From ce044e5f2319c2f556af4442e3c4627c772b6db8 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 5 Aug 2014 16:40:22 +0200 Subject: [PATCH 1/2] new upstream release fixing a minor regression introduced by the previous one --- .gitignore | 2 ++ gnupg-2.0.18-protect-tool-env.patch | 28 ---------------------------- gnupg2.spec | 7 ++++--- sources | 4 ++-- 4 files changed, 8 insertions(+), 33 deletions(-) delete mode 100644 gnupg-2.0.18-protect-tool-env.patch diff --git a/.gitignore b/.gitignore index af656d2..5fd63dc 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,5 @@ gnupg-2.0.16.tar.bz2.sig /gnupg-2.0.22.tar.bz2.sig /gnupg-2.0.24.tar.bz2 /gnupg-2.0.24.tar.bz2.sig +/gnupg-2.0.25.tar.bz2 +/gnupg-2.0.25.tar.bz2.sig diff --git a/gnupg-2.0.18-protect-tool-env.patch b/gnupg-2.0.18-protect-tool-env.patch deleted file mode 100644 index e0c6c48..0000000 --- a/gnupg-2.0.18-protect-tool-env.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff -u -r gnupg-2.0.18.orig/agent/protect-tool.c gnupg-2.0.18/agent/protect-tool.c ---- gnupg-2.0.18.orig/agent/protect-tool.c 2011-07-22 14:00:44.000000000 +0200 -+++ gnupg-2.0.18/agent/protect-tool.c 2012-04-10 22:42:17.397613438 +0200 -@@ -102,6 +102,7 @@ - static int opt_status_msg; - static const char *opt_p12_charset; - static const char *opt_agent_program; -+static session_env_t opt_session_env; - - static char *get_passphrase (int promptno); - static void release_passphrase (char *pw); -@@ -1040,6 +1041,7 @@ - - opt_homedir = default_homedir (); - -+ opt_session_env = session_env_new (); - - pargs.argc = &argc; - pargs.argv = &argv; -@@ -1091,7 +1093,7 @@ - opt.verbose, - opt_homedir, - opt_agent_program, -- NULL, NULL, NULL); -+ NULL, NULL, opt_session_env); - - if (opt_prompt) - opt_prompt = percent_plus_unescape (opt_prompt, 0); diff --git a/gnupg2.spec b/gnupg2.spec index a5b9590..544d248 100644 --- a/gnupg2.spec +++ b/gnupg2.spec @@ -1,6 +1,6 @@ Summary: Utility for secure communication and data storage Name: gnupg2 -Version: 2.0.24 +Version: 2.0.25 Release: 1%{?dist} License: GPLv3+ @@ -11,7 +11,6 @@ Source1: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}. #Source0: gnupg2-20090809svn.tar.bz2 Patch1: gnupg-2.0.20-insttools.patch Patch3: gnupg-2.0.20-secmem.patch -Patch4: gnupg-2.0.18-protect-tool-env.patch Patch5: gnupg-2.0.20-ocsp-keyusage.patch Patch6: gnupg-2.0.19-fips-algo.patch @@ -77,7 +76,6 @@ to the base GnuPG package %patch1 -p1 -b .insttools %endif %patch3 -p1 -b .secmem -%patch4 -p1 -b .ptool-env %patch5 -p1 -b .keyusage %patch6 -p1 -b .fips @@ -193,6 +191,9 @@ fi %changelog +* Tue Aug 5 2014 Tomáš Mráz - 2.0.25-1 +- new upstream release fixing a minor regression introduced by the previous one + * Wed Jun 25 2014 Tomáš Mráz - 2.0.24-1 - new upstream release fixing CVE-2014-4617 diff --git a/sources b/sources index 7e213eb..d20ccff 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -94cd984321b44ab622aa50f93ee66671 gnupg-2.0.24.tar.bz2 -e8361c1a319a8e7583243b31af2edb15 gnupg-2.0.24.tar.bz2.sig +048d8de797125f1d8e6cf3bdff9e2d12 gnupg-2.0.25.tar.bz2 +d474ba42cba833734c6196b7e6f5d853 gnupg-2.0.25.tar.bz2.sig From bfcc52e45ca606c32009db39e1800f303bad3482 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 5 Aug 2014 17:04:08 +0200 Subject: [PATCH 2/2] add --file-is-digest option needed for copr --- gnupg-2.0.25-file-is-digest.patch | 173 ++++++++++++++++++++++++++++++ gnupg2.spec | 4 + 2 files changed, 177 insertions(+) create mode 100644 