Hello community, here is the log from the commit of package gpg2 checked in at Mon Aug 7 11:34:09 CEST 2006.
--------
--- gpg2/gpg2.changes 2006-02-23 17:07:36.000000000 +0100
+++ gpg2/gpg2.changes 2006-08-07 11:10:03.000000000 +0200
@@ -1,0 +2,5 @@
+Mon Aug 7 11:06:19 CEST 2006 - pnemec@suse.cz
+
+- fixed security fix with large uid CVE-2006-3746 [#195569]
+
+-------------------------------------------------------------------
New:
----
gnupg-1.9.18-cap_large_uid.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gpg2.spec ++++++
--- /var/tmp/diff_new_pack.DWYw8Y/_old 2006-08-07 11:32:37.000000000 +0200
+++ /var/tmp/diff_new_pack.DWYw8Y/_new 2006-08-07 11:32:37.000000000 +0200
@@ -22,7 +22,7 @@
 Obsoletes: newpg
 Summary: GnuPG 2
 Version: 1.9.18
-Release: 7
+Release: 17
 %define pthversion 2.0.4
 Source: gnupg-%{version}.tar.bz2
 Source1: pth-%pthversion.tar.bz2
@@ -33,6 +33,7 @@
 Patch5: gnupg-%{version}-ccid-driver-fix.diff
 Patch6: gnupg-%{version}-tmpdir.diff
 Patch7: gnupg-%{version}-signature.patch
+Patch8: gnupg-%{version}-cap_large_uid.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build

 %description
@@ -56,6 +57,7 @@
 %patch5
 %patch6
 %patch7
+%patch8

 %build
 export CFLAGS="$RPM_OPT_FLAGS"
@@ -112,6 +114,8 @@
 /usr/share/gnupg

 %changelog -n gpg2
+* Mon Aug 07 2006 - pnemec@suse.cz
+- fixed security fix with large uid CVE-2006-3746 [#195569]
 * Thu Feb 23 2006 - pnemec@suse.cz
 - fixed signature security problem CVE-2006-0455 (bugzilla#150742)
 * Thu Feb 02 2006 - pnemec@suse.cz
++++++ gnupg-1.9.18-cap_large_uid.patch ++++++
--- g10/parse-packet.c
+++ g10/parse-packet.c
@@ -2024,6 +2024,15 @@
 parse_comment( iobuf_t inp, int pkttype, unsigned long pktlen, PACKET *packet )
 {
 byte *p;
+ /* Cap comment packet at a reasonable value to avoid an integer
+ overflow in the malloc below. Comment packets are actually not
+ anymore define my OpenPGP and we even stopped to use our
+ private comment packet. */
+ if (pktlen>65536) {
+ log_error ("packet(%d) too large\n", pkttype);
+ /*iobuf_skip_rest (inp, pktlen, 0);*/
+ return GPG_ERR_INV_PACKET;
+ }

 packet->pkt.comment = xmalloc (sizeof *packet->pkt.comment + pktlen - 1);
 packet->pkt.comment->len = pktlen;
@@ -2277,6 +2286,9 @@
 if ( sesmark[i] != iobuf_get_noeof(inp) )
 goto skipit;
 }
+ if (pktlen > 4096)
+ goto skipit; /* Definitely too large. We skip it to avoid an
+ overflow in the malloc. */
 if ( list_mode )
 puts ("- gpg control packet");

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
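Review bot: The rejection path in parse_comment leaves the oversized packet's body unread on `inp`, because the `iobuf_skip_rest (inp, pktlen, 0)` call that would consume it is commented out before `return GPG_ERR_INV_PACKET`; unless the caller discards the remaining `pktlen` bytes on that error (not visible in this hunk), the stream stays positioned inside the rejected packet and the next packet header is parsed from the rejected packet's own data. Either restore the call or record the contract where it was disabled, e.g. `/* Caller skips the remaining pktlen bytes on error.  */`, so the next reader does not have to rediscover why; the control-packet hunk sidesteps the question by jumping to `skipit`, which presumably drains the packet. The two bounds, 65536 here and 4096 in the second hunk, are bare magic numbers whose only purpose is to keep `sizeof *packet->pkt.comment + pktlen - 1` (and the control-packet allocation) from wrapping; a named constant such as `MAX_COMMENT_PKTLEN` would tie each limit to the allocation it protects. The comment's phrase `not anymore define my OpenPGP` reads as `no longer defined by OpenPGP`. parse_comment's body and the control-packet function both continue outside the hunk.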