pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2006Q1]: pkgsrc/security/gnupg Pullup ticket 1709 - requested ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/cbf7455a7e57
branches: pkgsrc-2006Q1
changeset: 510357:cbf7455a7e57
user: snj <snj%pkgsrc.org@localhost>
date: Sun Jun 25 08:58:13 2006 +0000
description:
Pullup ticket 1709 - requested by salo
security update for gnupg
Revisions pulled up:
- pkgsrc/security/gnupg/Makefile 1.83, 1.86
- pkgsrc/security/gnupg/PLIST 1.16
- pkgsrc/security/gnupg/distinfo 1.39, 1.40
- pkgsrc/security/gnupg/options.mk 1.6, 1.7
- pkgsrc/security/gnupg/patches/patch-aa 1.11
- pkgsrc/security/gnupg/patches/patch-ak 1.3
- pkgsrc/security/gnupg/patches/patch-ba 1.1
Module Name: pkgsrc
Committed By: wiz
Date: Tue Apr 4 21:16:37 UTC 2006
Modified Files:
pkgsrc/security/gnupg: Makefile PLIST distinfo options.mk
pkgsrc/security/gnupg/patches: patch-aa patch-ak
Log Message:
Update to 1.4.3:
Noteworthy changes in version 1.4.3 (2006-04-03)
------------------------------------------------
* If available, cURL-based keyserver helpers are built that can
retrieve keys using HKP or any protocol that cURL supports
(HTTP, HTTPS, FTP, FTPS, etc). If cURL is not available, HKP
and HTTP are still supported using a built-in cURL emulator. To
force building the old pre-cURL keyserver helpers, use the
configure option --enable-old-keyserver-helpers. Note that none
of this affects finger or LDAP support, which are unchanged.
Note also that a future version of GnuPG will remove the old
keyserver helpers altogether.
* Implemented Public Key Association (PKA) signature verification.
This uses special DNS records and notation data to associate a
mail address with an OpenPGP key to prove that mail coming from
that address is legitimate without the need for a full trust
path to the signing key.
* When exporting subkeys, those specified with a key ID or
fingerpint and the '!' suffix are now merged into one keyblock.
* Added "gpg-zip", a program to create encrypted archives that can
interoperate with PGP Zip.
* Added support for signing subkey cross-certification "back
signatures". Requiring cross-certification to be present is
currently off by default, but will be changed to on by default
in the future, once more keys use it. A new "cross-certify"
command in the --edit-key menu can be used to update signing
subkeys to have cross-certification.
* The key cleaning options for --import-options and
--export-options have been further polished. "import-clean" and
"export-clean" replace the older
import-clean-sigs/import-clean-uids and
export-clean-sigs/export-clean-uids option pairs.
* New "minimize" command in the --edit-key menu removes everything
that can be removed from a key, rendering it as small as
possible. There are corresponding "export-minimal" and
"import-minimal" commands for --export-options and
--import-options.
* New --fetch-keys command to retrieve keys by specifying a URI.
This allows direct key retrieval from a web page or other
location that can be specified in a URI. Available protocols
are HTTP and finger, plus anything that cURL supplies, if built
with cURL support.
* Files containing several signed messages are not allowed any
longer as there is no clean way to report the status of such
files back to the caller. To partly revert to the old behaviour
the new option --allow-multisig-verification may be used.
* The keyserver helpers can now handle keys in either ASCII armor
or binary format.
* New auto-key-locate option that takes an ordered list of methods
to locate a key if it is not available at encryption time (-r or
--recipient). Possible methods include "cert" (use DNS CERT as
per RFC2538bis, "pka" (use DNS PKA), "ldap" (consult the LDAP
server for the domain in question), "keyserver" (use the
currently defined keyserver), as well as arbitrary keyserver
URIs that will be contacted for the key.
* Able to retrieve keys using DNS CERT records as per RFC-2538bis
(currently in draft): http://www.josefsson.org/rfc2538bis
pkgsrc change:
make architecture-specific options really architecture-specific.
---
Module Name: pkgsrc
Committed By: drochner
Date: Wed Apr 5 10:04:12 UTC 2006
Modified Files:
pkgsrc/security/gnupg: options.mk
Log Message:
--with-libcurl is on per default, so revert the logics
(no functional change, just more effective because a compile check
is skipped)
---
Module Name: pkgsrc
Committed By: salo
Date: Sat Jun 24 14:20:29 UTC 2006
Modified Files:
pkgsrc/security/gnupg: Makefile distinfo
Added Files:
pkgsrc/security/gnupg/patches: patch-ba
Log Message:
Security fix for CVE-2006-3082:
"parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions,
allows remote attackers to cause a denial of service (gpg crash) and
possibly overwrite memory via a message packet with a large length,
which could lead to an integer overflow, as demonstrated using the
--no-armor option."