gnupg-2.0.25-file-is-digest.patch diff --git a/gnupg-2.0.25-file-is-digest.patch b/gnupg-2.0.25-file-is-digest.patch new file mode 100644 index 0000000..dda2635 --- /dev/null +++ b/gnupg-2.0.25-file-is-digest.patch @@ -0,0 +1,173 @@ +diff -up gnupg-2.0.25/g10/gpg.c.file-is-digest gnupg-2.0.25/g10/gpg.c +--- gnupg-2.0.25/g10/gpg.c.file-is-digest 2014-08-05 16:46:28.865869320 +0200 ++++ gnupg-2.0.25/g10/gpg.c 2014-08-05 16:49:27.520063937 +0200 +@@ -345,6 +345,7 @@ enum cmd_and_opt_values + oTTYtype, + oLCctype, + oLCmessages, ++ oFileIsDigest, + oXauthority, + oGroup, + oUnGroup, +@@ -711,6 +712,7 @@ static ARGPARSE_OPTS opts[] = { + ARGPARSE_s_s (oPersonalDigestPreferences, "personal-digest-preferences","@"), + ARGPARSE_s_s (oPersonalCompressPreferences, + "personal-compress-preferences", "@"), ++ ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"), + + /* Aliases. I constantly mistype these, and assume other people do + as well. */ +@@ -2003,6 +2005,7 @@ main (int argc, char **argv) + set_homedir ( default_homedir () ); + opt.passphrase_repeat=1; + opt.emit_version = 1; /* Limit to the major number. */ ++ opt.file_is_digest=0; + + opt.list_options |= LIST_SHOW_UID_VALIDITY; + opt.verify_options |= LIST_SHOW_UID_VALIDITY; +@@ -2493,6 +2496,7 @@ main (int argc, char **argv) + case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; + case oForceV3Sigs: opt.force_v3_sigs = 1; break; + case oNoForceV3Sigs: opt.force_v3_sigs = 0; break; ++ case oFileIsDigest: opt.file_is_digest = 1; break; + case oForceV4Certs: opt.force_v4_certs = 1; break; + case oNoForceV4Certs: opt.force_v4_certs = 0; break; + case oForceMDC: opt.force_mdc = 1; break; +diff -up gnupg-2.0.25/g10/options.h.file-is-digest gnupg-2.0.25/g10/options.h +--- gnupg-2.0.25/g10/options.h.file-is-digest 2014-06-30 17:28:52.000000000 +0200 ++++ gnupg-2.0.25/g10/options.h 2014-08-05 16:46:28.869869414 +0200 +@@ -198,6 +198,7 @@ struct + int no_auto_check_trustdb; + int preserve_permissions; + int no_homedir_creation; ++ int file_is_digest; + struct groupitem *grouplist; + int mangle_dos_filenames; + int enable_progress_filter; +diff -up gnupg-2.0.25/g10/sign.c.file-is-digest gnupg-2.0.25/g10/sign.c +--- gnupg-2.0.25/g10/sign.c.file-is-digest 2014-06-30 17:28:52.000000000 +0200 ++++ gnupg-2.0.25/g10/sign.c 2014-08-05 16:46:28.870869438 +0200 +@@ -665,8 +665,12 @@ write_signature_packets (SK_LIST sk_list + mk_notation_policy_etc (sig, NULL, sk); + } + ++ if (!opt.file_is_digest) { + hash_sigversion_to_magic (md, sig); + gcry_md_final (md); ++ } else if (sig->version >= 4) { ++ log_bug("file-is-digest doesn't work with v4 sigs\n"); ++ } + + rc = do_sign( sk, sig, md, hash_for (sk) ); + gcry_md_close (md); +@@ -723,6 +727,8 @@ sign_file( strlist_t filenames, int deta + SK_LIST sk_rover = NULL; + int multifile = 0; + u32 duration=0; ++ int sigclass = 0x00; ++ u32 timestamp = 0; + + pfx = new_progress_context (); + afx = new_armor_context (); +@@ -739,7 +745,16 @@ sign_file( strlist_t filenames, int deta + fname = NULL; + + if( fname && filenames->next && (!detached || encryptflag) ) +- log_bug("multiple files can only be detached signed"); ++ log_bug("multiple files can only be detached signed\n"); ++ ++ if (opt.file_is_digest && (multifile || !fname)) ++ log_bug("file-is-digest only works with one file\n"); ++ if (opt.file_is_digest && !detached) ++ log_bug("file-is-digest can only write detached signatures\n"); ++ if (opt.file_is_digest && !opt.def_digest_algo) ++ log_bug("file-is-digest needs --digest-algo\n"); ++ if (opt.file_is_digest && opt.textmode) ++ log_bug("file-is-digest doesn't work with --textmode\n"); + + if(encryptflag==2 + && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) +@@ -767,7 +782,7 @@ sign_file( strlist_t filenames, int deta + goto leave; + + /* prepare iobufs */ +- if( multifile ) /* have list of filenames */ ++ if( multifile || opt.file_is_digest) /* have list of filenames */ + inp = NULL; /* we do it later */ + else { + inp = iobuf_open(fname); +@@ -900,7 +915,7 @@ sign_file( strlist_t filenames, int deta + gcry_md_enable (mfx.md, hash_for(sk)); + } + +- if( !multifile ) ++ if( !multifile && !opt.file_is_digest ) + iobuf_push_filter( inp, md_filter, &mfx ); + + if( detached && !encryptflag && !RFC1991 ) +@@ -955,6 +970,8 @@ sign_file( strlist_t filenames, int deta + + write_status_begin_signing (mfx.md); + ++ sigclass = opt.textmode && !outfile? 0x01 : 0x00; ++ + /* Setup the inner packet. */ + if( detached ) { + if( multifile ) { +@@ -995,6 +1012,45 @@ sign_file( strlist_t filenames, int deta + if( opt.verbose ) + putc( '\n', stderr ); + } ++ else if (opt.file_is_digest) { ++ byte *mdb, ts[5]; ++ size_t mdlen; ++ const char *fp; ++ int c, d; ++ ++ gcry_md_final(mfx.md); ++ /* this assumes gcry_md_read returns the same buffer */ ++ mdb = gcry_md_read(mfx.md, opt.def_digest_algo); ++ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo); ++ if (strlen(fname) != mdlen * 2 + 11) ++ log_bug("digests must be %zu + @ + 5 bytes\n", mdlen); ++ d = -1; ++ for (fp = fname ; *fp; ) { ++ c = *fp++; ++ if (c >= '0' && c <= '9') ++ c -= '0'; ++ else if (c >= 'a' && c <= 'f') ++ c -= 'a' - 10; ++ else if (c >= 'A' && c <= 'F') ++ c -= 'A' - 10; ++ else ++ log_bug("filename is not hex\n"); ++ if (d >= 0) { ++ *mdb++ = d << 4 | c; ++ c = -1; ++ if (--mdlen == 0) { ++ mdb = ts; ++ if (*fp++ != '@') ++ log_bug("missing time separator\n"); ++ } ++ } ++ d = c; ++ } ++ sigclass = ts[0]; ++ if (sigclass != 0x00 && sigclass != 0x01) ++ log_bug("bad cipher class\n"); ++ timestamp = buffer_to_u32(ts + 1); ++ } + else { + /* read, so that the filter can calculate the digest */ + while( iobuf_get(inp) != -1 ) +@@ -1012,8 +1068,8 @@ sign_file( strlist_t filenames, int deta + + /* write the signatures */ + rc = write_signature_packets (sk_list, out, mfx.md, +- opt.textmode && !outfile? 0x01 : 0x00, +- 0, duration, detached ? 'D':'S'); ++ sigclass, ++ timestamp, duration, detached ? 'D':'S'); + if( rc ) + goto leave; + diff --git a/gnupg2.spec b/gnupg2.spec index 544d248..d84da8f 100644 --- a/gnupg2.spec +++ b/gnupg2.spec @@ -11,6 +11,8 @@ Source1: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}. #Source0: gnupg2-20090809svn.tar.bz2 Patch1: gnupg-2.0.20-insttools.patch Patch3: gnupg-2.0.20-secmem.patch +# non-upstreamable patch adding file-is-digest option needed for Copr +Patch4: gnupg-2.0.25-file-is-digest.patch Patch5: gnupg-2.0.20-ocsp-keyusage.patch Patch6: gnupg-2.0.19-fips-algo.patch @@ -76,6 +78,7 @@ to the base GnuPG package %patch1 -p1 -b .insttools %endif %patch3 -p1 -b .secmem +%patch4 -p1 -b .file-is-digest %patch5 -p1 -b .keyusage %patch6 -p1 -b .fips @@ -193,6 +196,7 @@ fi %changelog * Tue Aug 5 2014 Tomáš Mráz - 2.0.25-1 - new upstream release fixing a minor regression introduced by the previous one +- add --file-is-digest option needed for copr * Wed Jun 25 2014 Tomáš Mráz - 2.0.24-1 - new upstream release fixing CVE-2014-4617