pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/gnupg Security fix for CVE-2006-3082:



details:   https://anonhg.NetBSD.org/pkgsrc/rev/d1fe2ed107bf
branches:  trunk
changeset: 515091:d1fe2ed107bf
user:      salo <salo%pkgsrc.org@localhost>
date:      Sat Jun 24 14:20:29 2006 +0000

description:
Security fix for CVE-2006-3082:

"parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions,
 allows remote attackers to cause a denial of service (gpg crash) and
 possibly overwrite memory via a message packet with a large length,
 which could lead to an integer overflow, as demonstrated using the
 --no-armor option."

Patch from GnuPG CVS repository.
Bump PKGREVISION.

diffstat:

 security/gnupg/Makefile         |   3 ++-
 security/gnupg/distinfo         |   3 ++-
 security/gnupg/patches/patch-ba |  27 +++++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)

diffs (57 lines):

diff -r 6df73c749708 -r d1fe2ed107bf security/gnupg/Makefile
--- a/security/gnupg/Makefile   Sat Jun 24 13:37:08 2006 +0000
+++ b/security/gnupg/Makefile   Sat Jun 24 14:20:29 2006 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.85 2006/04/13 18:23:37 jlam Exp $
+# $NetBSD: Makefile,v 1.86 2006/06/24 14:20:29 salo Exp $
 
 DISTNAME=      gnupg-1.4.3
+PKGREVISION=   1
 CATEGORIES=    security
 MASTER_SITES=  ftp://ftp.gnupg.org/gcrypt/gnupg/ \
                ftp://ftp.planetmirror.com/pub/gnupg/ \
diff -r 6df73c749708 -r d1fe2ed107bf security/gnupg/distinfo
--- a/security/gnupg/distinfo   Sat Jun 24 13:37:08 2006 +0000
+++ b/security/gnupg/distinfo   Sat Jun 24 14:20:29 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.39 2006/04/04 21:16:37 wiz Exp $
+$NetBSD: distinfo,v 1.40 2006/06/24 14:20:29 salo Exp $
 
 SHA1 (gnupg-1.4.3.tar.bz2) = 9e96b36e4f4d1e8bc5028c99fac674482cbdb370
 RMD160 (gnupg-1.4.3.tar.bz2) = f6d328785f41b74f97d25305c6fe95ad45bb70a5
@@ -9,3 +9,4 @@
 SHA1 (patch-aa) = 91d55ca22b58e8a1f3c17a2fd0ad888d4c85c6cf
 SHA1 (patch-ab) = 29a7d0b736322eb1ecf0925a2419b513f323000e
 SHA1 (patch-ak) = 89a6a7552104f4d5b97a98889da88fca68c54f31
+SHA1 (patch-ba) = d32db008ec704dacf382da4f43ad6b3f0de88dcb
diff -r 6df73c749708 -r d1fe2ed107bf security/gnupg/patches/patch-ba
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/gnupg/patches/patch-ba   Sat Jun 24 14:20:29 2006 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-ba,v 1.1 2006/06/24 14:20:29 salo Exp $
+
+Security fix for CVE-2006-3082, from GnuPG CVS repository.
+
+--- g10/parse-packet.c.orig    2005-12-06 14:22:19.000000000 +0100
++++ g10/parse-packet.c 2006-06-24 16:09:34.000000000 +0200
+@@ -1972,6 +1972,20 @@
+ {
+     byte *p;
+ 
++    /* Cap the size of a user ID at 2k: a value absurdly large enough
++       that there is no sane user ID string (which is printable text
++       as of RFC2440bis) that won't fit in it, but yet small enough to
++       avoid allocation problems.  A large pktlen may not be
++       allocatable, and a very large pktlen could actually cause our
++       allocation to wrap around in xmalloc to a small number. */
++
++    if(pktlen>2048)
++      {
++      log_error("packet(%d) too large\n", pkttype);
++      iobuf_skip_rest(inp, pktlen, 0);
++      return G10ERR_INVALID_PACKET;
++      }
++
+     packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen);
+     packet->pkt.user_id->len = pktlen;
+     packet->pkt.user_id->ref=1;
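
Review bot: The `if(pktlen>2048)` guard covers only this user ID allocation, while the commit message describes the problem as a message packet with a large length, so it is worth confirming that no other allocation in g10/parse-packet.c adds a packet-supplied pktlen to a struct size without a bound; only this one site is visible here. The check also relies on pktlen being unsigned (its declaration is outside the hunk); if it were signed, a negative value would pass the comparison and still reach `xmalloc_clear(sizeof *packet->pkt.user_id + pktlen)`. Consider a named constant for 2048 (for example a MAX_UID_PACKET_LENGTH define, a hypothetical name) so the limit and its comment stay together, and include pktlen in the log_error message so a rejected packet can be diagnosed from the log.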


