main/gnupg1: security upgrade to 1.4.23 (CVE-2017-7526)

(cherry picked from commit 6895452f9306041d563023e9fae6b77ac6c27dae)
author: tcely <tcely@users.noreply.github.com> 2018-08-03 05:03:52 -0400
committer: Natanael Copa <ncopa@alpinelinux.org> 2018-08-16 16:53:42 +0200
commit: d8f3cd13cfcddc8a83bed4ad7ebae18137c2fe88 (patch)
tree: 428f83e3de43afdc6f6402c00838388bc10889aa
parent: f98e469b6d7abeef7b518467b71cd523b0dbc6e1 (diff)
download: alpine_aports-d8f3cd13cfcddc8a83bed4ad7ebae18137c2fe88.tar.bz2
alpine_aports-d8f3cd13cfcddc8a83bed4ad7ebae18137c2fe88.tar.xz
alpine_aports-d8f3cd13cfcddc8a83bed4ad7ebae18137c2fe88.zip
2 files changed, 6 insertions, 47 deletions
diff --git a/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch b/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch
deleted file mode 100644
index 3592fc5500..0000000000
--- a/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 2326851c60793653069494379b16d84e4c10a0ac Mon Sep 17 00:00:00 2001
-From: Werner Koch <wk@gnupg.org>
-Date: Fri, 8 Jun 2018 10:45:21 +0200
-Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
-* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
--
-This fixes a forgotten sanitation of user supplied data in a verbose
-mode diagnostic.  The mention CVE is about using this to inject
-status-fd lines into the stderr output.  Other harm good as well be
-done.  Note that GPGME based applications are not affected because
-GPGME does not fold status output into stderr.
-CVE-id: CVE-2018-12020
-GnuPG-bug-id: 4012
-(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
---
- g10/mainproc.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/g10/mainproc.c b/g10/mainproc.c
-index 33a654b34..ffa7ef6d8 100644
--- a/g10/mainproc.c
-+++ b/g10/mainproc.c
-@@ -638,7 +638,11 @@ proc_plaintext( CTX c, PACKET *pkt )
-     if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
-        log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
-     else if( opt.verbose )
-       log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
-+      {
-+        char *tmp = make_printable_string (pt->name, pt->namelen, 0);
-+        log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
-+        xfree (tmp);
-+      }
-     free_md_filter_context( &c->mfx );
-     c->mfx.md = md_open( 0, 0);
-     /* fixme: we may need to push the textfilter if we have sigclass 1
-- 
-2.17.1
diff --git a/main/gnupg1/APKBUILD b/main/gnupg1/APKBUILD
index db58f6a67a..ea0655fc74 100644
--- a/main/gnupg1/APKBUILD
+++ b/main/gnupg1/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=gnupg1
-pkgver=1.4.22
+pkgver=1.4.23
-pkgrel=1
+pkgrel=0
 pkgdesc="GNU Privacy Guard 1 - a PGP replacement tool"
 url="http://www.gnupg.org/"
 arch="all"
@@ -12,10 +12,11 @@ makedepends="curl-dev libassuan libksba-dev libgcrypt-dev libgpg-error-dev
 subpackages="$pkgname-doc"
 provides="gnupg=$pkgver-r$pkgrel"
 replaces="gnupg"
-source="ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-$pkgver.tar.bz2
+source="https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-$pkgver.tar.bz2"
-        0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch"
 # secfixes:
+#   1.4.23-r0:
+#     - CVE-2017-7526
 #   1.4.22-r1:
 #     - CVE-2018-12020
@@ -55,5 +56,4 @@ doc() {
        provides="gnupg-doc=$pkgver-r$pkgrel"
 }
-sha512sums="c03acac0fa55761470bb085d78a44e2b99ebb187e8396cbb031a184b1e40bef2a40c91da07755d1a20610a3daa6aa1eefea2d12a0dbd5a79a45466166419c708  gnupg-1.4.22.tar.bz2
+sha512sums="78dc52a2010202a4afc8814b29fda657a6c9fe230d5e7db11ae040edd2b0ca819e1baa4dbd6c0d04d36cd353df484e83f52d17759d2891c2cf7025c0b5d36612  gnupg-1.4.23.tar.bz2"
-0fecf8735ed56380699d91ff739aac3cf4a8b0fc2b248e403fb8c1411b05ac701eaebed6898f37a13e45df53cab3c319deac05b18a74d40c19409652a500d32b  0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch"
author	tcely <tcely@users.noreply.github.com>	2018-08-03 05:03:52 -0400
committer	Natanael Copa <ncopa@alpinelinux.org>	2018-08-16 16:53:42 +0200
commit	d8f3cd13cfcddc8a83bed4ad7ebae18137c2fe88 (patch)
tree	428f83e3de43afdc6f6402c00838388bc10889aa
parent	f98e469b6d7abeef7b518467b71cd523b0dbc6e1 (diff)
download	alpine_aports-d8f3cd13cfcddc8a83bed4ad7ebae18137c2fe88.tar.bz2 alpine_aports-d8f3cd13cfcddc8a83bed4ad7ebae18137c2fe88.tar.xz alpine_aports-d8f3cd13cfcddc8a83bed4ad7ebae18137c2fe88.zip

