From: "Alistair G. Crooks"
Reply-To: agc@netbsd.org
To: pkgsrc-changes@NetBSD.org
Subject: CVS commit: pkgsrc/security/netpgpverify/files
Date: Tue, 14 Jun 2016 18:00:59 +0000
Message-Id: <20160614180059.8C9F2FBB5@cvs.NetBSD.org>

Module Name:    pkgsrc
Committed By:   agc
Date:           Tue Jun 14 18:00:59 UTC 2016

Modified Files:
        pkgsrc/security/netpgpverify/files: Makefile.bsd Makefile.in libverify.c verify.h
Added Files:
        pkgsrc/security/netpgpverify/files: noversion.asc

Log Message:
Update netpgpverify (and libnetpgpverify) to 20160614

+ handle signatures created by gpg with "--no-emit-version", don't
  assume there will always be a version string.
+ add a test for above

Fixes security PR/51240. Thanks to xnox@ubuntu.com for reporting the error

To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 pkgsrc/security/netpgpverify/files/Makefile.bsd
cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/netpgpverify/files/Makefile.in
cvs rdiff -u -r1.13 -r1.14 pkgsrc/security/netpgpverify/files/libverify.c
cvs rdiff -u -r0 -r1.1 pkgsrc/security/netpgpverify/files/noversion.asc
cvs rdiff -u -r1.20 -r1.21 pkgsrc/security/netpgpverify/files/verify.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
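The log message above describes the defect: the armor-header block after `-----BEGIN PGP SIGNATURE-----` is optional, and gpg's `--no-emit-version` produces a signature with no `Version:` line, which the parser had assumed was always present. What follows is an added example, not netpgpverify's code and not the fix in this commit, of a bounds-checked locator for the base64 body that handles the general case the armor format allows: zero or more `Key: value` armor headers of any name (`Version:`, `Comment:`, `Charset:`, ...), LF or CRLF line endings, and input truncated before the header block ends. The `SAMPLE_*` constants, the `armor_*` function names and the error codes are all constructed for this example; the sample base64 is dummy filler, not a real signature.

```c
/*
 * Added example (not netpgpverify's code): a bounds-checked locator for the
 * base64 body of an ASCII-armored PGP signature.  Instead of testing for the
 * literal "Version:" line it skips any number of "Key: value" armor headers,
 * or none at all, and it never reads past the buffer it is given.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t body_off;   /* offset of the first base64 byte within buf */
    size_t body_len;   /* bytes from there up to the END line (the "=xxxx" CRC line included) */
    int    nheaders;   /* number of armor header lines that were skipped */
} armor_body_t;

static const char SIG_BEGIN[] = "-----BEGIN PGP SIGNATURE-----";
static const char SIG_END[]   = "-----END PGP SIGNATURE-----";

/* Bounded search for needle in buf[0..len); returns its offset or -1. */
static long find_bounded(const uint8_t *buf, size_t len, const char *needle, size_t nlen)
{
    if (nlen == 0 || len < nlen)
        return -1;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return (long)i;
    return -1;
}

/*
 * Locate the signature body in buf[0..len).  Returns 0 on success or a
 * negative code: -1 no BEGIN line, -2 input ends before the blank line that
 * closes the header block, -3 no END line, -4 a line without ':' where an
 * armor header or the blank line was expected.
 */
int armor_locate_body(const uint8_t *buf, size_t len, armor_body_t *out)
{
    long off = find_bounded(buf, len, SIG_BEGIN, strlen(SIG_BEGIN));
    if (off < 0)
        return -1;
    size_t p = (size_t)off + strlen(SIG_BEGIN);
    if (p < len && buf[p] == '\r')          /* tolerate CRLF line endings */
        p++;
    if (p >= len || buf[p] != '\n')         /* BEGIN line must be complete */
        return -2;
    p++;
    int nheaders = 0;
    for (;;) {                               /* header lines until one blank line */
        long nl = find_bounded(buf + p, len - p, "\n", 1);
        if (nl < 0)
            return -2;                       /* ran out of input inside the header block */
        size_t linelen = (size_t)nl;
        if (linelen > 0 && buf[p + linelen - 1] == '\r')
            linelen--;
        if (linelen == 0) {                  /* blank line: zero or more headers are done */
            p += (size_t)nl + 1;
            break;
        }
        if (find_bounded(buf + p, linelen, ":", 1) < 0)
            return -4;                       /* base64 or junk where a header was expected */
        nheaders++;
        p += (size_t)nl + 1;
    }
    long end = find_bounded(buf + p, len - p, SIG_END, strlen(SIG_END));
    if (end < 0)
        return -3;
    out->body_off = p;
    out->body_len = (size_t)end;
    out->nheaders = nheaders;
    return 0;
}

/* Helpers over NUL-terminated strings, for the demo and the tests. */
int armor_rc(const char *s)
{
    armor_body_t r;
    return armor_locate_body((const uint8_t *)s, strlen(s), &r);
}

int armor_nheaders(const char *s)
{
    armor_body_t r;
    return armor_locate_body((const uint8_t *)s, strlen(s), &r) == 0 ? r.nheaders : -1;
}

long armor_body_len(const char *s)
{
    armor_body_t r;
    return armor_locate_body((const uint8_t *)s, strlen(s), &r) == 0 ? (long)r.body_len : -1;
}

/* 1 if the located body begins with `expect` (within body_len), else 0. */
int armor_body_starts_with(const char *s, const char *expect)
{
    armor_body_t r;
    size_t n = strlen(expect);
    if (armor_locate_body((const uint8_t *)s, strlen(s), &r) != 0 || n > r.body_len)
        return 0;
    return memcmp(s + r.body_off, expect, n) == 0;
}

/* Constructed samples (dummy base64), shaped like a gpg clearsigned message. */
#define CLEARTEXT "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nbar\n"
#define BODY      "AAAA\n=abcd\n-----END PGP SIGNATURE-----\n"
static const char SAMPLE_WITH_VERSION[] = CLEARTEXT "-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v2\n\n" BODY;
static const char SAMPLE_NO_VERSION[]   = CLEARTEXT "-----BEGIN PGP SIGNATURE-----\n\n" BODY;  /* --no-emit-version shape */
static const char SAMPLE_COMMENT_ONLY[] = CLEARTEXT "-----BEGIN PGP SIGNATURE-----\nComment: no version line\n\n" BODY;
static const char SAMPLE_TWO_HEADERS[]  = CLEARTEXT "-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v2\nComment: x\n\n" BODY;
static const char SAMPLE_CRLF[]         = "-----BEGIN PGP SIGNATURE-----\r\n\r\nAAAA\r\n=abcd\r\n-----END PGP SIGNATURE-----\r\n";
static const char SAMPLE_TRUNCATED[]    = "-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v2\nAAAA";  /* cut before the blank line */
static const char SAMPLE_NO_BLANK[]     = "-----BEGIN PGP SIGNATURE-----\nAAAA\n-----END PGP SIGNATURE-----\n";

int main(void)
{
    const char *names[] = { "with Version", "no Version", "Comment only", "two headers", "CRLF", "truncated", "no blank line" };
    const char *samples[] = { SAMPLE_WITH_VERSION, SAMPLE_NO_VERSION, SAMPLE_COMMENT_ONLY, SAMPLE_TWO_HEADERS, SAMPLE_CRLF, SAMPLE_TRUNCATED, SAMPLE_NO_BLANK };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-14s rc=%d headers=%d body_len=%ld\n", names[i], armor_rc(samples[i]), armor_nheaders(samples[i]), armor_body_len(samples[i]));
    return 0;
}
```

Two points of the design: every search is bounded by the bytes remaining after the current position rather than the whole buffer size, so a truncated armor yields an error code instead of a read past the end; and `body_len` still includes the `=xxxx` CRC line (the `=90+m` line in the noversion.asc fixture is one), which a caller strips before base64-decoding and can use to check the radix-64 CRC24 of the decoded bytes.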
Modified files: Index: pkgsrc/security/netpgpverify/files/Makefile.bsd diff -u pkgsrc/security/netpgpverify/files/Makefile.bsd:1.8 pkgsrc/security/netpgpverify/files/Makefile.bsd:1.9 --- pkgsrc/security/netpgpverify/files/Makefile.bsd:1.8 Thu Feb 5 00:21:57 2015 +++ pkgsrc/security/netpgpverify/files/Makefile.bsd Tue Jun 14 18:00:59 2016 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.bsd,v 1.8 2015/02/05 00:21:57 agc Exp $ +# $NetBSD: Makefile.bsd,v 1.9 2016/06/14 18:00:59 agc Exp $ PROG=netpgpverify @@ -43,3 +43,5 @@ tst: rm -f 1keytest.gpg @echo "testing signing with a subkey" ./chk.sh -k joyent-pubring.gpg digest-20121220.tgz + @echo "testing signatures with no version" + ./${PROG} -k pubring.gpg noversion.asc Index: pkgsrc/security/netpgpverify/files/Makefile.in diff -u pkgsrc/security/netpgpverify/files/Makefile.in:1.4 pkgsrc/security/netpgpverify/files/Makefile.in:1.5 --- pkgsrc/security/netpgpverify/files/Makefile.in:1.4 Mon Aug 17 11:37:55 2015 +++ pkgsrc/security/netpgpverify/files/Makefile.in Tue Jun 14 18:00:59 2016 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile.in,v 1.4 2015/08/17 11:37:55 jperkin Exp $ +# $NetBSD: Makefile.in,v 1.5 2016/06/14 18:00:59 agc Exp $ PROG=netpgpverify @@ -43,6 +43,8 @@ tst: rm -f 1keytest.gpg @echo "testing signing with a subkey" ./chk.sh -k joyent-pubring.gpg digest-20121220.tgz + @echo "testing signatures with no version" + ./${PROG} -k pubring.gpg noversion.asc clean: rm -rf *.core ${OBJS} ${PROG} Index: pkgsrc/security/netpgpverify/files/libverify.c diff -u pkgsrc/security/netpgpverify/files/libverify.c:1.13 pkgsrc/security/netpgpverify/files/libverify.c:1.14 --- pkgsrc/security/netpgpverify/files/libverify.c:1.13 Fri Feb 19 22:41:50 2016 +++ pkgsrc/security/netpgpverify/files/libverify.c Tue Jun 14 18:00:59 2016
@@ -2022,12 +2022,17 @@ read_ascii_armor(pgpv_cursor_t *cursor, } litdata.u.litdata.len = litdata.s.size = (size_t)(p - datastart); p += strlen(SIGSTART); - if ((p = find_bin_string(p, mem->size, "\n\n", 2)) == NULL) { - snprintf(cursor->why, sizeof(cursor->why), - "malformed armed signature at %zu", (size_t)(p - mem->mem)); - return 0; + /* Work out whther there's a version line */ + if (memcmp(p, "Version:", 8) == 0) { + if ((p = find_bin_string(p, mem->size, "\n\n", 2)) == NULL) { + snprintf(cursor->why, sizeof(cursor->why), + "malformed armed signature at %zu", (size_t)(p - mem->mem)); + return 0; + } + p += 2; + } else { + p += 1; } - p += 2; sigend = find_bin_string(p, mem->size, SIGEND, strlen(SIGEND)); binsigsize = b64decode((char *)p, (size_t)(sigend - p), binsig, sizeof(binsig)); Index: pkgsrc/security/netpgpverify/files/verify.h diff -u pkgsrc/security/netpgpverify/files/verify.h:1.20 pkgsrc/security/netpgpverify/files/verify.h:1.21 --- pkgsrc/security/netpgpverify/files/verify.h:1.20 Fri Jun 3 00:11:10 2016 +++ pkgsrc/security/netpgpverify/files/verify.h Tue Jun 14 18:00:59 2016 @@ -23,9 +23,9 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef NETPGP_VERIFY_H_ -#define NETPGP_VERIFY_H_ 20160313 +#define NETPGP_VERIFY_H_ 20160614 -#define NETPGPVERIFY_VERSION "netpgpverify portable 20160313" +#define NETPGPVERIFY_VERSION "netpgpverify portable 20160614" #include Added files: Index: pkgsrc/security/netpgpverify/files/noversion.asc diff -u /dev/null pkgsrc/security/netpgpverify/files/noversion.asc:1.1 --- /dev/null Tue Jun 14 18:00:59 2016 +++ pkgsrc/security/netpgpverify/files/noversion.asc Tue Jun 14 18:00:59 2016 
@@ -0,0 +1,14 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +bar +-----BEGIN PGP SIGNATURE----- + +iQEcBAEBAgAGBQJXYEJcAAoJEBto3PzAWWgjk5cH/03A4/a+ywsnzZMncQ7H7rtu +QiIWwyiJo28Xf5z3fL5WG6VKNJdPpx0TIthcxu0O1YgF6lvqqQbnNpfNbD+1h88+ +JCcqJfyVk38vsFPxdFTIOWjbEtHs9yyjUVk5tJQrxtTaSJbGtQIMHQXXfWAyKCn4 +0Zl+E2iWb6tXxxMaAkrCOipjC9knuTJJbG6oVZpujp7jOt+2bOWY+89+FhoGJ5tv +XiOvqIUUSW5Iua+wBOmhb/iuNFUVrO8rS/7BpMLQmxbnLxWtwwSWIcyyg6BwiIvm +8K5NmD3WKN97tPA1HYjk76SlLj254OVLDmTZua7ljqasl5PR9W+aUFIByDgQrGE= +=90+m +-----END PGP SIGNATURE-----
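Review bot: The new `tst` line in the Makefile.bsd hunk (and its twin in Makefile.in) covers only the `--no-emit-version` shape of the bug; because the libverify.c change keys on the literal `Version:` header, a second fixture carrying a different armor header (a `Comment:` line with no `Version:`) would exercise the branch the fix does not take, and a fixture cut off right after the BEGIN line would check that the parser reports an error rather than reading past the buffer. The two Makefiles now carry identical test lines, so any later change to the test list has to be made in both places; keeping the list in one shared fragment would avoid the drift.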
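Review bot: In the libverify.c hunk the new `memcmp(p, "Version:", 8)` runs without first checking that at least 8 bytes remain between `p` and the end of `mem`, so an armored signature truncated directly after the BEGIN line reads past the buffer; compare against the remaining length (`mem->size - (p - mem->mem)`) before the `memcmp`. The check is also narrower than the armor format: RFC 4880 permits other armor headers (`Comment:`, `Charset:`, `MessageID:`, `Hash:`), so a signature that carries `Comment:` but no `Version:` takes the `else` branch, `p += 1` lands on the Comment line, and that text is handed to `b64decode`. Skipping header lines generically up to the first empty line, and treating an empty line directly after BEGIN as "no headers", handles both the `--no-emit-version` case and the other headers in one path. Two pre-existing problems sit in the lines the hunk touches and could be fixed while re-indenting them: the error path computes `(size_t)(p - mem->mem)` after `p` has just been assigned NULL by `find_bin_string`, so the reported offset is meaningless (save the offset before the search), and `find_bin_string(p, mem->size, ...)` is passed the whole buffer size rather than the bytes remaining after `p`, while the `sigend` returned by the following search is used in `sigend - p` with no NULL check. In the comment, `whther` should read `whether`, and `malformed armed signature` is presumably `armored`.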