diff options
| author |   Alon Bar-Lev <alonbl@gentoo.org> | 2013-10-04 22:24:41 +0000 |
|---|---|---|
| committer | Alon Bar-Lev <alonbl@gentoo.org> | 2013-10-04 22:24:41 +0000 |
| commit | 3b0798596bbdf6e7c7c896f9fc96054bd9dbb562 (patch) | |
| tree | d90d9a85a165a49570279809a781eac15d65a062 /app-crypt | |
| parent | Fails to build with >=vala-0.22 (diff) | |
| download | gentoo-2-3b0798596bbdf6e7c7c896f9fc96054bd9dbb562.tar.gz gentoo-2-3b0798596bbdf6e7c7c896f9fc96054bd9dbb562.tar.bz2 gentoo-2-3b0798596bbdf6e7c7c896f9fc96054bd9dbb562.zip | |
Fix CVE-2013-4351, bug#484836
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key BF20DC51)
Diffstat (limited to 'app-crypt')
| -rw-r--r-- | app-crypt/gnupg/ChangeLog | 9 | ||||
| -rw-r--r-- | app-crypt/gnupg/files/gnupg-2.0.21-CVE-2013-4351.patch | 69 | ||||
| -rw-r--r-- | app-crypt/gnupg/gnupg-2.0.21-r2.ebuild (renamed from app-crypt/gnupg/gnupg-2.0.21-r1.ebuild) | 3 |
3 files changed, 79 insertions, 2 deletions
diff --git a/app-crypt/gnupg/ChangeLog b/app-crypt/gnupg/ChangeLog index 6c4650ab7d3d..6b30aea95fbf 100644 --- a/app-crypt/gnupg/ChangeLog +++ b/app-crypt/gnupg/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for app-crypt/gnupg # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-crypt/gnupg/ChangeLog,v 1.487 2013/10/03 19:20:06 alonbl Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-crypt/gnupg/ChangeLog,v 1.488 2013/10/04 22:24:40 alonbl Exp $ + +*gnupg-2.0.21-r2 (04 Oct 2013) + + 04 Oct 2013; Alon Bar-Lev <alonbl@gentoo.org> + +files/gnupg-2.0.21-CVE-2013-4351.patch, +gnupg-2.0.21-r2.ebuild, + -gnupg-2.0.21-r1.ebuild: + Fix CVE-2013-4351, bug#484836 *gnupg-2.0.21-r1 (03 Oct 2013) diff --git a/app-crypt/gnupg/files/gnupg-2.0.21-CVE-2013-4351.patch b/app-crypt/gnupg/files/gnupg-2.0.21-CVE-2013-4351.patch new file mode 100644 index 000000000000..13ef0b7cfcc5 --- /dev/null +++ b/app-crypt/gnupg/files/gnupg-2.0.21-CVE-2013-4351.patch @@ -0,0 +1,69 @@ +From 4bde12206c5bf199dc6e12a74af8da4558ba41bf Mon Sep 17 00:00:00 2001 +From: Werner Koch <wk@gnupg.org> +Date: Fri, 15 Mar 2013 15:46:03 +0100 +Subject: [PATCH] gpg: Distinguish between missing and cleared key flags. + +* include/cipher.h (PUBKEY_USAGE_NONE): New. +* g10/getkey.c (parse_key_usage): Set new flag. +-- + +We do not want to use the default capabilities (derived from the +algorithm) if any key flags are given in a signature. Thus if key +flags are used in any way, the default key capabilities are never +used. + +This allows to create a key with key flags set to all zero so it can't +be used. This better reflects common sense. +--- + g10/getkey.c | 8 +++++++- + include/cipher.h | 7 ++++++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/g10/getkey.c b/g10/getkey.c +index 9294273..8cc5601 100644 +--- a/g10/getkey.c ++++ b/g10/getkey.c +@@ -1276,13 +1276,19 @@ parse_key_usage (PKT_signature * sig) + + if (flags) + key_usage |= PUBKEY_USAGE_UNKNOWN; ++ ++ if (!key_usage) ++ key_usage |= PUBKEY_USAGE_NONE; + } ++ else if (p) /* Key flags of length zero. */ ++ key_usage |= PUBKEY_USAGE_NONE; + + /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a + capability that we do not handle. This serves to distinguish + between a zero key usage which we handle as the default + capabilities for that algorithm, and a usage that we do not +- handle. */ ++ handle. Likewise we use PUBKEY_USAGE_NONE to indicate that ++ key_flags have been given but they do not specify any usage. */ + + return key_usage; + } +diff --git a/include/cipher.h b/include/cipher.h +index 191e197..557ab70 100644 +--- a/include/cipher.h ++++ b/include/cipher.h +@@ -54,9 +54,14 @@ + + #define PUBKEY_USAGE_SIG GCRY_PK_USAGE_SIGN /* Good for signatures. */ + #define PUBKEY_USAGE_ENC GCRY_PK_USAGE_ENCR /* Good for encryption. */ +-#define PUBKEY_USAGE_CERT GCRY_PK_USAGE_CERT /* Also good to certify keys. */ ++#define PUBKEY_USAGE_CERT GCRY_PK_USAGE_CERT /* Also good to certify keys.*/ + #define PUBKEY_USAGE_AUTH GCRY_PK_USAGE_AUTH /* Good for authentication. */ + #define PUBKEY_USAGE_UNKNOWN GCRY_PK_USAGE_UNKN /* Unknown usage flag. */ ++#define PUBKEY_USAGE_NONE 256 /* No usage given. */ ++#if (GCRY_PK_USAGE_SIGN | GCRY_PK_USAGE_ENCR | GCRY_PK_USAGE_CERT \ ++ | GCRY_PK_USAGE_AUTH | GCRY_PK_USAGE_UNKN) >= 256 ++# error Please choose another value for PUBKEY_USAGE_NONE ++#endif + + #define DIGEST_ALGO_MD5 /* 1 */ GCRY_MD_MD5 + #define DIGEST_ALGO_SHA1 /* 2 */ GCRY_MD_SHA1 +-- +1.7.2.5 + diff --git a/app-crypt/gnupg/gnupg-2.0.21-r1.ebuild b/app-crypt/gnupg/gnupg-2.0.21-r2.ebuild index d79ba58dd290..8d095344aa95 100644 --- a/app-crypt/gnupg/gnupg-2.0.21-r1.ebuild +++ b/app-crypt/gnupg/gnupg-2.0.21-r2.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-crypt/gnupg/gnupg-2.0.21-r1.ebuild,v 1.1 2013/10/03 19:20:06 alonbl Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-crypt/gnupg/gnupg-2.0.21-r2.ebuild,v 1.1 2013/10/04 22:24:40 alonbl Exp $ EAPI="5" @@ -58,6 +58,7 @@ REQUIRED_USE="smartcard? ( !static )" src_prepare() { epatch "${FILESDIR}/${PN}-2.0.17-gpgsm-gencert.patch" + epatch "${FILESDIR}/${P}-CVE-2013-4351.patch" epatch_user } |