[Pkg-gnupg-commit] r302 - in /gnupg/trunk/debian: changelog patches/CVE-2012-6085.patch patches/series
thijs at users.alioth.debian.org
Wed Jan 2 18:53:53 UTC 2013
Author: thijs
Date: Wed Jan 2 18:53:52 2013
New Revision: 302
URL: http://svn.debian.org/wsvn/pkg-gnupg/?sc=1&rev=302
Log:
Apply upstream patch to fix memory and key database corruption
when importing with invalid keys (CVE-2012-6085, closes: #697108).
Added:
gnupg/trunk/debian/patches/CVE-2012-6085.patch
Modified:
gnupg/trunk/debian/changelog
gnupg/trunk/debian/patches/series
Modified: gnupg/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/trunk/debian/changelog?rev=302&op=diff
==============================================================================
--- gnupg/trunk/debian/changelog (original)
+++ gnupg/trunk/debian/changelog Wed Jan 2 18:53:52 2013
@@ -1,8 +1,9 @@
-gnupg (1.4.12-7) UNRELEASED; urgency=low
-
- * NOT RELEASED YET
-
- -- Daniel Leidert <dleidert at debian.org> Sun, 14 Oct 2012 20:55:36 +0200
+gnupg (1.4.12-7) unstable; urgency=high
+
+ * Apply upstream patch to fix memory and key database corruption
+ when importing with invalid keys (CVE-2012-6085, closes: #697108).
+
+ -- Thijs Kinkhorst <thijs at debian.org> Wed, 02 Jan 2013 19:48:36 +0100
gnupg (1.4.12-6) unstable; urgency=low
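Review bot: the new 1.4.12-7 entry does not name the patch file it introduces. Consider mentioning debian/patches/CVE-2012-6085.patch in the bullet so the changelog line can be matched to the series entry without reading the diff. The bump to urgency=high is consistent with the CVE reference in the entry.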
Added: gnupg/trunk/debian/patches/CVE-2012-6085.patch
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/trunk/debian/patches/CVE-2012-6085.patch?rev=302&op=file
==============================================================================
--- gnupg/trunk/debian/patches/CVE-2012-6085.patch (added)
+++ gnupg/trunk/debian/patches/CVE-2012-6085.patch Wed Jan 2 18:53:52 2013
@@ -1,0 +1,44 @@
+Origin: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blobdiff_plain;f=g10%2Fimport.c;h=90fc2d67885b1e31523cea70d3855a1d07951b0b;hp=21ada4197d892f7b3bbf3da95736d373e915664a;hb=f795a0d59e197455f8723c300eebf59e09853efa;hpb=5c557a51cdf37d9f50b3d5d7e11d17e6ea6bb2b8
+Description: Fix memory and key database corruption on importing invalid keys by rejecting invalid keyblock packet types.
+Applied-Upstream: yes
+Bug-Debian: http://bugs.debian.org/697108
+
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -343,6 +343,27 @@ import_print_stats (void *hd)
+ }
+
+
++/* Return true if PKTTYPE is valid in a keyblock. */
++static int
++valid_keyblock_packet (int pkttype)
++{
++ switch (pkttype)
++ {
++ case PKT_PUBLIC_KEY:
++ case PKT_PUBLIC_SUBKEY:
++ case PKT_SECRET_KEY:
++ case PKT_SECRET_SUBKEY:
++ case PKT_SIGNATURE:
++ case PKT_USER_ID:
++ case PKT_ATTRIBUTE:
++ case PKT_RING_TRUST:
++ return 1;
++ default:
++ return 0;
++ }
++}
++
++
+ /****************
+ * Read the next keyblock from stream A.
+ * PENDING_PKT should be initialzed to NULL
+@@ -420,7 +441,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root )
+ }
+ in_cert = 1;
+ default:
+- if( in_cert ) {
++ if (in_cert && valid_keyblock_packet (pkt->pkttype)) {
+ if( !root )
+ root = new_kbnode( pkt );
+ else
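Review bot: in the read_block change at `if (in_cert && valid_keyblock_packet (pkt->pkttype))`, a packet whose type is not on the allowlist is now skipped with no diagnostic in the visible lines, so an import that drops packets from a malformed key leaves no trace for the user. Consider logging the rejected pkt->pkttype, at least in verbose mode, on the path where the condition fails. The context ends before the closing brace of this `if`, so it is also worth confirming that the skipped pkt is released or reinitialised there rather than leaked. A sentence in the comment on valid_keyblock_packet saying that any new keyblock packet type must be added to its switch would help later maintainers.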
Modified: gnupg/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/trunk/debian/patches/series?rev=302&op=diff
==============================================================================
--- gnupg/trunk/debian/patches/series (original)
+++ gnupg/trunk/debian/patches/series Wed Jan 2 18:53:52 2013
@@ -1,1 +1,2 @@
685627_french_translation_update.patch
+CVE-2012-6085.patch