diff --git a/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch b/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch deleted file mode 100644 index 3592fc5500..0000000000 --- a/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch +++ /dev/null
@@ -1,41 +0,0 @@
1	From 2326851c60793653069494379b16d84e4c10a0ac Mon Sep 17 00:00:00 2001
2	From: Werner Koch <wk@gnupg.org>
3	Date: Fri, 8 Jun 2018 10:45:21 +0200
4	Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
5
6	* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
7	--
8
9	This fixes a forgotten sanitation of user supplied data in a verbose
10	mode diagnostic. The mention CVE is about using this to inject
11	status-fd lines into the stderr output. Other harm good as well be
12	done. Note that GPGME based applications are not affected because
13	GPGME does not fold status output into stderr.
14
15	CVE-id: CVE-2018-12020
16	GnuPG-bug-id: 4012
17	(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
18	---
19	g10/mainproc.c \| 6 +++++-
20	1 file changed, 5 insertions(+), 1 deletion(-)
21
22	diff --git a/g10/mainproc.c b/g10/mainproc.c
23	index 33a654b34..ffa7ef6d8 100644
24	--- a/g10/mainproc.c
25	+++ b/g10/mainproc.c
26	@@ -638,7 +638,11 @@ proc_plaintext( CTX c, PACKET *pkt )
27	if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
28	log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
29	else if( opt.verbose )
30	- log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
31	+ {
32	+ char *tmp = make_printable_string (pt->name, pt->namelen, 0);
33	+ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
34	+ xfree (tmp);
35	+ }
36	free_md_filter_context( &c->mfx );
37	c->mfx.md = md_open( 0, 0);
38	/* fixme: we may need to push the textfilter if we have sigclass 1
39	--
40	2.17.1
41


diff --git a/main/gnupg1/APKBUILD b/main/gnupg1/APKBUILD index db58f6a67a..ea0655fc74 100644 --- a/main/gnupg1/APKBUILD +++ b/main/gnupg1/APKBUILD
@@ -1,7 +1,7 @@
1	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>	1	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
2	pkgname=gnupg1	2	pkgname=gnupg1
3	pkgver=1.4.22	3	pkgver=1.4.23
4	pkgrel=1	4	pkgrel=0
5	pkgdesc="GNU Privacy Guard 1 - a PGP replacement tool"	5	pkgdesc="GNU Privacy Guard 1 - a PGP replacement tool"
6	url="http://www.gnupg.org/"	6	url="http://www.gnupg.org/"
7	arch="all"	7	arch="all"
@@ -12,10 +12,11 @@ makedepends="curl-dev libassuan libksba-dev libgcrypt-dev libgpg-error-dev
12	subpackages="$pkgname-doc"	12	subpackages="$pkgname-doc"
13	provides="gnupg=$pkgver-r$pkgrel"	13	provides="gnupg=$pkgver-r$pkgrel"
14	replaces="gnupg"	14	replaces="gnupg"
15	source="ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-$pkgver.tar.bz2	15	source="https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-$pkgver.tar.bz2"
16	0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch"
17		16
18	# secfixes:	17	# secfixes:
		18	# 1.4.23-r0:
		19	# - CVE-2017-7526
19	# 1.4.22-r1:	20	# 1.4.22-r1:
20	# - CVE-2018-12020	21	# - CVE-2018-12020
21		22
@@ -55,5 +56,4 @@ doc() {
55	provides="gnupg-doc=$pkgver-r$pkgrel"	56	provides="gnupg-doc=$pkgver-r$pkgrel"
56	}	57	}
57		58
58	sha512sums="c03acac0fa55761470bb085d78a44e2b99ebb187e8396cbb031a184b1e40bef2a40c91da07755d1a20610a3daa6aa1eefea2d12a0dbd5a79a45466166419c708 gnupg-1.4.22.tar.bz2	59	sha512sums="78dc52a2010202a4afc8814b29fda657a6c9fe230d5e7db11ae040edd2b0ca819e1baa4dbd6c0d04d36cd353df484e83f52d17759d2891c2cf7025c0b5d36612 gnupg-1.4.23.tar.bz2"
59	0fecf8735ed56380699d91ff739aac3cf4a8b0fc2b248e403fb8c1411b05ac701eaebed6898f37a13e45df53cab3c319deac05b18a74d40c19409652a500d32b 0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch"