
[pkgsrc/trunk]: pkgsrc/security/gnupg-devel Backport fix for CVE-2006-3082 fr...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/dc60abf9f947
branches:  trunk
changeset: 515056:dc60abf9f947
user:      shannonjr <shannonjr%pkgsrc.org@localhost>
date:      Fri Jun 23 12:28:55 2006 +0000

description:
Backport fix for CVE-2006-3082 from GnuPG: trunk/g10/

diffstat:

 security/gnupg-devel/Makefile         |   7 +++----
 security/gnupg-devel/buildlink3.mk    |  20 +++++++++++---------
 security/gnupg-devel/distinfo         |   3 ++-
 security/gnupg-devel/patches/patch-ba |  24 ++++++++++++++++++++++++
 4 files changed, 40 insertions(+), 14 deletions(-)

diffs (106 lines):

diff -r 024d070e10eb -r dc60abf9f947 security/gnupg-devel/Makefile
--- a/security/gnupg-devel/Makefile     Fri Jun 23 11:59:53 2006 +0000
+++ b/security/gnupg-devel/Makefile     Fri Jun 23 12:28:55 2006 +0000
@@ -1,16 +1,15 @@
-# $NetBSD: Makefile,v 1.16 2006/05/31 18:22:25 ghen Exp $
+# $NetBSD: Makefile,v 1.17 2006/06/23 12:28:55 shannonjr Exp $
 #
 
 DISTNAME=              gnupg-1.9.20
 PKGNAME=               ${DISTNAME:S/gnupg/gnupg-devel/}
-#PKGREVISION=          1
-PKGREVISION=           1
+PKGREVISION=           2
 CATEGORIES=            security
 MASTER_SITES=          ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/
 EXTRACT_SUFX=          .tar.bz2
 DISTFILES=             ${DISTNAME}${EXTRACT_SUFX}
 DISTFILES+=            pth-2.0.4.tar.gz
-SITES_pth-2.0.4.tar.gz=        ${MASTER_SITE_GNU:=pth/}
+SITES.pth-2.0.4.tar.gz=        ${MASTER_SITE_GNU:=pth/}
 
 MAINTAINER=            shannonjr%NetBSD.org@localhost
 HOMEPAGE=              ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/
diff -r 024d070e10eb -r dc60abf9f947 security/gnupg-devel/buildlink3.mk
--- a/security/gnupg-devel/buildlink3.mk        Fri Jun 23 11:59:53 2006 +0000
+++ b/security/gnupg-devel/buildlink3.mk        Fri Jun 23 12:28:55 2006 +0000
@@ -1,26 +1,28 @@
-# $NetBSD: buildlink3.mk,v 1.5 2006/04/12 10:27:32 rillig Exp $
+# $NetBSD: buildlink3.mk,v 1.6 2006/06/23 12:28:55 shannonjr Exp $
 
 BUILDLINK_DEPTH:=              ${BUILDLINK_DEPTH}+
 GNUPG_DEVEL_BUILDLINK3_MK:=    ${GNUPG_DEVEL_BUILDLINK3_MK}+
 
-.if !empty(BUILDLINK_DEPTH:M+)
+.if ${BUILDLINK_DEPTH} == "+"
 BUILDLINK_DEPENDS+=    gnupg-devel
 .endif
 
 BUILDLINK_PACKAGES:=   ${BUILDLINK_PACKAGES:Ngnupg-devel}
 BUILDLINK_PACKAGES+=   gnupg-devel
 
-.if !empty(GNUPG_DEVEL_BUILDLINK3_MK:M+)
-BUILDLINK_API_DEPENDS.gnupg-devel+=    gnupg-devel>=1.9.11
-BUILDLINK_ABI_DEPENDS.gnupg-devel+=    gnupg-devel>=1.9.20nb1
+.if ${GNUPG_DEVEL_BUILDLINK3_MK} == "+"
+BUILDLINK_API_DEPENDS.gnupg-devel+=    gnupg-devel>=1.9.20nb2
 BUILDLINK_PKGSRCDIR.gnupg-devel?=      ../../security/gnupg-devel
 .endif # GNUPG_DEVEL_BUILDLINK3_MK
-BUILDLINK_PREFIX.gnupg-devel?= ${LOCALBASE}
 
-.include "../../security/libgpg-error/buildlink3.mk"
+.include "../../databases/openldap-client/buildlink3.mk"
+.include "../../converters/libiconv/buildlink3.mk"
+.include "../../devel/gettext-lib/buildlink3.mk"
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/libassuan/buildlink3.mk"
 .include "../../security/libgcrypt/buildlink3.mk"
-.include "../../security/libassuan/buildlink3.mk"
+.include "../../security/libgpg-error/buildlink3.mk"
 .include "../../security/libksba/buildlink3.mk"
-.include "../../devel/zlib/buildlink3.mk"
+.include "../../security/pinentry/buildlink3.mk"
 
 BUILDLINK_DEPTH:=              ${BUILDLINK_DEPTH:S/+$//}
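Review bot: The version floor is moved onto `BUILDLINK_API_DEPENDS` and the `BUILDLINK_ABI_DEPENDS.gnupg-devel` line is dropped, so the need for dependents to pick up the patched build is no longer stated as an ABI/revision constraint. If the intent is only to force the fixed package, keeping `BUILDLINK_API_DEPENDS.gnupg-devel+= gnupg-devel>=1.9.11` and setting `BUILDLINK_ABI_DEPENDS.gnupg-devel+= gnupg-devel>=1.9.20nb2` would say that directly. The same hunk also adds four includes (openldap-client, libiconv, gettext-lib, pinentry), removes the `BUILDLINK_PREFIX.gnupg-devel` default and rewrites both `.if` conditions, none of which the commit description mentions. Bundling these with a CVE backport makes the security change harder to audit and to pull up to a stable branch on its own, so they would be better as a separate commit with their own rationale.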
diff -r 024d070e10eb -r dc60abf9f947 security/gnupg-devel/distinfo
--- a/security/gnupg-devel/distinfo     Fri Jun 23 11:59:53 2006 +0000
+++ b/security/gnupg-devel/distinfo     Fri Jun 23 12:28:55 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.11 2006/01/06 11:05:18 shannonjr Exp $
+$NetBSD: distinfo,v 1.12 2006/06/23 12:28:55 shannonjr Exp $
 
 SHA1 (gnupg-1.9.20.tar.bz2) = 557be26c21c114a3b345ce6b177fcb088883f827
 RMD160 (gnupg-1.9.20.tar.bz2) = 3501de32f1526f64510a77fe3cc0905dd7fc8854
@@ -7,3 +7,4 @@
 RMD160 (pth-2.0.4.tar.gz) = ba78260cb8860433cd240e24e2e90dc6997943d8
 Size (pth-2.0.4.tar.gz) = 641851 bytes
 SHA1 (patch-aa) = 4fdedc1f98dbe717fd5a1229944703f19c3c10e5
+SHA1 (patch-ba) = 9ae61eb17f5f447f05d663e97b6b4d288c7f648a
diff -r 024d070e10eb -r dc60abf9f947 security/gnupg-devel/patches/patch-ba
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/gnupg-devel/patches/patch-ba     Fri Jun 23 12:28:55 2006 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-ba,v 1.1 2006/06/23 12:28:55 shannonjr Exp $
+
+--- ./g10/parse-packet.c.orig  2005-07-27 08:18:03.000000000 -0600
++++ ./g10/parse-packet.c
+@@ -1995,6 +1995,19 @@ parse_attribute( iobuf_t inp, int pkttyp
+     byte *p;
+ 
+ #define EXTRA_UID_NAME_SPACE 71
++    /* Cap the size of a user ID at 2k: a value absurdly large enough
++       that there is no sane user ID string (which is printable text
++       as of RFC2440bis) that won't fit in it, but yet small enough to
++       avoid allocation problems.  A large pktlen may not be
++       allocatable, and a very large pktlen could actually cause our
++       allocation to wrap around in xmalloc to a small number. */
++      
++    if(pktlen>2048)
++    {
++      log_error("packet(%d) too large\n", pkttype);
++      iobuf_skip_rest(inp, pktlen, 0);
++      return G10ERR_INVALID_PACKET;
++    }
+     packet->pkt.user_id = xmalloc (sizeof *packet->pkt.user_id
+                                   + EXTRA_UID_NAME_SPACE);
+ 
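Review bot: The new `if(pktlen>2048)` guard sits in `parse_attribute` according to the inner hunk header, directly before an allocation sized by the constant `EXTRA_UID_NAME_SPACE`, whereas its comment describes capping a user ID so that an allocation derived from `pktlen` cannot wrap. No pktlen-sized allocation is visible in this hunk, so it is worth confirming against the upstream change that the user-ID parsing path carries this cap, since that is where the wraparound the comment describes would have to be stopped. As placed, the 2048-byte limit would also reject any attribute packet above 2 KB with `G10ERR_INVALID_PACKET`, which presumably includes ordinary photo-ID attributes. If the attribute path needs a bound, a separate, larger limit with its own comment would fit better. The function body starts and ends outside the hunk.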


