fix CVE-2012-6085 - skip invalid key packets (#891142)

2013-01-02 22:14:59 +01:00 · 2013-01-02 22:14:59 +01:00 · 2af6509cf2
commit 2af6509cf2
parent 5eb4571a5e
2 changed files with 67 additions and 1 deletions
--- a/gnupg-2.0.19-cve-2012-6085.patch
+++ b/gnupg-2.0.19-cve-2012-6085.patch
@ -0,0 +1,61 @@
+From: Werner Koch <wk@gnupg.org>
+Date: Thu, 20 Dec 2012 08:43:41 +0000 (+0100)
+Subject: gpg: Import only packets which are allowed in a keyblock.
+X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=498882296ffac7987c644aaf2a0aa108a2925471
+
+gpg: Import only packets which are allowed in a keyblock.
+
+* g10/import.c (valid_keyblock_packet): New.
+(read_block): Store only valid packets.
+--
+
+A corrupted key, which for example included a mangled public key
+encrypted packet, used to corrupt the keyring.  This change skips all
+packets which are not allowed in a keyblock.
+
+GnuPG-bug-id: 1455
+
+(cherry-picked from commit 3a4b96e665fa639772854058737ee3d54ba0694e)
+---
+
+diff --git a/g10/import.c b/g10/import.c
+index ba2439d..ad112d6 100644
+--- a/g10/import.c
+++ b/g10/import.c
+@@ -347,6 +347,27 @@ import_print_stats (void *hd)
+ }
+ 
+ 
+/* Return true if PKTTYPE is valid in a keyblock.  */
+static int
+valid_keyblock_packet (int pkttype)
+{
+  switch (pkttype)
+    {
+    case PKT_PUBLIC_KEY:
+    case PKT_PUBLIC_SUBKEY:
+    case PKT_SECRET_KEY:
+    case PKT_SECRET_SUBKEY:
+    case PKT_SIGNATURE:
+    case PKT_USER_ID:
+    case PKT_ATTRIBUTE:
+    case PKT_RING_TRUST:
+      return 1;
+    default:
+      return 0;
+    }
+}
+
+
+ /****************
+  * Read the next keyblock from stream A.
+  * PENDING_PKT should be initialzed to NULL
+@@ -424,7 +445,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root )
+ 	    }
+ 	    in_cert = 1;
+ 	  default:
+-	    if( in_cert ) {
+	    if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
+ 		if( !root )
+ 		    root = new_kbnode( pkt );
+ 		else
--- a/gnupg2.spec
+++ b/gnupg2.spec
@ -1,7 +1,7 @@
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
 Version: 2.0.19
-Release: 6%{?dist}
+Release: 7%{?dist}

 License: GPLv3+
 Group:   Applications/System
@ -15,6 +15,7 @@ Patch3:  gnupg-2.0.18-secmem.patch
 Patch4:  gnupg-2.0.18-protect-tool-env.patch
 Patch5:  gnupg-2.0.16-ocsp-keyusage.patch
 Patch6:  gnupg-2.0.19-fips-algo.patch
+Patch7:  gnupg-2.0.19-cve-2012-6085.patch

 URL:     http://www.gnupg.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -81,6 +82,7 @@ to the base GnuPG package
 %patch4 -p1 -b .ptool-env
 %patch5 -p1 -b .keyusage
 %patch6 -p1 -b .fips
+%patch7 -p1 -b .valid-packet

 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@ -198,6 +200,9 @@ rm -rf %{buildroot}


 %changelog
+* Wed Jan  2 2013 Tomas Mraz <tmraz@redhat.com> - 2.0.19-7
+- fix CVE-2012-6085 - skip invalid key packets (#891142)
+
 * Thu Nov 22 2012 Tomas Mraz <tmraz@redhat.com> - 2.0.19-6
 - use AES as default crypto algorithm in FIPS mode (#879047)