Hello community, here is the log from the commit of package gpg checked in at Thu Aug 3 00:31:53 CEST 2006. -------- --- gpg/gpg.changes 2006-06-26 18:08:03.000000000 +0200 +++ gpg/gpg.changes 2006-08-02 20:19:58.000000000 +0200 @@ -1,0 +2,14 @@ +Wed Aug 2 20:19:39 CEST 2006 - kssingvo@suse.de + +- update to version 1.4.5: + * Reverted check for valid standard handles under Windows. + * More DSA2 tweaks. + * Fixed a problem uploading certain keys to the smart card. + * Fixed 2 more possible memory allocation attacks. They are + similar to the problem we fixed with 1.4.4. This bug can easily + be be exploted for a DoS; remote code execution is not entirely + impossible. + * Added Norwegian translation. +- added patch to sign signatures stored in files + +------------------------------------------------------------------- Old: ---- gnupg-1.4.4.tar.bz2 gnupg-1.4.4.tar.bz2.sig New: ---- gnupg-1.4.5-files_are_digests.patch gnupg-1.4.5.tar.bz2 gnupg-1.4.5.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gpg.spec ++++++ --- /var/tmp/diff_new_pack.FabwPL/_old 2006-08-03 00:31:09.000000000 +0200 +++ /var/tmp/diff_new_pack.FabwPL/_new 2006-08-03 00:31:09.000000000 +0200 @@ -1,5 +1,5 @@ # -# spec file for package gpg (Version 1.4.4) +# spec file for package gpg (Version 1.4.5) # # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -12,9 +12,8 @@ Name: gpg BuildRequires: openldap2 openldap2-devel -Version: 1.4.4 +Version: 1.4.5 Release: 1 -%define pversion 1.2.5 License: GPL Group: Productivity/Security %if %suse_version > 811 @@ -26,11 +25,12 @@ Source: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2 Source3: README.SuSE Source4: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig -Patch1: gnupg-%{pversion}.return.diff +Patch1: gnupg-1.2.5.return.diff Patch2: gpg-encrypt-to-opt.diff Patch3: gnupg-1.4.4.photoviewer.patch -Patch4: gnupg-%{pversion}.ppc64-auto.diff -Patch5: gnupg-%{pversion}.use-agent.diff +Patch4: gnupg-1.2.5.ppc64-auto.diff +Patch5: gnupg-1.2.5.use-agent.diff +Patch6: gnupg-1.4.5-files_are_digests.patch URL: http://www.gnupg.de Prefix: /usr BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -59,6 +59,7 @@ %patch3 -p1 %patch4 -p1 -b .auto %patch5 -p1 +%patch6 -p1 chmod a+x checks/verify.test #chown 0:0 -R * # Needed for CVS version @@ -171,6 +172,17 @@ %endif %changelog -n gpg +* Wed Aug 02 2006 - kssingvo@suse.de +- update to version 1.4.5: + * Reverted check for valid standard handles under Windows. + * More DSA2 tweaks. + * Fixed a problem uploading certain keys to the smart card. + * Fixed 2 more possible memory allocation attacks. They are + similar to the problem we fixed with 1.4.4. This bug can easily + be be exploted for a DoS; remote code execution is not entirely + impossible. + * Added Norwegian translation. +- added patch to sign signatures stored in files * Mon Jun 26 2006 - kssingvo@suse.de - upgrade to 1.4.4 (mainly bugfix version) - removed already present (security) bugfixes ++++++ gnupg-1.4.5-files_are_digests.patch ++++++ --- gnupg-1.4.5/g10/gpg.c.orig 2006-06-27 10:00:41.000000000 +0200 +++ gnupg-1.4.5/g10/gpg.c 2006-08-02 20:14:53.000000000 +0200 @@ -342,6 +342,7 @@ oTTYtype, oLCctype, oLCmessages, + oFilesAreDigests, oGroup, oUnGroup, oNoGroups, @@ -682,6 +683,7 @@ { oTTYtype, "ttytype", 2, "@" }, { oLCctype, "lc-ctype", 2, "@" }, { oLCmessages, "lc-messages", 2, "@" }, + { oFilesAreDigests, "files-are-digests", 0, "@" }, { oGroup, "group", 2, "@" }, { oUnGroup, "ungroup", 2, "@" }, { oNoGroups, "no-groups", 0, "@" }, @@ -2681,6 +2683,7 @@ case oTTYtype: opt.ttytype = pargs.r.ret_str; break; case oLCctype: opt.lc_ctype = pargs.r.ret_str; break; case oLCmessages: opt.lc_messages = pargs.r.ret_str; break; + case oFilesAreDigests: opt.files_are_digests = 1; break; case oGroup: add_group(pargs.r.ret_str); break; case oUnGroup: rm_group(pargs.r.ret_str); break; case