Patch from GnuPG CVS repository.
Bump PKGREVISION.
diffstat:
security/gnupg/Makefile | 5 +++--
security/gnupg/PLIST | 6 +++---
security/gnupg/distinfo | 13 +++++++------
security/gnupg/options.mk | 18 +++++++++++++-----
security/gnupg/patches/patch-aa | 8 ++++----
security/gnupg/patches/patch-ak | 6 +++---
security/gnupg/patches/patch-ba | 27 +++++++++++++++++++++++++++
7 files changed, 60 insertions(+), 23 deletions(-)
diffs (155 lines):
diff -r eb0ec6f2a1c5 -r cbf7455a7e57 security/gnupg/Makefile
--- a/security/gnupg/Makefile Fri Jun 23 13:46:37 2006 +0000
+++ b/security/gnupg/Makefile Sun Jun 25 08:58:13 2006 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.82 2006/03/10 15:10:08 ghen Exp $
+# $NetBSD: Makefile,v 1.82.2.1 2006/06/25 08:58:13 snj Exp $
-DISTNAME= gnupg-1.4.2.2
+DISTNAME= gnupg-1.4.3
+PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= ftp://ftp.gnupg.org/gcrypt/gnupg/ \
ftp://ftp.planetmirror.com/pub/gnupg/ \
diff -r eb0ec6f2a1c5 -r cbf7455a7e57 security/gnupg/PLIST
--- a/security/gnupg/PLIST Fri Jun 23 13:46:37 2006 +0000
+++ b/security/gnupg/PLIST Sun Jun 25 08:58:13 2006 +0000
@@ -1,11 +1,11 @@
-@comment $NetBSD: PLIST,v 1.15 2005/03/22 17:50:55 wiz Exp $
+@comment $NetBSD: PLIST,v 1.15.8.1 2006/06/25 08:58:13 snj Exp $
bin/gpg
+bin/gpg-zip
bin/gpgsplit
bin/gpgv
-${CURL}libexec/gnupg/gpgkeys_curl
+libexec/gnupg/gpgkeys_curl
libexec/gnupg/gpgkeys_finger
libexec/gnupg/gpgkeys_hkp
-${NOCURL}libexec/gnupg/gpgkeys_http
${OPENLDAP}libexec/gnupg/gpgkeys_ldap
man/man1/gpg.1
man/man1/gpg.ru.1
diff -r eb0ec6f2a1c5 -r cbf7455a7e57 security/gnupg/distinfo
--- a/security/gnupg/distinfo Fri Jun 23 13:46:37 2006 +0000
+++ b/security/gnupg/distinfo Sun Jun 25 08:58:13 2006 +0000
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.38 2006/03/10 15:10:08 ghen Exp $
+$NetBSD: distinfo,v 1.38.2.1 2006/06/25 08:58:13 snj Exp $
-SHA1 (gnupg-1.4.2.2.tar.bz2) = f5559ddb004e0638f6bd9efe2bac00134c5065ba
-RMD160 (gnupg-1.4.2.2.tar.bz2) = cbbf3ffafa51fdf985c2562ecafccd72bc36ea0d
-Size (gnupg-1.4.2.2.tar.bz2) = 3034652 bytes
+SHA1 (gnupg-1.4.3.tar.bz2) = 9e96b36e4f4d1e8bc5028c99fac674482cbdb370
+RMD160 (gnupg-1.4.3.tar.bz2) = f6d328785f41b74f97d25305c6fe95ad45bb70a5
+Size (gnupg-1.4.3.tar.bz2) = 3114088 bytes
SHA1 (idea.c.gz) = 82fded4ec31b97b3b2dd22741880b67cfee40f84
RMD160 (idea.c.gz) = e35be5a031d10d52341ac5f029d28f811edd908d
Size (idea.c.gz) = 5216 bytes
-SHA1 (patch-aa) = 2916ba7403fea027d872fe62ce271c2e8b8ac3be
+SHA1 (patch-aa) = 91d55ca22b58e8a1f3c17a2fd0ad888d4c85c6cf
SHA1 (patch-ab) = 29a7d0b736322eb1ecf0925a2419b513f323000e
-SHA1 (patch-ak) = d6a13c41905c7d0c5bf883add227bc7d5267dc06
+SHA1 (patch-ak) = 89a6a7552104f4d5b97a98889da88fca68c54f31
+SHA1 (patch-ba) = d32db008ec704dacf382da4f43ad6b3f0de88dcb
diff -r eb0ec6f2a1c5 -r cbf7455a7e57 security/gnupg/options.mk
--- a/security/gnupg/options.mk Fri Jun 23 13:46:37 2006 +0000
+++ b/security/gnupg/options.mk Sun Jun 25 08:58:13 2006 +0000
@@ -1,7 +1,17 @@
-# $NetBSD: options.mk,v 1.5 2005/12/05 20:50:56 rillig Exp $
+# $NetBSD: options.mk,v 1.5.4.1 2006/06/25 08:58:14 snj Exp $
PKG_OPTIONS_VAR= PKG_OPTIONS.gnupg
-PKG_SUPPORTED_OPTIONS= i586-optimized curl idea ldap m68060-optimized
