 - puzel@novell.com
+
+- update to gnupg-2.0.17
+ * Allow more hash algorithms with the OpenPGP v2 card.
+ * The gpg-agent now tests for a new gpg-agent.conf on a HUP.
+ * Fixed output of "gpgconf --check-options".
+ * Fixed a bug where Scdaemon sends a signal to Gpg-agent running
+ in non-daemon mode.
+ * Fixed TTY management for pinentries and session variable update
+ problem.
+- drop gnupg-CVE-2010-2547.patch (in upstream)
+
+-------------------------------------------------------------------
+Fri Jan 7 13:24:17 CET 2011 - sbrabec@suse.cz
+
+- Removed obsolete BuildRequires of opensc-devel.
+
+-------------------------------------------------------------------
+Sun Oct 31 12:37:02 UTC 2010 - jengelh@medozas.de
+
+- Use %_smp_mflags
+
+-------------------------------------------------------------------
+Wed Jul 28 09:39:00 UTC 2010 - puzel@novell.com
+
+- gnupg-CVE-2010-2547.patch (bnc#625947)
+- renumber patches
+
+-------------------------------------------------------------------
+Mon Jul 19 21:49:40 UTC 2010 - puzel@novell.com
+
+- update to gnupg-2.0.16
+ * If the agent's --use-standard-socket option is active, all tools
+ try to start and daemonize the agent on the fly. In the past this
+ was only supported on W32; on non-W32 systems the new configure
+ option --use-standard-socket may now be used to use this feature by
+ default.
+ * The gpg-agent commands KILLAGENT and RELOADAGENT are now available
+ on all platforms.
+ * Minor bug fixes.
+- drop gnupg-2.0.14-s2kcount.patch (builds fine without it now)
+
+-------------------------------------------------------------------
+Mon Jun 7 09:40:32 UTC 2010 - adrian@suse.de
+
+- add special provides to make sure that obs signd gets correct gpg version
+
+-------------------------------------------------------------------
+Fri Apr 9 12:47:11 UTC 2010 - chris@computersalat.de
+
+- fix deps
+ o libassuan-devel >= 2.0.0
+ o pth / libpth-devel >= 1.3.7
+- added BuildReq libcurl-devel >= 7.10
+- removed BuildReq openldap2
+ is already solved by openldap2-devel
+- removed unrecognized configure options
+ --enable-external-hkp, --enable-shared, --enable-static-rnd
+
+-------------------------------------------------------------------
+Wed Apr 7 14:19:11 UTC 2010 - puzel@novell.com
+
+- add gnupg-dont-fail-with-seahorse-agent.patch (bnc#589994)
+
+-------------------------------------------------------------------
+Wed Mar 31 13:47:00 UTC 2010 - puzel@novell.com
+
+- update to gnupg-2.0.15
+ * New command --passwd for GPG.
+ * Fixes a regression in 2.0.14 which prevented unprotection of new
+ or changed gpg-agent passphrases.
+ * Make use of libassuan 2.0 which is available as a DSO.
+
+-------------------------------------------------------------------
+Mon Mar 22 15:09:24 UTC 2010 - puzel@novell.com
+
+- fix files-are-digests patch (bnc#469229)
+
+-------------------------------------------------------------------
+Wed Feb 17 13:29:18 CET 2010 - dimstar@opensuse.org
+
+- Update to version 2.0.14:
+ + The default for --include-cert is now to include all
+ certificates in the chain except for the root certificate.
+ + Numerical values may now be used as an alternative to the
+ debug-level keywords.
+ + The GPGSM --audit-log feature is now more complete.
+ + GPG now supports DNS lookups for SRV, PKA and CERT on W32.
+ + New GPGSM option --ignore-cert-extension.
+ + New and changed passphrases are now created with an iteration
+ count requiring about 100ms of CPU work.
+- Add gnupg-2.0.14-s2kcount.patch: use fixed s2k-count number
+ otherwise the gpg2 would want to consult gpg-agent which is not
+ yet installed in the mock chroot (Patch shamelessly stolen from
+ Fedora).
+
+-------------------------------------------------------------------
+Thu Jan 28 14:15:24 UTC 2010 - puzel@novell.com
+
+- fix build for older distributions
+
+-------------------------------------------------------------------
+Wed Jan 27 16:30:41 UTC 2010 - puzel@novell.com
+
+- port files-are-digests patch from gpg1 (bnc#469229)
+
+-------------------------------------------------------------------
+Tue Dec 15 20:56:35 CET 2009 - jengelh@medozas.de
+
+- enable parallel building
+- SPARC needs large PIE model
+
+-------------------------------------------------------------------
+Sun Dec 6 08:52:32 UTC 2009 - coolo@novell.com
+
+- change -lang require to recommended
+
+-------------------------------------------------------------------
+Fri Nov 13 14:37:58 UTC 2009 - puzel@novell.com
+
+- update to gnupg-2.0.13
+ * GPG now generates 2048 bit RSA keys by default. The default hash
+ algorithm preferences has changed to prefer SHA-256 over SHA-1.
+ 2048 bit DSA keys are now generated to use a 256 bit hash algorithm
+ * The envvars XMODIFIERS, GTK_IM_MODULE and QT_IM_MODULE are now
++++ 417 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.2:Update/.gpg2.2005.new/gpg2.changes
New:
----
gnupg-2.0.18-files-are-digests.patch
gnupg-2.0.18-tmpdir.diff
gnupg-2.0.19.tar.bz2
gnupg-2.0.4-install_tools.diff
gnupg-2.0.9-RSA_ES.patch
gnupg-2.0.9-langinfo.patch
gnupg-broken-curl-test.patch
gnupg-dont-fail-with-seahorse-agent.patch
gpg2-CVE-2012-6085.patch
gpg2-CVE-2013-4351.patch
gpg2-set_umask_before_open_outfile.patch
gpg2.changes
gpg2.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gpg2.spec ++++++
#
# spec file for package gpg2
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: gpg2
Version: 2.0.19
Release: 0
BuildRequires: automake
BuildRequires: expect
BuildRequires: fdupes
BuildRequires: libadns-devel
BuildRequires: libassuan-devel >= 2.0.0
BuildRequires: libcurl-devel >= 7.10
BuildRequires: libgcrypt-devel >= 1.4.0
BuildRequires: libgpg-error-devel >= 1.7
BuildRequires: libksba-devel >= 1.0.7
BuildRequires: libusb-devel
BuildRequires: openldap2-devel
BuildRequires: readline-devel
BuildRequires: zlib-devel
%if 0%{?suse_version} >= 1120
BuildRequires: libpth-devel >= 1.3.7
%else
BuildRequires: pth >= 1.3.7
%endif
Url: http://www.gnupg.org/aegypten2/
PreReq: %install_info_prereq
Requires: dirmngr
Requires: pinentry
Recommends: %name-lang = %{version}
Provides: gnupg = %{version}
Provides: gpg = 1.4.9
Provides: newpg
# special feature needed for OBS signd
Provides: gpg2_signd_support
Obsoletes: gpg < 1.4.9
Summary: GnuPG 2
License: GPL-3.0+
Group: Productivity/Networking/Security
Source: gnupg-%{version}.tar.bz2
Patch1: gnupg-2.0.18-tmpdir.diff
Patch2: gnupg-2.0.4-install_tools.diff
Patch3: gnupg-2.0.9-RSA_ES.patch
Patch4: gnupg-2.0.9-langinfo.patch
Patch5: gnupg-2.0.18-files-are-digests.patch
Patch6: gnupg-dont-fail-with-seahorse-agent.patch
Patch7: gnupg-broken-curl-test.patch
Patch8: gpg2-CVE-2012-6085.patch
Patch9: gpg2-set_umask_before_open_outfile.patch
Patch10: gpg2-CVE-2013-4351.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
GnuPG 2 is the successor of "GnuPG" or GPG. It provides: GPGSM,
gpg-agent, and a keybox library.
%lang_package
%prep
%setup -q -n gnupg-%version
%patch1 -p1
%patch2
%patch3 -p1
%patch4
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%build
autoreconf -fi
# build PIEs (position independent executables) for address space randomisation:
%ifarch s390x %sparc
# s390x needs to use the large PIE model (at least for gpg.c):
PIE="-fPIE"
%else
PIE="-fpie"
%endif
export CFLAGS="%{optflags} ${PIE}"
export LDFLAGS=-pie
%configure \
--libexecdir=%{_libdir} \
--docdir=%{_docdir}/%{name} \
--with-agent-pgm=%{_prefix}/bin/gpg-agent \
--with-pinentry-pgm=%{_prefix}/bin/pinentry \
--with-dirmngr-pgm=%{_prefix}/bin/dirmngr \
--with-scdaemon-pgm=%{_prefix}/bin/scdaemon \
--enable-ldap \
--enable-gpgsm=yes \
--enable-gpg \
--with-gnu-ld
make %{?_smp_mflags}
%install
%makeinstall
mkdir -p $RPM_BUILD_ROOT/etc/gnupg/
# bnc#391347
install -m 644 doc/examples/gpgconf.conf $RPM_BUILD_ROOT/etc/gnupg
# delete to prevent fdupes from creating cross-partition hardlink
rm -rf $RPM_BUILD_ROOT/usr/share/doc/packages/gpg2/examples/gpgconf.conf
rm $RPM_BUILD_ROOT/usr/share/info/dir
# compat symlinks
ln -sf gpg2 $RPM_BUILD_ROOT/usr/bin/gpg
ln -sf gpgv2 $RPM_BUILD_ROOT/usr/bin/gpgv
ln -sf gpg2.1 $RPM_BUILD_ROOT/usr/share/man/man1/gpg.1
ln -sf gpgv2.1 $RPM_BUILD_ROOT/usr/share/man/man1/gpgv.1
# fix rpmlint invalid-lc-messages-dir:
rm -rf $RPM_BUILD_ROOT/%_datadir/locale/en@{bold,}quot
# additional files to documentation directory
install -m 644 AUTHORS COPYING ChangeLog NEWS THANKS TODO doc/FAQ $RPM_BUILD_ROOT/%{_docdir}/%{name}
%find_lang gnupg2
%if 0%{?suse_version} > 1020
%fdupes %buildroot
%endif
%check
%if ! 0%{?qemu_user_space_build}
make check
$RPM_BUILD_ROOT/usr/bin/gpgsplit -v -p pubsplit- --uncompress version >= 4) {
+ log_bug("files-are-digests doesn't work with v4 sigs\n");
+ }
rc = do_sign( sk, sig, md, hash_for (sk) );
gcry_md_close (md);
@@ -723,6 +727,8 @@ sign_file( strlist_t filenames, int deta
SK_LIST sk_rover = NULL;
int multifile = 0;
u32 duration=0;
+ int sigclass = 0x00;
+ u32 timestamp = 0;
pfx = new_progress_context ();
afx = new_armor_context ();
@@ -739,7 +745,16 @@ sign_file( strlist_t filenames, int deta
fname = NULL;
if( fname && filenames->next && (!detached || encryptflag) )
- log_bug("multiple files can only be detached signed");
+ log_bug("multiple files can only be detached signed\n");
+
+ if (opt.files_are_digests && (multifile || !fname))
+ log_bug("files-are-digests only works with one file\n");
+ if (opt.files_are_digests && !detached)
+ log_bug("files-are-digests can only write detached signatures\n");
+ if (opt.files_are_digests && !opt.def_digest_algo)
+ log_bug("files-are-digests needs --digest-algo\n");
+ if (opt.files_are_digests && opt.textmode)
+ log_bug("files-are-digests doesn't work with --textmode\n");
if(encryptflag==2
&& (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
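Review bot: The four new `files-are-digests` checks report bad option combinations through `log_bug`, which GnuPG uses for internal errors and which, as far as I know, ends the process by aborting. A user mistake on the command line should be reported and returned as an ordinary error instead, e.g. `log_error ("files-are-digests needs --digest-algo\n"); rc = gpg_error (GPG_ERR_INV_ARG); goto leave;` (the `leave` label is used a few lines further down in the same function). The same applies to the input-format checks in the hunk at -995 (`filename is not hex`, `missing time separator`, `bad cipher class`), which act on a caller-supplied string. sign_file starts and ends outside this hunk.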
@@ -767,7 +782,7 @@ sign_file( strlist_t filenames, int deta
goto leave;
/* prepare iobufs */
- if( multifile ) /* have list of filenames */
+ if( multifile || opt.files_are_digests) /* have list of filenames */
inp = NULL; /* we do it later */
else {
inp = iobuf_open(fname);
@@ -900,7 +915,7 @@ sign_file( strlist_t filenames, int deta
gcry_md_enable (mfx.md, hash_for(sk));
}
- if( !multifile )
+ if( !multifile && !opt.files_are_digests )
iobuf_push_filter( inp, md_filter, &mfx );
if( detached && !encryptflag && !RFC1991 )
@@ -955,6 +970,8 @@ sign_file( strlist_t filenames, int deta
write_status_begin_signing (mfx.md);
+ sigclass = opt.textmode && !outfile? 0x01 : 0x00;
+
/* Setup the inner packet. */
if( detached ) {
if( multifile ) {
@@ -995,6 +1012,45 @@ sign_file( strlist_t filenames, int deta
if( opt.verbose )
putc( '\n', stderr );
}
+ else if (opt.files_are_digests) {
+ byte *mdb, ts[5];
+ size_t mdlen;
+ const char *fp;
+ int c, d;
+
+ gcry_md_final(mfx.md);
+ /* this assumes gcry_md_read returns the same buffer */
+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
+ if (strlen(fname) != mdlen * 2 + 11)
+ log_bug("digests must be %d + @ + 5 bytes\n", mdlen);
+ d = -1;
+ for (fp = fname ; *fp; ) {
+ c = *fp++;
+ if (c >= '0' && c <= '9')
+ c -= '0';
+ else if (c >= 'a' && c <= 'f')
+ c -= 'a' - 10;
+ else if (c >= 'A' && c <= 'F')
+ c -= 'A' - 10;
+ else
+ log_bug("filename is not hex\n");
+ if (d >= 0) {
+ *mdb++ = d << 4 | c;
+ c = -1;
+ if (--mdlen == 0) {
+ mdb = ts;
+ if (*fp++ != '@')
+ log_bug("missing time separator\n");
+ }
+ }
+ d = c;
+ }
+ sigclass = ts[0];
+ if (sigclass != 0x00 && sigclass != 0x01)
+ log_bug("bad cipher class\n");
+ timestamp = buffer_to_u32(ts + 1);
+ }
else {
/* read, so that the filter can calculate the digest */
while( iobuf_get(inp) != -1 )
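Review bot: `log_bug("digests must be %d + @ + 5 bytes\n", mdlen)` passes a `size_t` where `%d` expects an `int`, which is undefined where the two types differ in width; cast the argument, `(int)mdlen`. The message `bad cipher class` is actually testing the signature class and should say so. The decoder writes through the pointer returned by `gcry_md_read`, which the code's own comment flags as an assumption about libgcrypt. A comment should state which libgcrypt behaviour is relied on, and that the `strlen(fname)` check is the only thing bounding the writes into `mdb` and the 5-byte `ts` array. sign_file continues outside the hunk.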
@@ -1012,8 +1068,8 @@ sign_file( strlist_t filenames, int deta
/* write the signatures */
rc = write_signature_packets (sk_list, out, mfx.md,
- opt.textmode && !outfile? 0x01 : 0x00,
- 0, duration, detached ? 'D':'S');
+ sigclass,
+ timestamp, duration, detached ? 'D':'S');
if( rc )
goto leave;
++++++ gnupg-2.0.18-tmpdir.diff ++++++
diff -rup gnupg-2.0.18.orig/agent/gpg-agent.c gnupg-2.0.18/agent/gpg-agent.c
--- gnupg-2.0.18.orig/agent/gpg-agent.c 2011-08-04 10:57:02.000000000 +0100
+++ gnupg-2.0.18/agent/gpg-agent.c 2011-08-06 21:01:32.000000000 +0100
@@ -1002,6 +1002,10 @@ main (int argc, char **argv )
gnupg_fd_t fd_ssh;
pid_t pid;
+ char *tmp1, *tmp;
+ char *tmp2 = "gpg-XXXXXX/S.gpg-agent";
+ size_t len;
+
/* Remove the DISPLAY variable so that a pinentry does not
default to a specific display. There is still a default
display when gpg-agent was started using --display or a
@@ -1013,13 +1017,23 @@ main (int argc, char **argv )
unsetenv ("DISPLAY");
#endif
+ if ((tmp1 = getenv("TMPDIR")) == NULL)
+ tmp1 = "/tmp";
+
+ len = strlen(tmp1) + strlen(tmp2) + 10;
+ tmp = malloc(len);
+
+ snprintf(tmp, len, "%s%s%s", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" : "", tmp2);
/* Create the sockets. */
socket_name = create_socket_name
- ("S.gpg-agent", "/tmp/gpg-XXXXXX/S.gpg-agent");
- if (opt.ssh_support)
+ ("S.gpg-agent", tmp);
+ if (opt.ssh_support) {
+ snprintf(tmp, len, "%s%s%s.ssh", tmp1, tmp1 && strlen(tmp1) > 0 ? "/" : "", tmp2);
socket_name_ssh = create_socket_name
- ("S.gpg-agent.ssh", "/tmp/gpg-XXXXXX/S.gpg-agent.ssh");
+ ("S.gpg-agent.ssh", tmp);
+ }
+ free(tmp);
fd = create_server_socket (socket_name, 0, &socket_nonce);
if (opt.ssh_support)
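Review bot: `tmp = malloc(len)` is passed straight to `snprintf` with no NULL check, so an allocation failure at agent start-up becomes a write through a null pointer; GnuPG's aborting allocator, `tmp = xmalloc (len);`, would make the failure explicit. An empty `TMPDIR` passes the `getenv` test and yields the relative template `gpg-XXXXXX/S.gpg-agent`, so the socket directory would be created under the current working directory. Treating empty like unset avoids that: `if (!(tmp1 = getenv ("TMPDIR")) || !*tmp1) tmp1 = "/tmp";`. The `tmp1 &&` test in both `snprintf` calls is always true at that point and can be dropped. main continues outside the hunk.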
++++++ gnupg-2.0.4-install_tools.diff ++++++
Index: tools/Makefile.am
===================================================================
--- tools/Makefile.am.orig
+++ tools/Makefile.am
@@ -32,8 +32,8 @@ sbin_SCRIPTS = addgnupghome applygnupgde
bin_SCRIPTS = gpgsm-gencert.sh
if HAVE_USTAR
-# bin_SCRIPTS += gpg-zip
-noinst_SCRIPTS = gpg-zip
+bin_SCRIPTS += gpg-zip
+#noinst_SCRIPTS = gpg-zip
endif
if BUILD_SYMCRYPTRUN
@@ -51,14 +51,14 @@ endif
bin_PROGRAMS = gpgconf gpg-connect-agent gpgkey2ssh ${symcryptrun} ${gpgtar}
if !HAVE_W32_SYSTEM
-bin_PROGRAMS += watchgnupg gpgparsemail
+bin_PROGRAMS += watchgnupg gpgparsemail gpgsplit
endif
if !DISABLE_REGEX
libexec_PROGRAMS = gpg-check-pattern
endif
-noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert gpgsplit
+noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert
common_libs = $(libcommon) ../jnlib/libjnlib.a ../gl/libgnu.a
pwquery_libs = ../common/libsimple-pwquery.a
++++++ gnupg-2.0.9-RSA_ES.patch ++++++
# adds back support for deprecated RSA_E, RSA_S algorithms
Index: gnupg-2.0.13/g10/misc.c
===================================================================
--- gnupg-2.0.13.orig/g10/misc.c 2009-07-16 08:22:45.000000000 +0200
+++ gnupg-2.0.13/g10/misc.c 2009-11-13 13:19:39.000000000 +0100
@@ -1308,6 +1308,8 @@ pubkey_get_npkey( int algo )
if (algo == GCRY_PK_ELG_E)
algo = GCRY_PK_ELG;
+ if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
+ algo = GCRY_PK_RSA;
if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NPKEY, NULL, &n))
n = 0;
return n;
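Review bot: The same two-line mapping of `GCRY_PK_RSA_E`/`GCRY_PK_RSA_S` to `GCRY_PK_RSA` is pasted into four functions (this hunk and those at -1321, -1334 and -1347), each time next to an identical `GCRY_PK_ELG_E` mapping. A small static helper (name is a suggestion), `static int normalize_pk_algo (int algo)`, called as `algo = normalize_pk_algo (algo);`, would keep the four copies from drifting apart. Failing that, each copy should carry a comment such as `/* Deprecated RSA encrypt-only/sign-only ids are looked up as plain RSA. */`, since the patch header is the only place that says why these ids are accepted again. The function bodies begin outside the hunks.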
@@ -1321,6 +1323,8 @@ pubkey_get_nskey( int algo )
if (algo == GCRY_PK_ELG_E)
algo = GCRY_PK_ELG;
+ if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
+ algo = GCRY_PK_RSA;
if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NSKEY, NULL, &n ))
n = 0;
return n;
@@ -1334,6 +1338,8 @@ pubkey_get_nsig( int algo )
if (algo == GCRY_PK_ELG_E)
algo = GCRY_PK_ELG;
+ if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
+ algo = GCRY_PK_RSA;
if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NSIGN, NULL, &n))
n = 0;
return n;
@@ -1347,6 +1353,8 @@ pubkey_get_nenc( int algo )
if (algo == GCRY_PK_ELG_E)
algo = GCRY_PK_ELG;
+ if (algo == GCRY_PK_RSA_E || algo == GCRY_PK_RSA_S)
+ algo = GCRY_PK_RSA;
if (gcry_pk_algo_info( algo, GCRYCTL_GET_ALGO_NENCR, NULL, &n ))
n = 0;
return n;
++++++ gnupg-2.0.9-langinfo.patch ++++++
# fix [bnc#305725] - non latin characters displayed incorrectly by pinentry
Index: jnlib/utf8conv.c
===================================================================
--- jnlib/utf8conv.c.orig 2008-11-04 15:39:06.000000000 +0100
+++ jnlib/utf8conv.c 2009-06-18 11:42:36.000000000 +0200
@@ -203,6 +203,7 @@ set_native_charset (const char *newset)
#else /*!HAVE_W32_SYSTEM*/
#ifdef HAVE_LANGINFO_CODESET
+ setlocale(LC_ALL, "");
newset = nl_langinfo (CODESET);
#else /*!HAVE_LANGINFO_CODESET*/
/* Try to get the used charset from environment variables. */
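Review bot: `setlocale(LC_ALL, "")` inside `set_native_charset` switches every locale category for the whole process as a side effect of a charset lookup. `nl_langinfo (CODESET)` depends only on the character-type category, so `setlocale (LC_CTYPE, "");` is the narrower change and leaves numeric and time formatting alone. The hunk does not show an `#include <locale.h>` for this file; confirm one is present. A short comment on the added line, e.g. `/* Needed so CODESET reflects the user's locale (bnc#305725). */`, would record why a library helper touches the locale. The function body starts and ends outside the hunk.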
++++++ gnupg-broken-curl-test.patch ++++++
diff --git a/m4/libcurl.m4 b/m4/libcurl.m4
index 7d1dbd3..92cf801 100644
--- a/m4/libcurl.m4
+++ b/m4/libcurl.m4
@@ -68,13 +68,7 @@ AC_DEFUN([LIBCURL_CHECK_CONFIG],
_libcurl_try_link=yes
- if test -d "$_libcurl_with" ; then
- LIBCURL_CPPFLAGS="-I$withval/include"
- _libcurl_ldflags="-L$withval/lib"
- AC_PATH_PROG([_libcurl_config],["$withval/bin/curl-config"])
- else
AC_PATH_PROG([_libcurl_config],[curl-config])
- fi
if test x$_libcurl_config != "x" ; then
AC_CACHE_CHECK([for the version of libcurl],
++++++ gnupg-dont-fail-with-seahorse-agent.patch ++++++
---
g10/passphrase.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: gnupg-2.0.15/g10/passphrase.c
===================================================================
--- gnupg-2.0.15.orig/g10/passphrase.c 2010-01-11 15:11:17.000000000 +0100
+++ gnupg-2.0.15/g10/passphrase.c 2010-04-07 16:06:49.000000000 +0200
@@ -72,7 +72,7 @@ encode_s2k_iterations (int iterations)
{
/* Don't print an error if an older agent is used. */
if (err && gpg_err_code (err) != GPG_ERR_ASS_PARAMETER)
- log_error (_("problem with the agent: %s\n"), gpg_strerror (err));
+ log_info (_("problem with the agent: %s\n"), gpg_strerror (err));
/* Default to 65536 which we used up to 2.0.13. */
return 96;
}
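Review bot: The comment above the changed call still says only that no error is printed for an older agent, but with `log_info` no agent failure on this path is reported as an error any more; every failure falls through to the default return value. The comment should say that and give the reason, e.g. `/* Informational only: an agent that lacks this command (bnc#589994) must not make gpg fail; fall back to the default below. */`. The neighbouring comment `Default to 65536` sits directly above `return 96;`; if 96 is the encoded form of that count, a few words saying so would remove the apparent mismatch. encode_s2k_iterations continues outside the hunk.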
++++++ gpg2-CVE-2012-6085.patch ++++++
commit 498882296ffac7987c644aaf2a0aa108a2925471
Author: Werner Koch
Date: Thu Dec 20 09:43:41 2012 +0100
gpg: Import only packets which are allowed in a keyblock.
* g10/import.c (valid_keyblock_packet): New.
(read_block): Store only valid packets.
--
A corrupted key, which for example included a mangled public key
encrypted packet, used to corrupt the keyring. This change skips all
packets which are not allowed in a keyblock.
GnuPG-bug-id: 1455
(cherry-picked from commit 3a4b96e665fa639772854058737ee3d54ba0694e)
diff --git a/g10/import.c b/g10/import.c
index ba2439d..ad112d6 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -347,6 +347,27 @@ import_print_stats (void *hd)
}
+/* Return true if PKTTYPE is valid in a keyblock. */
+static int
+valid_keyblock_packet (int pkttype)
+{
+ switch (pkttype)
+ {
+ case PKT_PUBLIC_KEY:
+ case PKT_PUBLIC_SUBKEY:
+ case PKT_SECRET_KEY:
+ case PKT_SECRET_SUBKEY:
+ case PKT_SIGNATURE:
+ case PKT_USER_ID:
+ case PKT_ATTRIBUTE:
+ case PKT_RING_TRUST:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+
/****************
* Read the next keyblock from stream A.
* PENDING_PKT should be initialzed to NULL
@@ -424,7 +445,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root )
}
in_cert = 1;
default:
- if( in_cert ) {
+ if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
if( !root )
root = new_kbnode( pkt );
else
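Review bot: A packet rejected by `valid_keyblock_packet` now bypasses the branch that hands `pkt` over to a keyblock node, and the hunk does not show what happens to it afterwards. If the code after the `if` merely re-initialises `pkt`, the parsed contents of every skipped packet would leak, which matters on an import path that reads untrusted key data. An `else` branch that releases it before reuse (GnuPG's `free_packet (pkt);`) would cover that. The skip is also silent; a `log_info` under verbose that names the dropped packet type would let an operator see that an imported key contained packets that do not belong in a keyblock. read_block's body starts and ends outside the hunk.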
++++++ gpg2-CVE-2013-4351.patch ++++++
commit 8f8f3984e82a025cf1384132a419f67f39c7e07d
Author: Werner Koch
Date: Fri Mar 15 15:46:03 2013 +0100
gpg: Distinguish between missing and cleared key flags.
* include/cipher.h (PUBKEY_USAGE_NONE): New.
* g10/getkey.c (parse_key_usage): Set new flag.
--
We do not want to use the default capabilities (derived from the
algorithm) if any key flags are given in a signature. Thus if key
flags are used in any way, the default key capabilities are never
used.
This allows to create a key with key flags set to all zero so it can't
be used. This better reflects common sense.
Modified g10/getkey.c
Index: gnupg-2.0.9/g10/getkey.c
===================================================================
--- gnupg-2.0.9.orig/g10/getkey.c 2013-09-16 16:51:02.752624501 +0200
+++ gnupg-2.0.9/g10/getkey.c 2013-09-16 16:54:20.955952692 +0200
@@ -1457,13 +1457,19 @@ parse_key_usage(PKT_signature *sig)
if(flags)
key_usage |= PUBKEY_USAGE_UNKNOWN;
+
+ if (!key_usage)
+ key_usage |= PUBKEY_USAGE_NONE;
}
+ else if (p) /* Key flags of length zero. */
+ key_usage |= PUBKEY_USAGE_NONE;
/* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
capability that we do not handle. This serves to distinguish
between a zero key usage which we handle as the default
capabilities for that algorithm, and a usage that we do not
- handle. */
+ handle. Likewise we use PUBKEY_USAGE_NONE to indicate that
+ key_flags have been given but they do not specify any usage. */
return key_usage;
}
Index: gnupg-2.0.9/include/cipher.h
===================================================================
--- gnupg-2.0.9.orig/include/cipher.h 2013-09-16 16:51:02.752624501 +0200
+++ gnupg-2.0.9/include/cipher.h 2013-09-16 16:56:27.028429026 +0200
@@ -62,6 +62,11 @@
#define PUBKEY_USAGE_CERT GCRY_PK_USAGE_CERT /* Also good to certify keys. */
#define PUBKEY_USAGE_AUTH GCRY_PK_USAGE_AUTH /* Good for authentication. */
#define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN /* Unknown usage flag. */
+#define PUBKEY_USAGE_NONE 256 /* No usage given. */
+#if (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \
+ | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256
+# error Please choose another value for PUBKEY_USAGE_NONE
+#endif
#define DIGEST_ALGO_MD5 /* 1 */ GCRY_MD_MD5
#define DIGEST_ALGO_SHA1 /* 2 */ GCRY_MD_SHA1
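Review bot: `PUBKEY_USAGE_NONE` is defined as 256, which does not fit in eight bits, and neither hunk of this patch shows the type of the field that eventually stores the result of `parse_key_usage`. If that field is byte-sized, the flag is truncated away on assignment, and any later reader of the field can no longer tell "flags present but empty" from "no flags". Confirm the storage type, and document the constraint at the define, e.g. `/* Does not fit in 8 bits: only valid in int-sized usage values. */`. The `#error` guard protects against overlap with the libgcrypt usage bits but not against narrowing.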
++++++ gpg2-set_umask_before_open_outfile.patch ++++++
Index: gnupg-2.0.20/g10/plaintext.c
===================================================================
--- gnupg-2.0.20.orig/g10/plaintext.c 2013-05-13 14:26:49.290737159 +0200
+++ gnupg-2.0.20/g10/plaintext.c 2013-05-13 14:43:21.740575875 +0200
@@ -25,6 +25,7 @@
#include
#include
#include
+#include
#ifdef HAVE_DOSISH_SYSTEM
#include /* for setmode() */
#endif
@@ -39,6 +40,9 @@
#include "status.h"
#include "i18n.h"
+/* define safe permissions for creating plaintext files */
+#define GPG_SAFE_PERMS (S_IRUSR | S_IWUSR)
+#define GPG_SAFE_UMASK (0777 & ~GPG_SAFE_PERMS)
/****************
* Handle a plaintext packet. If MFX is not NULL, update the MDs
@@ -140,10 +144,15 @@ handle_plaintext( PKT_plaintext *pt, md_
log_error(_("error creating `%s': %s\n"), fname, strerror(errno) );
goto leave;
}
- else if( !(fp = fopen(fname,"wb")) ) {
- rc = gpg_error_from_syserror ();
- log_error(_("error creating `%s': %s\n"), fname, strerror(errno) );
- goto leave;
+ else {
+ mode_t saved_umask = umask(GPG_SAFE_UMASK);
+ if( !(fp = fopen(fname,"wb")) ) {
+ rc = gpg_error_from_syserror ();
+ log_error(_("error creating `%s': %s\n"), fname, strerror(errno) );
+ umask(saved_umask);
+ goto leave;
+ }
+ umask(saved_umask);
}
#else /* __riscos__ */
/* If no output filename was given, i.e. we constructed it,
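Review bot: Wrapping `fopen` in a `umask(GPG_SAFE_UMASK)` / `umask(saved_umask)` pair changes process-wide state and has to be restored on every exit path. It also only affects a file that is newly created, so an output file that already exists keeps whatever mode it had. Passing the mode at creation with `open` and wrapping the descriptor with `fdopen` gives a result that is never wider than 0600 without touching the umask. This needs `<fcntl.h>`, and binary-mode handling on DOS-like builds should be checked since the branch is not limited to POSIX. handle_plaintext starts and ends outside the hunk.

```c
else {
    /* Request 0600 at creation time; the process umask is left alone. */
    int fd = open (fname, O_WRONLY | O_CREAT | O_TRUNC, GPG_SAFE_PERMS);

    fp = fd == -1 ? NULL : fdopen (fd, "wb");
    if( !fp ) {
        rc = gpg_error_from_syserror ();
        log_error(_("error creating `%s': %s\n"), fname, strerror(errno) );
        if (fd != -1)
            close (fd);
        goto leave;
    }
}
/* … unchanged: #else __riscos__ branch … */
```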