oNoGroups: --- gnupg-1.4.5/g10/options.h.orig 2006-06-25 12:58:40.000000000 +0200 +++ gnupg-1.4.5/g10/options.h 2006-08-02 20:14:53.000000000 +0200 @@ -193,6 +193,7 @@ int no_auto_check_trustdb; int preserve_permissions; int no_homedir_creation; + int files_are_digests; struct groupitem *grouplist; int strict; int mangle_dos_filenames; --- gnupg-1.4.5/g10/sign.c.orig 2006-06-28 20:54:35.000000000 +0200 +++ gnupg-1.4.5/g10/sign.c 2006-08-02 20:17:12.000000000 +0200 @@ -692,8 +692,12 @@ build_sig_subpkt_from_sig (sig); mk_notation_policy_etc (sig, NULL, sk); - hash_sigversion_to_magic (md, sig); - md_final (md); + if (!opt.files_are_digests) { + hash_sigversion_to_magic (md, sig); + md_final (md); + } else if (sig->version >= 4) { + log_bug("files-are-digests doesn't work with v4 sigs\n"); + } rc = do_sign( sk, sig, md, hash_for (sk) ); md_close (md); @@ -751,6 +755,8 @@ SK_LIST sk_rover = NULL; int multifile = 0; u32 duration=0; + int sigclass = 0x00; + u32 timestamp=0; memset( &afx, 0, sizeof afx); memset( &zfx, 0, sizeof zfx); @@ -766,7 +772,16 @@ fname = NULL; if( fname && filenames->next && (!detached || encryptflag) ) - log_bug("multiple files can only be detached signed"); + log_bug("multiple files can only be detached signed\n"); + + if (opt.files_are_digests && (multifile || !fname)) + log_bug("files-are-digests only works with one file\n"); + if (opt.files_are_digests && !detached) + log_bug("files-are-digests can only write detached signatures\n"); + if (opt.files_are_digests && !opt.def_digest_algo) + log_bug("files-are-digests needs --digest-algo\n"); + if (opt.files_are_digests && opt.textmode) + log_bug("files-are-digests doesn't work with --textmode\n"); if(encryptflag==2 && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) @@ -794,7 +809,7 @@ goto leave; /* prepare iobufs */ - if( multifile ) /* have list of filenames */ + if( multifile || opt.files_are_digests) /* have list of filenames */ inp = NULL; /* we do it later */ else { inp = iobuf_open(fname); @@ -924,7 +939,7 @@ md_enable(mfx.md, hash_for(sk)); } - if( !multifile ) + if( !multifile && !opt.files_are_digests ) iobuf_push_filter( inp, md_filter, &mfx ); if( detached && !encryptflag && !RFC1991 ) @@ -979,6 +994,8 @@ write_status (STATUS_BEGIN_SIGNING); + sigclass = opt.textmode && !outfile? 0x01 : 0x00; + /* Setup the inner packet. */ if( detached ) { if( multifile ) { @@ -1019,6 +1036,45 @@ if( opt.verbose ) putc( '\n', stderr ); } + else if (opt.files_are_digests) { + byte *mdb, ts[5]; + size_t mdlen; + const char *fp; + int c, d; + + md_final(mfx.md); + /* this assumes md_read returns the same buffer */ + mdb = md_read(mfx.md, opt.def_digest_algo); + (void)md_asn_oid(opt.def_digest_algo, (size_t)0, &mdlen); + if (strlen(fname) != mdlen * 2 + 11) + log_bug("digests must be %d + @ + 5 bytes\n", mdlen); + d = -1; + for (fp = fname ; *fp; ) { + c = *fp++; + if (c >= '0' && c <= '9') + c -= '0'; + else if (c >= 'a' && c <= 'f') + c -= 'a' - 10; + else if (c >= 'A' && c <= 'F') + c -= 'A' - 10; + else + log_bug("filename is not hex\n"); + if (d >= 0) { + *mdb++ = d << 4 | c; + c = -1; + if (--mdlen == 0) { + mdb = ts; + if (*fp++ != '@') + log_bug("missing time separator\n"); + } + } + d = c; + } + sigclass = ts[0]; + if (sigclass != 0x00 && sigclass != 0x01) + log_bug("bad cipher class\n"); + timestamp = buffer_to_u32(ts + 1); + } else { /* read, so that the filter can calculate the digest */ while( iobuf_get(inp) != -1 ) @@ -1036,8 +1092,8 @@ /* write the signatures */ rc = write_signature_packets (sk_list, out, mfx.md, - opt.textmode && !outfile? 0x01 : 0x00, - 0, duration, detached ? 'D':'S'); + sigclass, + timestamp, duration, detached ? 'D':'S'); if( rc ) goto leave; ++++++ gnupg-1.4.4.tar.bz2 -> gnupg-1.4.5.tar.bz2 ++++++ ++++ 28583 lines of diff (skipped) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...