+PKG_SUPPORTED_OPTIONS= curl idea ldap
+
+.include "../../mk/bsd.prefs.mk"
+
+.if ${MACHINE_ARCH:Mi386}
+PKG_SUPPORTED_OPTIONS+= i586-optimized
+.endif
+
+.if ${MACHINE_ARCH:Mm68k}
+PKG_SUPPORTED_OPTIONS+= m68060-optimized
+.endif
.include "../../mk/bsd.options.mk"
@@ -13,10 +23,8 @@
.if !empty(PKG_OPTIONS:Mcurl)
.include "../../www/curl/buildlink3.mk"
-CONFIGURE_ARGS+= --with-libcurl
-PLIST_SUBST+= CURL="" NOCURL="@comment "
.else
-PLIST_SUBST+= CURL="@comment " NOCURL=""
+CONFIGURE_ARGS+= --without-libcurl
.endif
.if !empty(PKG_OPTIONS:Midea)
diff -r eb0ec6f2a1c5 -r cbf7455a7e57 security/gnupg/patches/patch-aa
--- a/security/gnupg/patches/patch-aa Fri Jun 23 13:46:37 2006 +0000
+++ b/security/gnupg/patches/patch-aa Sun Jun 25 08:58:13 2006 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-aa,v 1.10 2004/12/25 02:54:13 wiz Exp $
+$NetBSD: patch-aa,v 1.10.10.1 2006/06/25 08:58:14 snj Exp $
---- cipher/idea-stub.c.orig 2004-11-17 16:50:56.000000000 +0100
+--- cipher/idea-stub.c.orig 2005-12-08 06:58:36.000000000 +0000
+++ cipher/idea-stub.c
-@@ -132,9 +132,9 @@ load_module (const char *name)
+@@ -133,9 +133,9 @@ load_module (const char *name)
}
sym = dlsym (handle, "idea_get_info");
@@ -13,4 +13,4 @@
+ if ((sym == NULL) && (err=dlerror()))
goto failure;
- return sym;
+ return (INFO_FNC)sym;
diff -r eb0ec6f2a1c5 -r cbf7455a7e57 security/gnupg/patches/patch-ak
--- a/security/gnupg/patches/patch-ak Fri Jun 23 13:46:37 2006 +0000
+++ b/security/gnupg/patches/patch-ak Sun Jun 25 08:58:13 2006 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-ak,v 1.2 2004/12/25 02:54:13 wiz Exp $
+$NetBSD: patch-ak,v 1.2.10.1 2006/06/25 08:58:14 snj Exp $
---- include/types.h.orig 2003-09-28 13:35:29.000000000 +0200
+--- include/types.h.orig 2005-07-27 17:02:56.000000000 +0000
+++ include/types.h
-@@ -103,7 +103,12 @@ typedef unsigned long u32;
+@@ -104,7 +104,12 @@ typedef unsigned long u32;
#undef u64 /* maybe there is a macro with this name */
#if SIZEOF_UINT64_T == 8
typedef uint64_t u64;
diff -r eb0ec6f2a1c5 -r cbf7455a7e57 security/gnupg/patches/patch-ba
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/gnupg/patches/patch-ba Sun Jun 25 08:58:13 2006 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-ba,v 1.1.2.2 2006/06/25 08:58:14 snj Exp $
+
+Security fix for CVE-2006-3082, from GnuPG CVS repository.
+
+--- g10/parse-packet.c.orig 2005-12-06 14:22:19.000000000 +0100
++++ g10/parse-packet.c 2006-06-24 16:09:34.000000000 +0200
+@@ -1972,6 +1972,20 @@
+ {
+ byte *p;
+
++ /* Cap the size of a user ID at 2k: a value absurdly large enough
++ that there is no sane user ID string (which is printable text
++ as of RFC2440bis) that won't fit in it, but yet small enough to
++ avoid allocation problems. A large pktlen may not be
++ allocatable, and a very large pktlen could actually cause our
++ allocation to wrap around in xmalloc to a small number. */
++
++ if(pktlen>2048)
++ {
++ log_error("packet(%d) too large\n", pkttype);
++ iobuf_skip_rest(inp, pktlen, 0);
++ return G10ERR_INVALID_PACKET;
++ }
++
+ packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen);
+ packet->pkt.user_id->len = pktlen;
+ packet->pkt.user_id->ref=1;
Home |
Main Index |
Thread Index |
Old Index