-rw-r--r-- | security/gnupg/Makefile | 9 | ||||
-rw-r--r-- | security/gnupg/distinfo | 12 | ||||
-rw-r--r-- | security/gnupg/files/patch-CVE-2006-6235 | 260 | ||||
-rw-r--r-- | security/gnupg/files/patch-tools:Makefile.in | 11 |
4 files changed, 10 insertions, 282 deletions
diff --git a/security/gnupg/Makefile b/security/gnupg/Makefile index 0e3bb00..b49661a 100644 --- a/security/gnupg/Makefile +++ b/security/gnupg/Makefile @@ -6,8 +6,7 @@ # PORTNAME= gnupg -PORTVERSION= 2.0.1 -PORTREVISION= 1 +PORTVERSION= 2.0.2 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_GNUPG} MASTER_SITE_SUBDIR= gnupg @@ -32,8 +31,8 @@ USE_ICONV= YES USE_LDCONFIG= YES USE_GETTEXT= YES CONFIGURE_TARGET=# empty -CONFIGURE_ARGS+= --infodir=${PREFIX}/info --mandir=${PREFIX}/man \ - --enable-nls +CONFIGURE_ARGS+= --infodir=${PREFIX}/info --mandir=${PREFIX}/man +CONFIGURE_ARGS+= --enable-nls MAN1= gpg2.1 gpgsm.1 gpgv2.1 gpg-agent.1 scdaemon.1 watchgnupg.1 \ gpgconf.1 gpg-preset-passphrase.1 gpg-connect-agent.1 \ gpgparsemail.1 symcryptrun.1 gpgsm-gencert.sh.1 @@ -41,10 +40,10 @@ MAN8= addgnupghome.8 INFO= gnupg OPTIONS= LDAP "LDAP keyserver interface" off \ - NLS "National Language Support" off \ SCDAEMON "Enable Smartcard daemon (with libusb)" off \ CURL "Use the real curl library (worked around if no)" on \ GPGSM "Enable GPGSM" on +#OPTIONS+= NLS "National Language Support" off .include <bsd.port.pre.mk> diff --git a/security/gnupg/distinfo b/security/gnupg/distinfo index c46fb47..542d495 100644 --- a/security/gnupg/distinfo +++ b/security/gnupg/distinfo 
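Review bot: The third Makefile hunk leaves `#OPTIONS+= NLS "National Language Support" off` behind as commented-out code with no reason given. `--enable-nls` is still passed unconditionally in `CONFIGURE_ARGS` (as it was before), so nothing in the visible lines lets a user turn NLS off. Any `WITH_NLS`/`WITHOUT_NLS` handling further down the Makefile is outside these hunks and would now be dead if it exists. Either delete the line, or put the reason above it, for example `# NLS option disabled: <reason>; --enable-nls is always passed`.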
@@ -1,6 +1,6 @@
-MD5 (gnupg-2.0.1.tar.bz2) = eb24e258db73f4cb53a3ce18375efa21
-SHA256 (gnupg-2.0.1.tar.bz2) = 49949762a4e080379dcca23948442d50488f0d74e04bcba87fc49e19a899b01d
-SIZE (gnupg-2.0.1.tar.bz2) = 3923924
-MD5 (gnupg-2.0.1.tar.bz2.sig) = 58b1bbc2f34c0882ab1a49542a8ffd45
-SHA256 (gnupg-2.0.1.tar.bz2.sig) = 2e49d6cfcb9ad12bc10e7185435761622c2da12b850c6c31925da3b4c8100628
-SIZE (gnupg-2.0.1.tar.bz2.sig) = 158
+MD5 (gnupg-2.0.2.tar.bz2) = 9f972c78135a7dea1bae66bb9f263980
+SHA256 (gnupg-2.0.2.tar.bz2) = 10da9a7adadedaa4a9bba8ed936e0421526eea3ea7b63081273d7aa740b3bef9
+SIZE (gnupg-2.0.2.tar.bz2) = 3969476
+MD5 (gnupg-2.0.2.tar.bz2.sig) = a2bde7013f6fa047e617088bbdc29d7b
+SHA256 (gnupg-2.0.2.tar.bz2.sig) = 87dafb0a150f0a7b1aecb97de1ca6622caa4e2d0644925651597489054717286
+SIZE (gnupg-2.0.2.tar.bz2.sig) = 158
diff --git a/security/gnupg/files/patch-CVE-2006-6235 b/security/gnupg/files/patch-CVE-2006-6235
deleted file mode 100644
index c169257..0000000
--- a/security/gnupg/files/patch-CVE-2006-6235
+++ /dev/null
@@ -1,260 +0,0 @@ -This is a patch against GnuPG 2.0.1. Change the directory to g10/ and -apply this patch. - -2006-12-02 Werner Koch <wk@g10code.com> - - * encr-data.c: Allocate DFX context on the heap and not on the - stack. Changes at several places. Fixes CVE-2006-6235. - - -Index: g10/encr-data.c -=================================================================== ---- g10/encr-data.c (revision 4352) -+++ g10/encr-data.c (working copy) -@@ -39,16 +39,37 @@ - static int decode_filter ( void *opaque, int control, IOBUF a, - byte *buf, size_t *ret_len); - --typedef struct -+typedef struct decode_filter_context_s - { - gcry_cipher_hd_t cipher_hd; - gcry_md_hd_t mdc_hash; - char defer[22]; - int defer_filled; - int eof_seen; --} decode_filter_ctx_t; -+ int refcount; -+} *decode_filter_ctx_t; - - -+/* Helper to release the decode context. */ -+static void -+release_dfx_context (decode_filter_ctx_t dfx) -+{ -+ if (!dfx) -+ return; -+ -+ assert (dfx->refcount); -+ if ( !--dfx->refcount ) -+ { -+ gcry_cipher_close (dfx->cipher_hd); -+ dfx->cipher_hd = NULL; -+ gcry_md_close (dfx->mdc_hash); -+ dfx->mdc_hash = NULL; -+ xfree (dfx); -+ } -+} -+ -+ -+ - /**************** - * Decrypt the data, specified by ED with the key DEK. 
- */ -@@ -62,7 +83,11 @@ - unsigned blocksize; - unsigned nprefix; - -- memset( &dfx, 0, sizeof dfx ); -+ dfx = xtrycalloc (1, sizeof *dfx); -+ if (!dfx) -+ return gpg_error_from_syserror (); -+ dfx->refcount = 1; -+ - if ( opt.verbose && !dek->algo_info_printed ) - { - const char *s = gcry_cipher_algo_name (dek->algo); -@@ -77,20 +102,20 @@ - goto leave; - blocksize = gcry_cipher_get_algo_blklen (dek->algo); - if ( !blocksize || blocksize > 16 ) -- log_fatal("unsupported blocksize %u\n", blocksize ); -+ log_fatal ("unsupported blocksize %u\n", blocksize ); - nprefix = blocksize; - if ( ed->len && ed->len < (nprefix+2) ) - BUG(); - - if ( ed->mdc_method ) - { -- if (gcry_md_open (&dfx.mdc_hash, ed->mdc_method, 0 )) -+ if (gcry_md_open (&dfx->mdc_hash, ed->mdc_method, 0 )) - BUG (); - if ( DBG_HASHING ) -- gcry_md_start_debug (dfx.mdc_hash, "checkmdc"); -+ gcry_md_start_debug (dfx->mdc_hash, "checkmdc"); - } - -- rc = gcry_cipher_open (&dfx.cipher_hd, dek->algo, -+ rc = gcry_cipher_open (&dfx->cipher_hd, dek->algo, - GCRY_CIPHER_MODE_CFB, - (GCRY_CIPHER_SECURE - | ((ed->mdc_method || dek->algo >= 100)? 
-@@ -104,7 +129,7 @@ - - - /* log_hexdump( "thekey", dek->key, dek->keylen );*/ -- rc = gcry_cipher_setkey (dfx.cipher_hd, dek->key, dek->keylen); -+ rc = gcry_cipher_setkey (dfx->cipher_hd, dek->key, dek->keylen); - if ( gpg_err_code (rc) == GPG_ERR_WEAK_KEY ) - { - log_info(_("WARNING: message was encrypted with" -@@ -123,7 +148,7 @@ - goto leave; - } - -- gcry_cipher_setiv (dfx.cipher_hd, NULL, 0); -+ gcry_cipher_setiv (dfx->cipher_hd, NULL, 0); - - if ( ed->len ) - { -@@ -144,8 +169,8 @@ - temp[i] = c; - } - -- gcry_cipher_decrypt (dfx.cipher_hd, temp, nprefix+2, NULL, 0); -- gcry_cipher_sync (dfx.cipher_hd); -+ gcry_cipher_decrypt (dfx->cipher_hd, temp, nprefix+2, NULL, 0); -+ gcry_cipher_sync (dfx->cipher_hd); - p = temp; - /* log_hexdump( "prefix", temp, nprefix+2 ); */ - if (dek->symmetric -@@ -155,17 +180,18 @@ - goto leave; - } - -- if ( dfx.mdc_hash ) -- gcry_md_write (dfx.mdc_hash, temp, nprefix+2); -- -+ if ( dfx->mdc_hash ) -+ gcry_md_write (dfx->mdc_hash, temp, nprefix+2); -+ -+ dfx->refcount++; - if ( ed->mdc_method ) -- iobuf_push_filter( ed->buf, mdc_decode_filter, &dfx ); -+ iobuf_push_filter ( ed->buf, mdc_decode_filter, dfx ); - else -- iobuf_push_filter( ed->buf, decode_filter, &dfx ); -+ iobuf_push_filter ( ed->buf, decode_filter, dfx ); - - proc_packets ( procctx, ed->buf ); - ed->buf = NULL; -- if ( ed->mdc_method && dfx.eof_seen == 2 ) -+ if ( ed->mdc_method && dfx->eof_seen == 2 ) - rc = gpg_error (GPG_ERR_INV_PACKET); - else if ( ed->mdc_method ) - { -@@ -184,26 +210,28 @@ - bytes are appended. 
*/ - int datalen = gcry_md_get_algo_dlen (ed->mdc_method); - -- gcry_cipher_decrypt (dfx.cipher_hd, dfx.defer, 22, NULL, 0); -- gcry_md_write (dfx.mdc_hash, dfx.defer, 2); -- gcry_md_final (dfx.mdc_hash); -+ assert (dfx->cipher_hd); -+ assert (dfx->mdc_hash); -+ gcry_cipher_decrypt (dfx->cipher_hd, dfx->defer, 22, NULL, 0); -+ gcry_md_write (dfx->mdc_hash, dfx->defer, 2); -+ gcry_md_final (dfx->mdc_hash); - -- if (dfx.defer[0] != '\xd3' || dfx.defer[1] != '\x14' ) -+ if (dfx->defer[0] != '\xd3' || dfx->defer[1] != '\x14' ) - { - log_error("mdc_packet with invalid encoding\n"); - rc = gpg_error (GPG_ERR_INV_PACKET); - } - else if (datalen != 20 -- || memcmp (gcry_md_read (dfx.mdc_hash, 0),dfx.defer+2,datalen)) -+ || memcmp (gcry_md_read (dfx->mdc_hash, 0), -+ dfx->defer+2,datalen )) - rc = gpg_error (GPG_ERR_BAD_SIGNATURE); -- /* log_printhex("MDC message:", dfx.defer, 22); */ -- /* log_printhex("MDC calc:", gcry_md_read (dfx.mdc_hash,0), datalen); */ -+ /* log_printhex("MDC message:", dfx->defer, 22); */ -+ /* log_printhex("MDC calc:", gcry_md_read (dfx->mdc_hash,0), datalen); */ - } - - - leave: -- gcry_cipher_close (dfx.cipher_hd); -- gcry_md_close (dfx.mdc_hash); -+ release_dfx_context (dfx); - return rc; - } - -@@ -214,7 +242,7 @@ - mdc_decode_filter (void *opaque, int control, IOBUF a, - byte *buf, size_t *ret_len) - { -- decode_filter_ctx_t *dfx = opaque; -+ decode_filter_ctx_t dfx = opaque; - size_t n, size = *ret_len; - int rc = 0; - int c; -@@ -226,11 +254,11 @@ - } - else if( control == IOBUFCTRL_UNDERFLOW ) - { -- assert(a); -- assert( size > 44 ); -+ assert (a); -+ assert ( size > 44 ); - - /* Get at least 22 bytes and put it somewhere ahead in the buffer. 
*/ -- for(n=22; n < 44 ; n++ ) -+ for (n=22; n < 44 ; n++ ) - { - if( (c = iobuf_get(a)) == -1 ) - break; -@@ -279,8 +307,10 @@ - - if ( n ) - { -- gcry_cipher_decrypt (dfx->cipher_hd, buf, n, NULL, 0); -- gcry_md_write (dfx->mdc_hash, buf, n); -+ if ( dfx->cipher_hd ) -+ gcry_cipher_decrypt (dfx->cipher_hd, buf, n, NULL, 0); -+ if ( dfx->mdc_hash ) -+ gcry_md_write (dfx->mdc_hash, buf, n); - } - else - { -@@ -289,6 +319,10 @@ - } - *ret_len = n; - } -+ else if ( control == IOBUFCTRL_FREE ) -+ { -+ release_dfx_context (dfx); -+ } - else if ( control == IOBUFCTRL_DESC ) - { - *(char**)buf = "mdc_decode_filter"; -@@ -300,7 +334,7 @@ - static int - decode_filter( void *opaque, int control, IOBUF a, byte *buf, size_t *ret_len) - { -- decode_filter_ctx_t *fc = opaque; -+ decode_filter_ctx_t fc = opaque; - size_t n, size = *ret_len; - int rc = 0; - -@@ -311,11 +345,18 @@ - if ( n == -1 ) - n = 0; - if ( n ) -- gcry_cipher_decrypt (fc->cipher_hd, buf, n, NULL, 0); -+ { -+ if (fc->cipher_hd) -+ gcry_cipher_decrypt (fc->cipher_hd, buf, n, NULL, 0); -+ } - else - rc = -1; /* EOF */ - *ret_len = n; - } -+ else if ( control == IOBUFCTRL_FREE ) -+ { -+ release_dfx_context (fc); -+ } - else if ( control == IOBUFCTRL_DESC ) - { - *(char**)buf = "decode_filter"; diff --git a/security/gnupg/files/patch-tools:Makefile.in b/security/gnupg/files/patch-tools:Makefile.in deleted file mode 100644 index 98683c9..0000000 --- a/security/gnupg/files/patch-tools:Makefile.in +++ /dev/null 
@@ -1,11 +0,0 @@ ---- tools/Makefile.in.orig Mon Dec 25 11:52:16 2006 -+++ tools/Makefile.in Mon Dec 25 11:53:00 2006 -@@ -453,7 +453,7 @@ - @BUILD_SYMCRYPTRUN_TRUE@symcryptrun = symcryptrun - common_libs = ../jnlib/libjnlib.a ../common/libcommon.a ../gl/libgnu.a - pwquery_libs = ../common/libsimple-pwquery.a --gpgsplit_LDADD = $(common_libs) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(ZLIBS) -+gpgsplit_LDADD = $(common_libs) $(LIBINTL) $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) $(ZLIBS) - gpgconf_SOURCES = gpgconf.c gpgconf.h gpgconf-comp.c no-libgcrypt.c - - # jnlib/common sucks in gpg-error, will they, nil they (some compilers |