Received: by mail.netbsd.org (Postfix, from userid 605)
	id A2AA084D54; Thu, 30 Jun 2022 14:46:39 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by mail.netbsd.org (Postfix) with ESMTP id D962784D28
	for <pkgsrc-changes@NetBSD.org>; Thu, 30 Jun 2022 14:46:38 +0000 (UTC)
X-Virus-Scanned: amavisd-new at netbsd.org
Received: from mail.netbsd.org ([127.0.0.1])
	by localhost (mail.netbsd.org [127.0.0.1]) (amavisd-new, port 10025)
	with ESMTP id WtkYQ0CXITWT for <pkgsrc-changes@netbsd.org>;
	Thu, 30 Jun 2022 14:46:38 +0000 (UTC)
Received: from cvs.NetBSD.org (ivanova.NetBSD.org [IPv6:2001:470:a085:999:28c:faff:fe03:5984])
	by mail.netbsd.org (Postfix) with ESMTP id 40F0D84D17
	for <pkgsrc-changes@NetBSD.org>; Thu, 30 Jun 2022 14:46:38 +0000 (UTC)
Received: by cvs.NetBSD.org (Postfix, from userid 500)
	id DCD2DFB1A; Thu, 30 Jun 2022 14:48:55 +0000 (UTC)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_165660053549890"
MIME-Version: 1.0
Date: Thu, 30 Jun 2022 14:48:55 +0000
From: "Thomas Klausner" <wiz@netbsd.org>
Subject: CVS commit: pkgsrc/security/gnupg2
To: pkgsrc-changes@NetBSD.org
Reply-To: wiz@netbsd.org
X-Mailer: log_accum
Message-Id: <20220630144855.DCD2DFB1A@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: <pkgsrc-changes.NetBSD.org>
Precedence: bulk
List-Unsubscribe: <mailto:majordomo@NetBSD.org?subject=Unsubscribe%20pkgsrc-changes&body=unsubscribe%20pkgsrc-changes>

This is a multi-part message in MIME format.

--_----------=_165660053549890
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:	pkgsrc
Committed By:	wiz
Date:		Thu Jun 30 14:48:55 UTC 2022

Modified Files:
	pkgsrc/security/gnupg2: Makefile distinfo
Added Files:
	pkgsrc/security/gnupg2/patches: patch-g10_cpr.c

Log Message:
gnupg2: fix possible security issue

Per
https://www.openwall.com/lists/oss-security/2022/06/30/1
using upstream patch.

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.133 -r1.134 pkgsrc/security/gnupg2/Makefile
cvs rdiff -u -r1.73 -r1.74 pkgsrc/security/gnupg2/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/gnupg2/patches/patch-g10_cpr.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_165660053549890
Content-Disposition: inline
Content-Length: 2971
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/security/gnupg2/Makefile
diff -u pkgsrc/security/gnupg2/Makefile:1.133 pkgsrc/security/gnupg2/Makefile:1.134
--- pkgsrc/security/gnupg2/Makefile:1.133	Tue Apr 26 08:15:35 2022
+++ pkgsrc/security/gnupg2/Makefile	Thu Jun 30 14:48:55 2022
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.133 2022/04/26 08:15:35 adam Exp $
+# $NetBSD: Makefile,v 1.134 2022/06/30 14:48:55 wiz Exp $
 
 DISTNAME=	gnupg-2.2.35
 PKGNAME=	${DISTNAME:S/gnupg-/gnupg2-/}
+PKGREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	ftp://ftp.gnupg.org/gcrypt/gnupg/
 MASTER_SITES+=	http://mirrors.dotsrc.org/gcrypt/gnupg/

Index: pkgsrc/security/gnupg2/distinfo
diff -u pkgsrc/security/gnupg2/distinfo:1.73 pkgsrc/security/gnupg2/distinfo:1.74
--- pkgsrc/security/gnupg2/distinfo:1.73	Tue Apr 26 08:15:35 2022
+++ pkgsrc/security/gnupg2/distinfo	Thu Jun 30 14:48:55 2022
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.73 2022/04/26 08:15:35 adam Exp $
+$NetBSD: distinfo,v 1.74 2022/06/30 14:48:55 wiz Exp $
 
 BLAKE2s (gnupg-2.2.35.tar.bz2) = 74f0a044b85c30a11a59bed4e21c322c7a77c839639996fa30f5e3bee8433830
 SHA512 (gnupg-2.2.35.tar.bz2) = ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
 Size (gnupg-2.2.35.tar.bz2) = 7262687 bytes
 SHA1 (patch-common_sysutils.c) = 569c12e21172c1521284922244b2f4f361c945d6
+SHA1 (patch-g10_cpr.c) = 0a691eb6e6463ce9f9e3e735d3b2d587195a05cc

Added files:

Index: pkgsrc/security/gnupg2/patches/patch-g10_cpr.c
diff -u /dev/null pkgsrc/security/gnupg2/patches/patch-g10_cpr.c:1.1
--- /dev/null	Thu Jun 30 14:48:55 2022
+++ pkgsrc/security/gnupg2/patches/patch-g10_cpr.c	Thu Jun 30 14:48:55 2022
@@ -0,0 +1,40 @@
+$NetBSD: patch-g10_cpr.c,v 1.1 2022/06/30 14:48:55 wiz Exp $
+
+g10: Fix garbled status messages in NOTATION_DATA
+
+* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
+
+Depending on the escaping and line wrapping the computed remaining
+buffer length could be wrong. Fixed by always using a break to
+terminate the escape detection loop. Might have happened for all
+status lines which may wrap.
+
+https://dev.gnupg.org/rG34c649b3601383cd11dbc76221747ec16fd68e1b
+
+--- g10/cpr.c.orig	2022-02-24 13:06:37.000000000 +0000
++++ g10/cpr.c
+@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, co
+             }
+           first = 0;
+         }
+-      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++      for (esc=0, s=buffer, n=len; n; s++, n--)
+         {
+           if (*s == '%' || *(const byte*)s <= lower_limit
+               || *(const byte*)s == 127 )
+             esc = 1;
+           if (wrap && ++count > wrap)
+-            {
+-              dowrap=1;
+-              break;
+-            }
+-        }
+-      if (esc)
+-        {
+-          s--; n++;
++            dowrap=1;
++          if (esc || dowrap)
++            break;
+         }
+       if (s != buffer)
+         es_fwrite (buffer, s-buffer, 1, statusfp);


--_----------=_165660053549890--