main/gnupg1: fix CVE-2018-12020

author: Sören Tempel <soeren+git@soeren-tempel.net> 2018-06-10 20:40:38 +0200
committer: Natanael Copa <ncopa@alpinelinux.org> 2018-08-16 16:52:42 +0200
commit: f98e469b6d7abeef7b518467b71cd523b0dbc6e1 (patch)
tree: 6a92162a1380a8ea9ddbaeb2c120006d0e181a3b
parent: 9e8163ee0315aa8fe5163b8bd01f757e4245414e (diff)
download: alpine_aports-f98e469b6d7abeef7b518467b71cd523b0dbc6e1.tar.bz2
alpine_aports-f98e469b6d7abeef7b518467b71cd523b0dbc6e1.tar.xz
alpine_aports-f98e469b6d7abeef7b518467b71cd523b0dbc6e1.zip
2 files changed, 56 insertions, 8 deletions
diff --git a/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch b/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch
new file mode 100644
index 0000000000..3592fc5500
--- /dev/null
+++ b/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch
@@ -0,0 +1,41 @@
+From 2326851c60793653069494379b16d84e4c10a0ac Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Fri, 8 Jun 2018 10:45:21 +0200
+Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
+* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
+--
+This fixes a forgotten sanitation of user supplied data in a verbose
+mode diagnostic.  The mention CVE is about using this to inject
+status-fd lines into the stderr output.  Other harm good as well be
+done.  Note that GPGME based applications are not affected because
+GPGME does not fold status output into stderr.
+CVE-id: CVE-2018-12020
+GnuPG-bug-id: 4012
+(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
+---
+ g10/mainproc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/g10/mainproc.c b/g10/mainproc.c
+index 33a654b34..ffa7ef6d8 100644
+--- a/g10/mainproc.c
+++ b/g10/mainproc.c
+@@ -638,7 +638,11 @@ proc_plaintext( CTX c, PACKET *pkt )
+     if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
+        log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
+     else if( opt.verbose )
+-       log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
+      {
+        char *tmp = make_printable_string (pt->name, pt->namelen, 0);
+        log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
+        xfree (tmp);
+      }
+     free_md_filter_context( &c->mfx );
+     c->mfx.md = md_open( 0, 0);
+     /* fixme: we may need to push the textfilter if we have sigclass 1
+-- 
+2.17.1
diff --git a/main/gnupg1/APKBUILD b/main/gnupg1/APKBUILD
index 60469903b9..db58f6a67a 100644
--- a/main/gnupg1/APKBUILD
+++ b/main/gnupg1/APKBUILD
@@ -1,22 +1,28 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=gnupg1
 pkgver=1.4.22
-pkgrel=0
+pkgrel=1
