From c2ba8f2cf29157efabbfb1fc407d9a87fd49317c Mon Sep 17 00:00:00 2001 From: Saul Wold Date: Thu, 14 Feb 2013 15:55:12 -0800 Subject: [PATCH] gnupg: fix CVE-2012-6085 Code taken from Redhat [YOCTO #3813] (From OE-Core rev: 17f8e03ace51df6b94fdcb7e410acf79c7b046ce) Signed-off-by: Saul Wold Signed-off-by: Richard Purdie --- .../gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch | 63 ++++++++++++++++++++++ .../gnupg/gnupg-2.0.19/GnuPG2-CVE-2012-6085.patch | 63 ++++++++++++++++++++++ meta/recipes-support/gnupg/gnupg_1.4.7.bb | 3 +- meta/recipes-support/gnupg/gnupg_2.0.19.bb | 5 +- 4 files changed, 131 insertions(+), 3 deletions(-) create mode 100644 meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch create mode 100644 meta/recipes-support/gnupg/gnupg-2.0.19/GnuPG2-CVE-2012-6085.patch diff --git a/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch new file mode 100644 index 0000000..8b5d9a1 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch @@ -0,0 +1,63 @@ +commit f0b33b6fb8e0586e9584a7a409dcc31263776a67 +Author: Werner Koch +Date: Thu Dec 20 09:43:41 2012 +0100 + + gpg: Import only packets which are allowed in a keyblock. + + * g10/import.c (valid_keyblock_packet): New. + (read_block): Store only valid packets. + -- + + A corrupted key, which for example included a mangled public key + encrypted packet, used to corrupt the keyring. This change skips all + packets which are not allowed in a keyblock. + + GnuPG-bug-id: 1455 + + (cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa) + +Upstream-Status: Backport + +Signed-off-by: Saul Wold + +diff --git a/g10/import.c b/g10/import.c +index bfe02eb..a57b32e 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -384,6 +384,27 @@ import_print_stats (void *hd) + } + + ++/* Return true if PKTTYPE is valid in a keyblock. */ ++static int ++valid_keyblock_packet (int pkttype) ++{ ++ switch (pkttype) ++ { ++ case PKT_PUBLIC_KEY: ++ case PKT_PUBLIC_SUBKEY: ++ case PKT_SECRET_KEY: ++ case PKT_SECRET_SUBKEY: ++ case PKT_SIGNATURE: ++ case PKT_USER_ID: ++ case PKT_ATTRIBUTE: ++ case PKT_RING_TRUST: ++ return 1; ++ default: ++ return 0; ++ } ++} ++ ++ + /**************** + * Read the next keyblock from stream A. + * PENDING_PKT should be initialzed to NULL +@@ -461,7 +482,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root ) + } + in_cert = 1; + default: +- if( in_cert ) { ++ if (in_cert && valid_keyblock_packet (pkt->pkttype)) { + if( !root ) + root = new_kbnode( pkt ); + else diff --git a/meta/recipes-support/gnupg/gnupg-2.0.19/GnuPG2-CVE-2012-6085.patch b/meta/recipes-support/gnupg/gnupg-2.0.19/GnuPG2-CVE-2012-6085.patch new file mode 100644 index 0000000..64c3034 --- /dev/null +++ b/meta/recipes-support/gnupg/gnupg-2.0.19/GnuPG2-CVE-2012-6085.patch @@ -0,0 +1,63 @@ +commit 498882296ffac7987c644aaf2a0aa108a2925471 +Author: Werner Koch +Date: Thu Dec 20 09:43:41 2012 +0100 + + gpg: Import only packets which are allowed in a keyblock. + + * g10/import.c (valid_keyblock_packet): New. + (read_block): Store only valid packets. + -- + + A corrupted key, which for example included a mangled public key + encrypted packet, used to corrupt the keyring. This change skips all + packets which are not allowed in a keyblock. + + GnuPG-bug-id: 1455 + + (cherry-picked from commit 3a4b96e665fa639772854058737ee3d54ba0694e) + +Upstream-Status: Backport + +Signed-off-by: Saul Wold + +diff --git a/g10/import.c b/g10/import.c +index ba2439d..ad112d6 100644 +--- a/g10/import.c ++++ b/g10/import.c +@@ -347,6 +347,27 @@ import_print_stats (void *hd) + } + + ++/* Return true if PKTTYPE is valid in a keyblock. */ ++static int ++valid_keyblock_packet (int pkttype) ++{ ++ switch (pkttype) ++ { ++ case PKT_PUBLIC_KEY: ++ case PKT_PUBLIC_SUBKEY: ++ case PKT_SECRET_KEY: ++ case PKT_SECRET_SUBKEY: ++ case PKT_SIGNATURE: ++ case PKT_USER_ID: ++ case PKT_ATTRIBUTE: ++ case PKT_RING_TRUST: ++ return 1; ++ default: ++ return 0; ++ } ++} ++ ++ + /**************** + * Read the next keyblock from stream A. + * PENDING_PKT should be initialzed to NULL +@@ -424,7 +445,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root ) + } + in_cert = 1; + default: +- if( in_cert ) { ++ if (in_cert && valid_keyblock_packet (pkt->pkttype)) { + if( !root ) + root = new_kbnode( pkt ); + else diff --git a/meta/recipes-support/gnupg/gnupg_1.4.7.bb b/meta/recipes-support/gnupg/gnupg_1.4.7.bb index 41552b2..8c2f7f6 100644 --- a/meta/recipes-support/gnupg/gnupg_1.4.7.bb +++ b/meta/recipes-support/gnupg/gnupg_1.4.7.bb @@ -7,12 +7,13 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a" -PR = "r6" +PR = "r8" SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-${PV}.tar.bz2 \ file://long-long-thumb.patch \ file://configure.patch \ file://mips_gcc4.4.patch \ + file://GnuPG1-CVE-2012-6085.patch \ file://curl_typeof_fix_backport.patch" SRC_URI[md5sum] = "b06a141cca5cd1a55bbdd25ab833303c" diff --git a/meta/recipes-support/gnupg/gnupg_2.0.19.bb b/meta/recipes-support/gnupg/gnupg_2.0.19.bb index 996a8e8..8cd793b 100644 --- a/meta/recipes-support/gnupg/gnupg_2.0.19.bb +++ b/meta/recipes-support/gnupg/gnupg_2.0.19.bb @@ -7,11 +7,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949 \ DEPENDS = "${PTH} libassuan libksba zlib bzip2 readline libgcrypt" PTH = "pth" PTH_libc-uclibc = "npth" -PR = "r4" +PR = "r5" inherit autotools gettext -SRC_URI = "ftp://ftp.gnupg.org/gcrypt/${BPN}/${BPN}-${PV}.tar.bz2" +SRC_URI = "ftp://ftp.gnupg.org/gcrypt/${BPN}/${BPN}-${PV}.tar.bz2 \ + file://GnuPG2-CVE-2012-6085.patch" SRC_URI[md5sum] = "6a8589381ca1b0c1a921e9955f42b016" SRC_URI[sha256sum] = "efa23a8a925adb51c7d3b708c25b6d000300f5ce37de9bdec6453be7b419c622" -- 2.7.4