
Bug#803199: marked as done (jessie-pu: package gnupg/1.4.18-7)



Your message dated Sat, 02 Apr 2016 14:20:04 +0100
with message-id <1459603204.2441.216.camel@adam-barratt.org.uk>
and subject line Fix included in stable
has caused the Debian Bug report #803199,
regarding jessie-pu: package gnupg/1.4.18-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
803199: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803199
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

https://bugs.debian.org/787046 shows a reasonable patch from noodles
(imported from GnuPG upstream) that makes gnupg 1.4.x behave sensibly
when previously unknown key types are encountered.

Since Curve25519 keys are becoming more visible, we need gpg to at
least ignore them cleanly.  This patch has already been included
upstream and is in Debian testing and stable without any bad
consequences.

Is it ok to upload to stable?

   --dkg

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-rc3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
From eb0a483d83d15f4dc053065a44373aba56c7f3cb Mon Sep 17 00:00:00 2001
From: Jonathan McDowell <noodles@earth.li>
Date: Mon, 17 Aug 2015 18:36:31 +0200
Subject: [STABLE-BRANCH-1-4 PATCH] import fix for unknown subkey types to
 jessie

---
 debian/changelog                                   |  7 ++
 ...10-fix-cmp_public_key-and-cmp_secret_keys.patch | 94 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 102 insertions(+)
 create mode 100644 debian/patches/0045-g10-fix-cmp_public_key-and-cmp_secret_keys.patch

diff --git a/debian/changelog b/debian/changelog
index 4488965..0972f28 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+gnupg (1.4.18-7+deb8u1) stable; urgency=medium
+
+  [ Jonathan McDowell ]
+  * Import upstream bugfix for handling unknown subkey types (Closes: #787046)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Tue, 27 Oct 2015 15:39:42 -0400
+
 gnupg (1.4.18-7) unstable; urgency=medium
 
   * import a series of DoS and vulnerabilities from upstream, including
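Review bot: The changelog entry at "Import upstream bugfix for handling unknown subkey types" could carry the upstream references that the patch header already records (GnuPG-bug-id 1962 and the 2.0 commit 43429c7869152f301157e4b24790b3801dce0f0a) so the stable record points at the origin of the fix without opening the patch file; "(Closes: #787046)" is correct for the Debian side.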
diff --git a/debian/patches/0045-g10-fix-cmp_public_key-and-cmp_secret_keys.patch b/debian/patches/0045-g10-fix-cmp_public_key-and-cmp_secret_keys.patch
new file mode 100644
index 0000000..9fac4e5
--- /dev/null
+++ b/debian/patches/0045-g10-fix-cmp_public_key-and-cmp_secret_keys.patch
@@ -0,0 +1,94 @@
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 30 Apr 2015 17:20:08 +0900
+Subject: g10: fix cmp_public_key and cmp_secret_keys.
+
+* g10/free-packet.c (cmp_public_keys, cmp_secret_keys): Compare opaque
+data at the first entry of the array when it's unknown algo.
+* mpi/mpi-cmp.c (mpi_cmp): Backport libgcrypt 1.5.0's semantics.
+
+--
+
+(backported from 2.0 commit 43429c7869152f301157e4b24790b3801dce0f0a)
+
+GnuPG-bug-id: 1962
+---
+ g10/free-packet.c | 22 ++++++++++++++--------
+ mpi/mpi-cmp.c     | 16 ++++++++++++++++
+ 2 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/g10/free-packet.c b/g10/free-packet.c
+index 0f8e0e8..e772c08 100644
+--- a/g10/free-packet.c
++++ b/g10/free-packet.c
+@@ -452,11 +452,14 @@ cmp_public_keys( PKT_public_key *a, PKT_public_key *b )
+ 	return -1;
+ 
+     n = pubkey_get_npkey( b->pubkey_algo );
+-    if( !n )
+-	return -1; /* can't compare due to unknown algorithm */
+-    for(i=0; i < n; i++ ) {
+-	if( mpi_cmp( a->pkey[i], b->pkey[i] ) )
++    if( !n ) { /* unknown algorithm, rest is in opaque MPI */
++	if( mpi_cmp( a->pkey[0], b->pkey[0] ) )
+ 	    return -1;
++    } else {
++	for(i=0; i < n; i++ ) {
++	    if( mpi_cmp( a->pkey[i], b->pkey[i] ) )
++		return -1;
++	}
+     }
+ 
+     return 0;
+@@ -479,11 +482,14 @@ cmp_secret_keys( PKT_secret_key *a, PKT_secret_key *b )
+ 	return -1;
+ 
+     n = pubkey_get_npkey( b->pubkey_algo );
+-    if( !n )
+-	return -1; /* can't compare due to unknown algorithm */
+-    for(i=0; i < n; i++ ) {
+-	if( mpi_cmp( a->skey[i], b->skey[i] ) )
++    if( !n ) { /* unknown algorithm, rest is in opaque MPI */
++	if( mpi_cmp( a->skey[0], b->skey[0] ) )
+ 	    return -1;
++    } else {
++	for(i=0; i < n; i++ ) {
++	    if( mpi_cmp( a->skey[i], b->skey[i] ) )
++		return -1;
++	}
+     }
+ 
+     return 0;
+diff --git a/mpi/mpi-cmp.c b/mpi/mpi-cmp.c
+index e119fad..3c1322a 100644
+--- a/mpi/mpi-cmp.c
++++ b/mpi/mpi-cmp.c
+@@ -20,6 +20,7 @@
+ #include <config.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <string.h>
+ #include "mpi-internal.h"
+ 
+ int
+@@ -49,6 +50,21 @@ mpi_cmp( MPI u, MPI v )
+     mpi_size_t usize, vsize;
+     int cmp;
+ 
++    if (mpi_is_opaque (u) || mpi_is_opaque (v))
++      {
++	if (mpi_is_opaque (u) && !mpi_is_opaque (v))
++	  return -1;
++	if (!mpi_is_opaque (u) && mpi_is_opaque (v))
++	  return 1;
++	if (!u->nbits && !v->nbits)
++	  return 0; /* Empty buffers are identical.  */
++	if (u->nbits < v->nbits)
++	  return -1;
++	if (u->nbits > v->nbits)
++	  return 1;
++	return memcmp (u->d, v->d, u->nbits);
++      }
++
+     mpi_normalize( u );
+     mpi_normalize( v );
+     usize = u->nlimbs;
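Review bot: In the mpi_cmp hunk, "return memcmp (u->d, v->d, u->nbits);" treats nbits of an opaque MPI as a byte count, and the preceding "if (u->nbits < v->nbits)" / "if (u->nbits > v->nbits)" checks order by that same field; the commit message says this backports libgcrypt 1.5.0's semantics, so please confirm that mpi_set_opaque in this 1.4 tree stores the buffer length (in bytes) in nbits, otherwise memcmp would read past the opaque buffer. The cmp_public_keys/cmp_secret_keys changes rely on the caller having already rejected mismatched pubkey_algo (the "return -1" context above the n = pubkey_get_npkey() line), so comparing only pkey[0]/skey[0] for an unknown algorithm is sound only under that assumption and worth a comment at the "unknown algorithm, rest is in opaque MPI" line. Note the behaviour change: previously two keys of an unknown algorithm always compared as different, so duplicates of a Curve25519 subkey could not be detected; now they compare by opaque content, which is the intended fix.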
diff --git a/debian/patches/series b/debian/patches/series
index 5f450c0..5fb7468 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -37,3 +37,4 @@ sync-docs-with-upstream.patch
 0042-Protect-against-NULL-return-of-mpi_get_opaque.patch
 0043-doc-Add-warning-note-about-not-acting-as-an-oracle-t.patch
 0044-mpi-Avoid-data-dependent-timing-variations-in-mpi_po.patch
+0045-g10-fix-cmp_public_key-and-cmp_secret_keys.patch
-- 
2.6.1


--- End Message ---
--- Begin Message ---
Version: 8.4

Hi,

The packages referenced by these bugs were included in today's stable
point release.

Regards,

Adam

--- End Message ---
