author | Alon Bar-Lev <alonbl@gentoo.org> | 2014-12-31 18:27:16 +0000 |
committer | Alon Bar-Lev <alonbl@gentoo.org> | 2014-12-31 18:27:16 +0000 |
commit | 95ae4c719a6d24004629b7f6e8824985e88410f8 (patch) | |
tree | 82532c457d57ad80114586bdd9efe9fcf86775d0 /app-crypt | |
parent | Version bump, bug 532016. (diff) | |
Fix misc CVEs, bug#534110
(Portage version: 2.2.14/cvs/Linux x86_64, signed Manifest commit with key BF20DC51)
Diffstat (limited to 'app-crypt')
-rw-r--r-- | app-crypt/gnupg/ChangeLog | 10 | ||||
-rw-r--r-- | app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch | 118 | ||||
-rw-r--r-- | app-crypt/gnupg/files/gnupg-2.1.1-misc-cve.patch | 130 | ||||
-rw-r--r-- | app-crypt/gnupg/gnupg-2.0.26-r3.ebuild | 165 | ||||
-rw-r--r-- | app-crypt/gnupg/gnupg-2.1.1-r1.ebuild (renamed from app-crypt/gnupg/gnupg-2.1.1.ebuild) | 3 |
5 files changed, 424 insertions, 2 deletions
diff --git a/app-crypt/gnupg/ChangeLog b/app-crypt/gnupg/ChangeLog
index 8d922fef821f..4d45479c81e5 100644
--- a/app-crypt/gnupg/ChangeLog
+++ b/app-crypt/gnupg/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for app-crypt/gnupg
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/gnupg/ChangeLog,v 1.561 2014/12/17 19:05:55 k_f Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/gnupg/ChangeLog,v 1.562 2014/12/31 18:27:16 alonbl Exp $
+
+*gnupg-2.0.26-r3 (31 Dec 2014)
+*gnupg-2.1.1-r1 (31 Dec 2014)
+
+  31 Dec 2014; Alon Bar-Lev <alonbl@gentoo.org>
+  +files/gnupg-2.0.26-misc-cve.patch, +files/gnupg-2.1.1-misc-cve.patch,
+  +gnupg-2.0.26-r3.ebuild, +gnupg-2.1.1-r1.ebuild, -gnupg-2.1.1.ebuild:
+  Fix misc CVEs, bug#534110
 *gnupg-2.1.1 (17 Dec 2014)
diff --git a/app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch b/app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch
new file mode 100644
index 000000000000..734a04abd553
--- /dev/null
+++ b/app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch
@@ -0,0 +1,118 @@
+From ed8383c618e124cfa708c9ee87563fcdf2f4649c Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 19 Dec 2014 18:53:34 -0500
+Subject: [PATCH] sm: Avoid double-free on iconv failure
+
+* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid
+double-free of pwbuf.
+
+--
+
+Observed by Joshua Rogers <honey@internot.info>, who proposed a
+slightly different fix.
+
+Debian-Bug-Id: 773472
+
+Added fix at a second place - wk.
+---
+ sm/minip12.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/agent/minip12.c b/agent/minip12.c
+index 01b91b7..ca4d248 100644
+--- a/agent/minip12.c
++++ b/agent/minip12.c
+@@ -2422,6 +2422,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
+ " requested charset '%s': %s\n",
+ charset, strerror (errno));
+ gcry_free (pwbuf);
++ pwbuf = NULL;
+ goto failure;
+ }
+
+@@ -2436,6 +2437,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
+ " requested charset '%s': %s\n",
+ charset, strerror (errno));
+ gcry_free (pwbuf);
++ pwbuf = NULL;
+ jnlib_iconv_close (cd);
+ goto failure;
+ }
+--
+1.7.10.4
+
+From b0b3803e8c2959dd67ca96debc54b5c6464f0d41 Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 19 Dec 2014 18:07:55 -0500
+Subject: [PATCH] scd: Avoid double-free on error condition in scd
+
+* scd/command.c (cmd_readkey): avoid double-free of cert
+
+--
+
+When ksba_cert_new() fails, cert will be double-freed.
+
+Debian-Bug-Id: 773471
+
+Original patch changed by wk to do the free only at leave.
+---
+ scd/command.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/scd/command.c b/scd/command.c
+index dd4191f..1cc580a 100644
+--- a/scd/command.c
++++ b/scd/command.c
+@@ -804,10 +804,8 @@ cmd_readkey (assuan_context_t ctx, char *line)
+
+ rc = ksba_cert_new (&kc);
+ if (rc)
+- {
+- xfree (cert);
+- goto leave;
+- }
++ goto leave;
++
+ rc = ksba_cert_init_from_mem (kc, cert, ncert);
+ if (rc)
+ {
+--
+1.7.10.4
+
+From abd5f6752d693b7f313c19604f0723ecec4d39a6 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 22 Dec 2014 12:16:46 +0100
+Subject: [PATCH] dirmngr,gpgsm: Return NULL on fail
+
+* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL.
+* sm/gpgsm.c (parse_keyserver_line): Ditto.
+--
+
+Reported-by: Joshua Rogers <git@internot.info>
+
+ "If something inside the ldapserver_parse_one function failed,
+ 'server' would be freed, then returned, leading to a
+ use-after-free. This code is likely copied from sm/gpgsm.c, which
+ was also susceptible to this bug."
+
+Signed-off-by: Werner Koch <wk@gnupg.org>
+---
+ dirmngr/ldapserver.c | 1 +
+ sm/gpgsm.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/sm/gpgsm.c b/sm/gpgsm.c
+index 3398d17..72bceb4 100644
+--- a/sm/gpgsm.c
++++ b/sm/gpgsm.c
+@@ -862,6 +862,7 @@ parse_keyserver_line (char *line,
+ {
+ log_info (_("%s:%u: skipping this line\n"), filename, lineno);
+ keyserver_list_free (server);
++ server = NULL;
+ }
+
+ return server;
+--
+1.7.10.4
+
diff --git a/app-crypt/gnupg/files/gnupg-2.1.1-misc-cve.patch b/app-crypt/gnupg/files/gnupg-2.1.1-misc-cve.patch
new file mode 100644
index 000000000000..1a54a3d8d58f
--- /dev/null
+++ b/app-crypt/gnupg/files/gnupg-2.1.1-misc-cve.patch
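Review bot: The backported patch file's own headers no longer match the hunks it carries: the first embedded commit's description and diffstat say `sm/minip12.c` while its diff is against `agent/minip12.c`, and the third commit's diffstat lists `dirmngr/ldapserver.c | 1 +` although only the `sm/gpgsm.c` hunk was kept here (the 2.1.1 copy below still has both). `epatch` reads only the diff bodies, so this applies, but the next person comparing the file with upstream will wonder whether the dirmngr hunk was lost; a line of leading text before the first `From`, such as `Backport to 2.0.26: minip12.c lives in agent/ here, and the dirmngr/ldapserver.c hunk is dropped because this tree has no dirmngr (see the 2.1.1 patch for the full commit).`, would settle it. Neither this file, the gnupg-2.1.1-misc-cve.patch hunk below nor the ChangeLog entry records which CVE identifiers "misc CVEs" refers to; only the Debian bug ids 773471 and 773472 are named, so the identifiers (`CVE-<year>-<nnnn>` placeholders until confirmed) belong in the patch file header or on the ChangeLog line so that the fix can be traced from a vulnerability report.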
@@ -0,0 +1,130 @@
+From ed8383c618e124cfa708c9ee87563fcdf2f4649c Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 19 Dec 2014 18:53:34 -0500
+Subject: [PATCH] sm: Avoid double-free on iconv failure
+
+* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid
+double-free of pwbuf.
+
+--
+
+Observed by Joshua Rogers <honey@internot.info>, who proposed a
+slightly different fix.
+
+Debian-Bug-Id: 773472
+
+Added fix at a second place - wk.
+---
+ sm/minip12.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sm/minip12.c b/sm/minip12.c
+index 01b91b7..ca4d248 100644
+--- a/sm/minip12.c
++++ b/sm/minip12.c
+@@ -2422,6 +2422,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
+ " requested charset '%s': %s\n",
+ charset, strerror (errno));
+ gcry_free (pwbuf);
++ pwbuf = NULL;
+ goto failure;
+ }
+
+@@ -2436,6 +2437,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
+ " requested charset '%s': %s\n",
+ charset, strerror (errno));
+ gcry_free (pwbuf);
++ pwbuf = NULL;
+ jnlib_iconv_close (cd);
+ goto failure;
+ }
+--
+1.7.10.4
+
+From b0b3803e8c2959dd67ca96debc54b5c6464f0d41 Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 19 Dec 2014 18:07:55 -0500
+Subject: [PATCH] scd: Avoid double-free on error condition in scd
+
+* scd/command.c (cmd_readkey): avoid double-free of cert
+
+--
+
+When ksba_cert_new() fails, cert will be double-freed.
+
+Debian-Bug-Id: 773471
+
+Original patch changed by wk to do the free only at leave.
+---
+ scd/command.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/scd/command.c b/scd/command.c
+index dd4191f..1cc580a 100644
+--- a/scd/command.c
++++ b/scd/command.c
+@@ -804,10 +804,8 @@ cmd_readkey (assuan_context_t ctx, char *line)
+
+ rc = ksba_cert_new (&kc);
+ if (rc)
+- {
+- xfree (cert);
+- goto leave;
+- }
++ goto leave;
++
+ rc = ksba_cert_init_from_mem (kc, cert, ncert);
+ if (rc)
+ {
+--
+1.7.10.4
+
+From abd5f6752d693b7f313c19604f0723ecec4d39a6 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 22 Dec 2014 12:16:46 +0100
+Subject: [PATCH] dirmngr,gpgsm: Return NULL on fail
+
+* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL.
+* sm/gpgsm.c (parse_keyserver_line): Ditto.
+--
+
+Reported-by: Joshua Rogers <git@internot.info>
+
+ "If something inside the ldapserver_parse_one function failed,
+ 'server' would be freed, then returned, leading to a
+ use-after-free. This code is likely copied from sm/gpgsm.c, which
+ was also susceptible to this bug."
+
+Signed-off-by: Werner Koch <wk@gnupg.org>
+---
+ dirmngr/ldapserver.c | 1 +
+ sm/gpgsm.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/dirmngr/ldapserver.c b/dirmngr/ldapserver.c
+index 20a574c..5808c5b 100644
+--- a/dirmngr/ldapserver.c
++++ b/dirmngr/ldapserver.c
+@@ -125,6 +125,7 @@ ldapserver_parse_one (char *line,
+ {
+ log_info (_("%s:%u: skipping this line\n"), filename, lineno);
+ ldapserver_list_free (server);
++ server = NULL;
+ }
+
+ return server;
+diff --git a/sm/gpgsm.c b/sm/gpgsm.c
+index 3398d17..72bceb4 100644
+--- a/sm/gpgsm.c
++++ b/sm/gpgsm.c
+@@ -862,6 +862,7 @@ parse_keyserver_line (char *line,
+ {
+ log_info (_("%s:%u: skipping this line\n"), filename, lineno);
+ keyserver_list_free (server);
++ server = NULL;
+ }
+
+ return server;
+--
+1.7.10.4
+
diff --git a/app-crypt/gnupg/gnupg-2.0.26-r3.ebuild b/app-crypt/gnupg/gnupg-2.0.26-r3.ebuild
new file mode 100644
index 000000000000..9e03d08aa770
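Review bot: The `cmd_readkey` hunk in the second embedded commit replaces the `xfree (cert)` on the `ksba_cert_new` failure path with a bare `goto leave;` and so depends on the `leave:` cleanup releasing `cert`; that label and the rest of the function lie outside the hunk, so nothing on this page shows that the free happens there. The embedded message says wk moved the free to leave for the upstream tree this commit targets, but the identical hunk is also carried in gnupg-2.0.26-misc-cve.patch above, and if the 2.0.26 `leave:` path does not free `cert` the backport trades a double-free for a leak on every failed READKEY. Worth recording the check in that file's leading text once someone has looked, e.g. `Verified against 2.0.26 scd/command.c: the leave: path frees cert.`.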
--- /dev/null
+++ b/app-crypt/gnupg/gnupg-2.0.26-r3.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/gnupg/gnupg-2.0.26-r3.ebuild,v 1.1 2014/12/31 18:27:16 alonbl Exp $
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs
+
+DESCRIPTION="The GNU Privacy Guard, a GPL pgp replacement"
+HOMEPAGE="http://www.gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${P}.tar.bz2"
+# SRC_URI="ftp://ftp.gnupg.org/gcrypt/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="bzip2 doc ldap nls mta readline static selinux smartcard tools usb"
+
+COMMON_DEPEND_LIBS="
+ >=dev-libs/libassuan-2
+ >=dev-libs/libgcrypt-1.4:0=
+ >=dev-libs/libgpg-error-1.11
+ >=dev-libs/libksba-1.0.7
+ >=dev-libs/pth-1.3.7
+ >=net-misc/curl-7.10
+ sys-libs/zlib
+ bzip2? ( app-arch/bzip2 )
+ readline? ( sys-libs/readline )
+ smartcard? ( usb? ( virtual/libusb:0 ) )
+ ldap? ( net-nds/openldap )"
+COMMON_DEPEND_BINS="|| ( app-crypt/pinentry app-crypt/pinentry-qt )"
+
+# Existence of executables is checked during configuration.
+DEPEND="${COMMON_DEPEND_LIBS}
+ ${COMMON_DEPEND_BINS}
+ static? (
+ >=dev-libs/libassuan-2[static-libs]
+ >=dev-libs/libgcrypt-1.4:0=[static-libs]
+ >=dev-libs/libgpg-error-1.11[static-libs]
+ >=dev-libs/libksba-1.0.7[static-libs]
+ >=dev-libs/pth-1.3.7[static-libs]
+ >=net-misc/curl-7.10[static-libs]
+ sys-libs/zlib[static-libs]
+ bzip2? ( app-arch/bzip2[static-libs] )
+ )
+ nls? ( sys-devel/gettext )
+ doc? ( sys-apps/texinfo )"
+
+RDEPEND="!static? ( ${COMMON_DEPEND_LIBS} )
+ ${COMMON_DEPEND_BINS}
+ mta? ( virtual/mta )
+ !<=app-crypt/gnupg-2.0.1
+ selinux? ( sec-policy/selinux-gpg )
+ nls? ( virtual/libintl )"
+
+REQUIRED_USE="smartcard? ( !static )"
+
+src_prepare() {
+ epatch "${FILESDIR}/${PN}-2.0.17-gpgsm-gencert.patch"
+ epatch "${FILESDIR}/${P}-Need-to-init-the-trustdb-for-import.patch"
+ epatch "${FILESDIR}/${P}-misc-cve.patch"
+ epatch_user
+}
+
+src_configure() {
+ local myconf=()
+
+ # 'USE=static' support was requested:
+ # gnupg1: bug #29299
+ # gnupg2: bug #159623
+ use static && append-ldflags -static
+
+ if use smartcard; then
+ myconf+=(
+ --enable-scdaemon
+ $(use_enable usb ccid-driver)
+ )
+ else
+ myconf+=( --disable-scdaemon )
+ fi
+
+ if use elibc_SunOS || use elibc_AIX; then
+ myconf+=( --disable-symcryptrun )
+ else
+ myconf+=( --enable-symcryptrun )
+ fi
+
+ econf \
+ --docdir="${EPREFIX}/usr/share/doc/${PF}" \
+ --enable-gpg \
+ --enable-gpgsm \
+ --enable-agent \
+ --without-adns \
+ "${myconf[@]}" \
+ $(use_enable bzip2) \
+ $(use_enable nls) \
+ $(use_enable mta mailto) \
+ $(use_enable ldap) \
+ $(use_with readline) \
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+}
+
+src_compile() {
+ default
+
+ if use doc; then
+ cd doc
+ emake html
+ fi
+}
+
+src_install() {
+ default
+
+ use tools && dobin tools/{convert-from-106,gpg-check-pattern} \
+ tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys,make-dns-cert}
+
+ emake DESTDIR="${D}" -f doc/Makefile uninstall-nobase_dist_docDATA
+ rm "${ED}"/usr/share/gnupg/help* || die
+
+ dodoc ChangeLog NEWS README THANKS TODO VERSION doc/FAQ doc/DETAILS \
+ doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER doc/help*
+
+ dosym gpg2 /usr/bin/gpg
+ dosym gpgv2 /usr/bin/gpgv
+ dosym gpg2keys_hkp /usr/libexec/gpgkeys_hkp
+ dosym gpg2keys_finger /usr/libexec/gpgkeys_finger
+ dosym gpg2keys_curl /usr/libexec/gpgkeys_curl
+ if use ldap; then
+ dosym gpg2keys_ldap /usr/libexec/gpgkeys_ldap
+ fi
+ echo ".so man1/gpg2.1" > "${ED}"/usr/share/man/man1/gpg.1
+ echo ".so man1/gpgv2.1" > "${ED}"/usr/share/man/man1/gpgv.1
+
+ dodir /etc/env.d
+ echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg
+
+ if use doc; then
+ dohtml doc/gnupg.html/* doc/*.png
+ fi
+}
+
+pkg_postinst() {
+ elog "If you wish to view images emerge:"
+ elog "media-gfx/xloadimage, media-gfx/xli or any other viewer"
+ elog "Remember to use photo-viewer option in configuration file to activate"
+ elog "the right viewer."
+ elog
+
+ if use smartcard; then
+ elog "To use your OpenPGP smartcard (or token) with GnuPG you need one of"
+ use usb && elog " - a CCID-compatible reader, used directly through libusb;"
+ elog " - sys-apps/pcsc-lite and a compatible reader device;"
+ elog " - dev-libs/openct and a compatible reader device;"
+ elog " - a reader device and drivers exporting either PC/SC or CT-API interfaces."
+ elog ""
+ elog "General hint: you probably want to try installing sys-apps/pcsc-lite and"
+ elog "app-crypt/ccid first."
+ fi
+
+ ewarn "Please remember to restart gpg-agent if a different version"
+ ewarn "of the agent is currently used. If you are unsure of the gpg"
+ ewarn "agent you are using please run 'killall gpg-agent',"
+ ewarn "and to start a fresh daemon just run 'gpg-agent --daemon'."
+}
diff --git a/app-crypt/gnupg/gnupg-2.1.1.ebuild b/app-crypt/gnupg/gnupg-2.1.1-r1.ebuild
index 7b1b48931b32..c59232df8373 100644
--- a/app-crypt/gnupg/gnupg-2.1.1.ebuild
+++ b/app-crypt/gnupg/gnupg-2.1.1-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/gnupg/gnupg-2.1.1.ebuild,v 1.1 2014/12/17 19:05:55 k_f Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/gnupg/gnupg-2.1.1-r1.ebuild,v 1.1 2014/12/31 18:27:16 alonbl Exp $
 EAPI="5"
@@ -59,6 +59,7 @@ S="${WORKDIR}/${MY_P}"
 src_prepare() {
 epatch "${FILESDIR}/${PN}-2.0.17-gpgsm-gencert.patch"
+ epatch "${FILESDIR}/${P}-misc-cve.patch"
 epatch_user
 }
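Review bot: In `src_install` the two `echo ".so man1/…" > "${ED}"/usr/share/man/man1/…` redirections and the `echo "CONFIG_PROTECT=…" >> "${ED}"/etc/env.d/30gnupg` append carry no `|| die`, unlike the `rm "${ED}"/usr/share/gnupg/help* || die` a few lines earlier; under EAPI 5 only the package-manager helpers die on failure, so a failed redirect would leave the `gpg`/`gpgv` man page aliases or the CONFIG_PROTECT entry missing while the merge reports success. The same applies to `cd doc` in `src_compile`, where a failed `cd` would run `emake html` in the top-level source directory instead. Change them to `echo ".so man1/gpg2.1" > "${ED}"/usr/share/man/man1/gpg.1 || die`, `echo ".so man1/gpgv2.1" > "${ED}"/usr/share/man/man1/gpgv.1 || die` and `cd doc || die`, and give the 30gnupg append the same `|| die`.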