 pkgdesc="GNU Privacy Guard 1 - a PGP replacement tool"
 url="http://www.gnupg.org/"
 arch="all"
 license="GPL"
 depends="pinentry"
-makedepends="curl-dev libassuan libksba-dev libgcrypt-dev libgpg-error-dev 
+makedepends="curl-dev libassuan libksba-dev libgcrypt-dev libgpg-error-dev
        zlib-dev libassuan-dev"
 subpackages="$pkgname-doc"
 provides="gnupg=$pkgver-r$pkgrel"
 replaces="gnupg"
-source="ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-$pkgver.tar.bz2"
+source="ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-$pkgver.tar.bz2
+        0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch"
-_builddir="$srcdir/gnupg-$pkgver"
+# secfixes:
+#   1.4.22-r1:
+#     - CVE-2018-12020
+builddir="$srcdir/gnupg-$pkgver"
 prepare() {
-        cd "$_builddir"
+        cd "$builddir"
+        default_prepare
        # Fix PIC definitions
        sed -i -e 's:PIC:__PIC__:' \
@@ -27,7 +33,7 @@ prepare() {
 }
 build() {
-        cd "$_builddir"
+        cd "$builddir"
        export CFLAGS="$CFLAGS -g"
        ./configure \
                --build=$CBUILD \
@@ -40,7 +46,7 @@ build() {
 }
 package() {
-        cd "$_builddir"
+        cd "$builddir"
        make -j1 DESTDIR="$pkgdir" install
 }
@@ -49,4 +55,5 @@ doc() {
        provides="gnupg-doc=$pkgver-r$pkgrel"
 }
-sha512sums="c03acac0fa55761470bb085d78a44e2b99ebb187e8396cbb031a184b1e40bef2a40c91da07755d1a20610a3daa6aa1eefea2d12a0dbd5a79a45466166419c708  gnupg-1.4.22.tar.bz2"
+sha512sums="c03acac0fa55761470bb085d78a44e2b99ebb187e8396cbb031a184b1e40bef2a40c91da07755d1a20610a3daa6aa1eefea2d12a0dbd5a79a45466166419c708  gnupg-1.4.22.tar.bz2
+0fecf8735ed56380699d91ff739aac3cf4a8b0fc2b248e403fb8c1411b05ac701eaebed6898f37a13e45df53cab3c319deac05b18a74d40c19409652a500d32b  0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch"
author	Sören Tempel <soeren+git@soeren-tempel.net>	2018-06-10 20:40:38 +0200
committer	Natanael Copa <ncopa@alpinelinux.org>	2018-08-16 16:52:42 +0200
commit	f98e469b6d7abeef7b518467b71cd523b0dbc6e1 (patch)
tree	6a92162a1380a8ea9ddbaeb2c120006d0e181a3b
parent	9e8163ee0315aa8fe5163b8bd01f757e4245414e (diff)
download	alpine_aports-f98e469b6d7abeef7b518467b71cd523b0dbc6e1.tar.bz2 alpine_aports-f98e469b6d7abeef7b518467b71cd523b0dbc6e1.tar.xz alpine_aports-f98e469b6d7abeef7b518467b71cd523b0dbc6e1.zip

diff --git a/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch b/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch new file mode 100644 index 0000000000..3592fc5500 --- /dev/null +++ b/main/gnupg1/0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch
@@ -0,0 +1,41 @@
		1	From 2326851c60793653069494379b16d84e4c10a0ac Mon Sep 17 00:00:00 2001
		2	From: Werner Koch <wk@gnupg.org>
		3	Date: Fri, 8 Jun 2018 10:45:21 +0200
		4	Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
		5
		6	* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
		7	--
		8
		9	This fixes a forgotten sanitation of user supplied data in a verbose
		10	mode diagnostic. The mention CVE is about using this to inject
		11	status-fd lines into the stderr output. Other harm good as well be
		12	done. Note that GPGME based applications are not affected because
		13	GPGME does not fold status output into stderr.
		14
		15	CVE-id: CVE-2018-12020
		16	GnuPG-bug-id: 4012
		17	(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
		18	---
		19	g10/mainproc.c \| 6 +++++-
		20	1 file changed, 5 insertions(+), 1 deletion(-)
		21
		22	diff --git a/g10/mainproc.c b/g10/mainproc.c
		23	index 33a654b34..ffa7ef6d8 100644
		24	--- a/g10/mainproc.c
		25	+++ b/g10/mainproc.c
		26	@@ -638,7 +638,11 @@ proc_plaintext( CTX c, PACKET *pkt )
		27	if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
		28	log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
		29	else if( opt.verbose )
		30	- log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
		31	+ {
		32	+ char *tmp = make_printable_string (pt->name, pt->namelen, 0);
		33	+ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
		34	+ xfree (tmp);
		35	+ }
		36	free_md_filter_context( &c->mfx );
		37	c->mfx.md = md_open( 0, 0);
		38	/* fixme: we may need to push the textfilter if we have sigclass 1
		39	--
		40	2.17.1
		41


diff --git a/main/gnupg1/APKBUILD b/main/gnupg1/APKBUILD index 60469903b9..db58f6a67a 100644 --- a/main/gnupg1/APKBUILD +++ b/main/gnupg1/APKBUILD
@@ -1,22 +1,28 @@
1	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>	1	# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
2	pkgname=gnupg1	2	pkgname=gnupg1
3	pkgver=1.4.22	3	pkgver=1.4.22
4	pkgrel=0	4	pkgrel=1
5	pkgdesc="GNU Privacy Guard 1 - a PGP replacement tool"	5	pkgdesc="GNU Privacy Guard 1 - a PGP replacement tool"
6	url="http://www.gnupg.org/"	6	url="http://www.gnupg.org/"
7	arch="all"	7	arch="all"
8	license="GPL"	8	license="GPL"
9	depends="pinentry"	9	depends="pinentry"
10	makedepends="curl-dev libassuan libksba-dev libgcrypt-dev libgpg-error-dev	10	makedepends="curl-dev libassuan libksba-dev libgcrypt-dev libgpg-error-dev
11	zlib-dev libassuan-dev"	11	zlib-dev libassuan-dev"
12	subpackages="$pkgname-doc"	12	subpackages="$pkgname-doc"
13	provides="gnupg=$pkgver-r$pkgrel"	13	provides="gnupg=$pkgver-r$pkgrel"
14	replaces="gnupg"	14	replaces="gnupg"
15	source="ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-$pkgver.tar.bz2"	15	source="ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-$pkgver.tar.bz2
		16	0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch"
16		17
17	_builddir="$srcdir/gnupg-$pkgver"	18	# secfixes:
		19	# 1.4.22-r1:
		20	# - CVE-2018-12020
		21
		22	builddir="$srcdir/gnupg-$pkgver"
18	prepare() {	23	prepare() {
19	cd "$_builddir"	24	cd "$builddir"
		25	default_prepare
20		26
21	# Fix PIC definitions	27	# Fix PIC definitions
22	sed -i -e 's:PIC:__PIC__:' \	28	sed -i -e 's:PIC:__PIC__:' \
@@ -27,7 +33,7 @@ prepare() {
27	}	33	}
28		34
29	build() {	35	build() {
30	cd "$_builddir"	36	cd "$builddir"
31	export CFLAGS="$CFLAGS -g"	37	export CFLAGS="$CFLAGS -g"
32	./configure \	38	./configure \
33	--build=$CBUILD \	39	--build=$CBUILD \
@@ -40,7 +46,7 @@ build() {
40	}	46	}
41		47
42	package() {	48	package() {
43	cd "$_builddir"	49	cd "$builddir"
44	make -j1 DESTDIR="$pkgdir" install	50	make -j1 DESTDIR="$pkgdir" install
45	}	51	}
46		52
@@ -49,4 +55,5 @@ doc() {
49	provides="gnupg-doc=$pkgver-r$pkgrel"	55	provides="gnupg-doc=$pkgver-r$pkgrel"
50	}	56	}
51		57
52	sha512sums="c03acac0fa55761470bb085d78a44e2b99ebb187e8396cbb031a184b1e40bef2a40c91da07755d1a20610a3daa6aa1eefea2d12a0dbd5a79a45466166419c708 gnupg-1.4.22.tar.bz2"	58	sha512sums="c03acac0fa55761470bb085d78a44e2b99ebb187e8396cbb031a184b1e40bef2a40c91da07755d1a20610a3daa6aa1eefea2d12a0dbd5a79a45466166419c708 gnupg-1.4.22.tar.bz2
		59	0fecf8735ed56380699d91ff739aac3cf4a8b0fc2b248e403fb8c1411b05ac701eaebed6898f37a13e45df53cab3c319deac05b18a74d40c19409652a500d32b 0001-gpg-Sanitize-diagnostic-with-the-original-file-name.patch"