main/libgcrypt: security upgrade to 1.8.3

fixes #9003

2 files changed, 55 insertions, 3 deletions

diff --git a/main/libgcrypt/APKBUILD b/main/libgcrypt/APKBUILD
index 8eee2ae379..9cc6bc1115 100644
--- a/main/libgcrypt/APKBUILD
+++ b/main/libgcrypt/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libgcrypt
-pkgver=1.8.2
+pkgver=1.8.3
 pkgrel=0
 pkgdesc="general purpose crypto library based on the code used in GnuPG"
 url="http://www.gnupg.org"
@@ -10,8 +10,14 @@ depends=""
 depends_dev="libgpg-error-dev"
 makedepends="$depends_dev texinfo"
 subpackages="$pkgname-dev $pkgname-doc"
-source="https://www.gnupg.org/ftp/gcrypt/libgcrypt/$pkgname-$pkgver.tar.bz2"
+source="https://www.gnupg.org/ftp/gcrypt/libgcrypt/$pkgname-$pkgver.tar.bz2
+        random-Fix-hang-of-_gcry_rndjent_get_version.patch"
 builddir="$srcdir"/$pkgname-$pkgver
+options="!checkroot"
+
+# secfixes:
+#   1.8.3-r0:
+#   - CVE-2018-0495
 
 build () {
         cd "$builddir"
@@ -53,4 +59,5 @@ package() {
         rm -f ${pkgdir}/usr/share/info/dir
 }
 
-sha512sums="1e8c414f95bf6b50e778102ca7c1b3b1f30d8320826d9fff747a0a098ef85499cdc3e6de736853b9cd4e5dadda35c7c0a291e13643dcac5eaef44f2ddc7a6c09  libgcrypt-1.8.2.tar.bz2"
+sha512sums="8c873204303f173dd3f49817a81035c1d504b2fc885965c9bc074a6e3fb108ceb6dca366d85e840a40712a6890fc325018ea9b8c1b7b8804c51c44b296cb96a0  libgcrypt-1.8.3.tar.bz2
+a717d40702c8ffdd40a7bffc563bf7aecf01640514a2d07c7eb5e40d742473ba297779fc0fea64576b254214011711a010de0cf306f88c5617fd06214a9fd30e  random-Fix-hang-of-_gcry_rndjent_get_version.patch"
diff --git a/main/libgcrypt/random-Fix-hang-of-_gcry_rndjent_get_version.patch b/main/libgcrypt/random-Fix-hang-of-_gcry_rndjent_get_version.patch
new file mode 100644
index 0000000000..cb2a1c340d
--- /dev/null
+++ b/main/libgcrypt/random-Fix-hang-of-_gcry_rndjent_get_version.patch
@@ -0,0 +1,45 @@
+From 355f5b7f69075c010fe33aa5b10ac60c08fae0c7 Mon Sep 17 00:00:00 2001
+From: Will Dietz <w@wdtz.org>
+Date: Sun, 17 Jun 2018 18:53:58 -0500
+Subject: [PATCH] random: Fix hang of _gcry_rndjent_get_version.
+
+* random/rndjent.c (_gcry_rndjent_get_version): Move locking.
+
+--
+
+While the protection for jent_rng_collector is needed,
+_gcry_rndjent_poll is also acquiring the lock for the variable.
+Thus, it hangs.
+
+This change is sub-optimal, the lock is once released after the call
+of _gcry_rndjent_poll.  It might be good to modify the API of
+_gcry_rndjent_poll to explicitly allow this use case of forcing
+initialization keeping the lock.
+
+Comments and change log entry by gniibe.
+
+GnuPG-bug-id: 4034
+Fixes-commit: 0de2a22fcf6607d0aecb550feefa414cee3731b2
+---
+ random/rndjent.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/random/rndjent.c b/random/rndjent.c
+index 0c5a820..3740ddd 100644
+--- a/random/rndjent.c
++++ b/random/rndjent.c
+@@ -334,9 +334,10 @@ _gcry_rndjent_get_version (int *r_active)
+     {
+       if (r_active)
+         {
+-          lock_rng ();
+           /* Make sure the RNG is initialized.  */
+           _gcry_rndjent_poll (NULL, 0, 0);
++
++          lock_rng ();
+           /* To ease debugging we store 2 for a clock_gettime based
+            * implementation and 1 for a rdtsc based code.  */
+           *r_active = jent_rng_collector? is_rng_available () : 0;
+-- 
+2.8.0.rc3
+