Pullup ticket #4029 - requested by drochner security/gnupg2: security patch Revisions pulled up: - security/gnupg2/Makefile 1.42 - security/gnupg2/distinfo 1.26 - security/gnupg2/patches/patch-CVE-2012-6085 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Tue Jan 15 11:21:50 UTC 2013 Modified Files: pkgsrc/security/gnupg2: Makefile distinfo Added Files: pkgsrc/security/gnupg2/patches: patch-CVE-2012-6085 Log Message: add patch from upstream to fix possible keyring corruption on import of corrupted keys (CVE-2012-6085), bump PKGREV from "Bug Hunting" per PR pkg/47442diff -r1.41 -r1.41.2.1 pkgsrc/security/gnupg2/Makefile
(tron)
@@ -1,18 +1,18 @@ | @@ -1,18 +1,18 @@ | |||
1 | # $NetBSD: Makefile,v 1.41 2012/12/16 01:52:32 obache Exp $ | 1 | # $NetBSD: Makefile,v 1.41.2.1 2013/01/18 16:43:23 tron Exp $ | |
2 | 2 | |||
3 | DISTNAME= gnupg-2.0.19 | 3 | DISTNAME= gnupg-2.0.19 | |
4 | PKGNAME= ${DISTNAME:S/gnupg/gnupg2/} | 4 | PKGNAME= ${DISTNAME:S/gnupg/gnupg2/} | |
5 | PKGREVISION= 1 | 5 | PKGREVISION= 2 | |
6 | CATEGORIES= security | 6 | CATEGORIES= security | |
7 | MASTER_SITES= ftp://ftp.gnupg.org/gcrypt/gnupg/ | 7 | MASTER_SITES= ftp://ftp.gnupg.org/gcrypt/gnupg/ | |
8 | EXTRACT_SUFX= .tar.bz2 | 8 | EXTRACT_SUFX= .tar.bz2 | |
9 | 9 | |||
10 | MAINTAINER= shannonjr@NetBSD.org | 10 | MAINTAINER= shannonjr@NetBSD.org | |
11 | HOMEPAGE= http://www.gnupg.org/ | 11 | HOMEPAGE= http://www.gnupg.org/ | |
12 | COMMENT= GNUpg with OpenPGP and S/MIME capabilities | 12 | COMMENT= GNUpg with OpenPGP and S/MIME capabilities | |
13 | LICENSE= gnu-gpl-v3 | 13 | LICENSE= gnu-gpl-v3 | |
14 | 14 | |||
15 | PKG_INSTALLATION_TYPES= overwrite pkgviews | 15 | PKG_INSTALLATION_TYPES= overwrite pkgviews | |
16 | 16 | |||
17 | INFO_FILES= yes | 17 | INFO_FILES= yes | |
18 | USE_LIBTOOL= yes | 18 | USE_LIBTOOL= yes |
@@ -1,9 +1,10 @@ | @@ -1,9 +1,10 @@ | |||
1 | $NetBSD: distinfo,v 1.25 2012/04/17 18:35:33 drochner Exp $ | 1 | $NetBSD: distinfo,v 1.25.6.1 2013/01/18 16:43:23 tron Exp $ | |
2 | 2 | |||
3 | SHA1 (gnupg-2.0.19.tar.bz2) = 190c09e6688f688fb0a5cf884d01e240d957ac1f | 3 | SHA1 (gnupg-2.0.19.tar.bz2) = 190c09e6688f688fb0a5cf884d01e240d957ac1f | |
4 | RMD160 (gnupg-2.0.19.tar.bz2) = 026b5c5fa2b21c3586f325f48ff1420c987b88a7 | 4 | RMD160 (gnupg-2.0.19.tar.bz2) = 026b5c5fa2b21c3586f325f48ff1420c987b88a7 | |
5 | Size (gnupg-2.0.19.tar.bz2) = 4187460 bytes | 5 | Size (gnupg-2.0.19.tar.bz2) = 4187460 bytes | |
6 | SHA1 (patch-CVE-2012-6085) = cbc5ff88eaaebcff9c7bc7983b3d363eff4fcd8b | |||
6 | SHA1 (patch-ai) = 4445d30150518f71f996e3b368a81523daded2e2 | 7 | SHA1 (patch-ai) = 4445d30150518f71f996e3b368a81523daded2e2 | |
7 | SHA1 (patch-aj) = bfd21504e0d55f99df543912b1cdf2c573de2f98 | 8 | SHA1 (patch-aj) = bfd21504e0d55f99df543912b1cdf2c573de2f98 | |
8 | SHA1 (patch-al) = ef7c698ed102c4e27bbf707ae5d1fce4c2b5d8d4 | 9 | SHA1 (patch-al) = ef7c698ed102c4e27bbf707ae5d1fce4c2b5d8d4 | |
9 | SHA1 (patch-ao) = 2f91b33271d5e79d48b392cc58978da08ee46e8a | 10 | SHA1 (patch-ao) = 2f91b33271d5e79d48b392cc58978da08ee46e8a |
$NetBSD: patch-CVE-2012-6085,v 1.1.2.2 2013/01/18 16:43:23 tron Exp $
upstream rev. 498882296ffac7987c644aaf2a0aa108a2925471
--- g10/import.c.orig 2012-03-27 08:00:37.000000000 +0000
+++ g10/import.c
@@ -347,6 +347,27 @@ import_print_stats (void *hd)
}
+/* Return true if PKTTYPE is valid in a keyblock. */
+static int
+valid_keyblock_packet (int pkttype)
+{
+ switch (pkttype)
+ {
+ case PKT_PUBLIC_KEY:
+ case PKT_PUBLIC_SUBKEY:
+ case PKT_SECRET_KEY:
+ case PKT_SECRET_SUBKEY:
+ case PKT_SIGNATURE:
+ case PKT_USER_ID:
+ case PKT_ATTRIBUTE:
+ case PKT_RING_TRUST:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
+
/****************
* Read the next keyblock from stream A.
* PENDING_PKT should be initialzed to NULL
@@ -424,7 +445,7 @@ read_block( IOBUF a, PACKET **pending_pk
}
in_cert = 1;
default:
- if( in_cert ) {
+ if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
if( !root )
root = new_kbnode( pkt );
else