[pkgsrc/trunk]: pkgsrc/security/gnupg2 gnupg2: fix possible security issue

[wiz <wiz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/a6d4d1e30b2e
branches:  trunk
changeset: 381148:a6d4d1e30b2e
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Thu Jun 30 14:48:55 2022 +0000

description:
gnupg2: fix possible security issue

Per
https://www.openwall.com/lists/oss-security/2022/06/30/1
using upstream patch.

Bump PKGREVISION.

diffstat:

 security/gnupg2/Makefile                |   3 +-
 security/gnupg2/distinfo                |   3 +-
 security/gnupg2/patches/patch-g10_cpr.c |  40 +++++++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 2 deletions(-)

diffs (69 lines):

diff -r 8377ceeb800b -r a6d4d1e30b2e security/gnupg2/Makefile
--- a/security/gnupg2/Makefile  Thu Jun 30 14:04:32 2022 +0000
+++ b/security/gnupg2/Makefile  Thu Jun 30 14:48:55 2022 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.133 2022/04/26 08:15:35 adam Exp $
+# $NetBSD: Makefile,v 1.134 2022/06/30 14:48:55 wiz Exp $
 
 DISTNAME=      gnupg-2.2.35
 PKGNAME=       ${DISTNAME:S/gnupg-/gnupg2-/}
+PKGREVISION=   1
 CATEGORIES=    security
 MASTER_SITES=  ftp://ftp.gnupg.org/gcrypt/gnupg/
 MASTER_SITES+= http://mirrors.dotsrc.org/gcrypt/gnupg/
diff -r 8377ceeb800b -r a6d4d1e30b2e security/gnupg2/distinfo
--- a/security/gnupg2/distinfo  Thu Jun 30 14:04:32 2022 +0000
+++ b/security/gnupg2/distinfo  Thu Jun 30 14:48:55 2022 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.73 2022/04/26 08:15:35 adam Exp $
+$NetBSD: distinfo,v 1.74 2022/06/30 14:48:55 wiz Exp $
 
 BLAKE2s (gnupg-2.2.35.tar.bz2) = 74f0a044b85c30a11a59bed4e21c322c7a77c839639996fa30f5e3bee8433830
 SHA512 (gnupg-2.2.35.tar.bz2) = ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
 Size (gnupg-2.2.35.tar.bz2) = 7262687 bytes
 SHA1 (patch-common_sysutils.c) = 569c12e21172c1521284922244b2f4f361c945d6
+SHA1 (patch-g10_cpr.c) = 0a691eb6e6463ce9f9e3e735d3b2d587195a05cc
diff -r 8377ceeb800b -r a6d4d1e30b2e security/gnupg2/patches/patch-g10_cpr.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/gnupg2/patches/patch-g10_cpr.c   Thu Jun 30 14:48:55 2022 +0000
@@ -0,0 +1,40 @@
+$NetBSD: patch-g10_cpr.c,v 1.1 2022/06/30 14:48:55 wiz Exp $
+
+g10: Fix garbled status messages in NOTATION_DATA
+
+* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
+
+Depending on the escaping and line wrapping the computed remaining
+buffer length could be wrong. Fixed by always using a break to
+terminate the escape detection loop. Might have happened for all
+status lines which may wrap.
+
+https://dev.gnupg.org/rG34c649b3601383cd11dbc76221747ec16fd68e1b
+
+--- g10/cpr.c.orig     2022-02-24 13:06:37.000000000 +0000
++++ g10/cpr.c
+@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, co
+             }
+           first = 0;
+         }
+-      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++      for (esc=0, s=buffer, n=len; n; s++, n--)
+         {
+           if (*s == '%' || *(const byte*)s <= lower_limit
+               || *(const byte*)s == 127 )
+             esc = 1;
+           if (wrap && ++count > wrap)
+-            {
+-              dowrap=1;
+-              break;
+-            }
+-        }
+-      if (esc)
+-        {
+-          s--; n++;
++            dowrap=1;
++          if (esc || dowrap)
++            break;
+         }
+       if (s != buffer)
+         es_fwrite (buffer, s-buffer, 1, statusfp);