[Pkg-gnupg-commit] r378 - in /gnupg/branches/wheezy/debian: changelog patches/CVE-2012-6085.patch patches/CVE-2013-4242.patch patches/CVE-2013-4351.patch patches/CVE-2013-4402.patch patches/series
Wed Oct 9 16:08:22 UTC 2013
Author: thijs
Date: Wed Oct 9 16:08:21 2013
New Revision: 378
URL: http://svn.debian.org/wsvn/pkg-gnupg/?sc=1&rev=378
Log:
1.4.12-7+deb7u2 security upload
Added:
gnupg/branches/wheezy/debian/patches/CVE-2013-4351.patch
gnupg/branches/wheezy/debian/patches/CVE-2013-4402.patch
Modified:
gnupg/branches/wheezy/debian/changelog
gnupg/branches/wheezy/debian/patches/CVE-2012-6085.patch
gnupg/branches/wheezy/debian/patches/CVE-2013-4242.patch
gnupg/branches/wheezy/debian/patches/series
Modified: gnupg/branches/wheezy/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/branches/wheezy/debian/changelog?rev=378&op=diff
==============================================================================
--- gnupg/branches/wheezy/debian/changelog (original)
+++ gnupg/branches/wheezy/debian/changelog Wed Oct 9 16:08:21 2013
@@ -1,3 +1,12 @@
+gnupg (1.4.12-7+deb7u2) wheezy-security; urgency=high
+
+ * Apply upstream patch to fix infinite recursion in the
+ compressed packet parser (CVE-2013-4402, closes: #725439).
+ * Apply upstream patch to fix treating no-usage-permitted
+ keys as all-usages-permitted (CVE-2013-4351, closes: #722722).
+
+ -- Thijs Kinkhorst <thijs at debian.org> Wed, 09 Oct 2013 17:26:36 +0200
+
gnupg (1.4.12-7+deb7u1) wheezy-security; urgency=high
* Apply upstream patch to fix side channel attack on RSA
Modified: gnupg/branches/wheezy/debian/patches/CVE-2012-6085.patch
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/branches/wheezy/debian/patches/CVE-2012-6085.patch?rev=378&op=diff
==============================================================================
--- gnupg/branches/wheezy/debian/patches/CVE-2012-6085.patch (original)
+++ gnupg/branches/wheezy/debian/patches/CVE-2012-6085.patch Wed Oct 9 16:08:21 2013
@@ -5,7 +5,7 @@
--- a/g10/import.c
+++ b/g10/import.c
-@@ -343,6 +343,27 @@ import_print_stats (void *hd)
+@@ -343,6 +343,27 @@
}
@@ -33,7 +33,7 @@
/****************
* Read the next keyblock from stream A.
* PENDING_PKT should be initialzed to NULL
-@@ -420,7 +441,7 @@ read_block( IOBUF a, PACKET **pending_pkt, KBNODE *ret_root )
+@@ -420,7 +441,7 @@
}
in_cert = 1;
default:
Modified: gnupg/branches/wheezy/debian/patches/CVE-2013-4242.patch
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/branches/wheezy/debian/patches/CVE-2013-4242.patch?rev=378&op=diff
==============================================================================
--- gnupg/branches/wheezy/debian/patches/CVE-2013-4242.patch (original)
+++ gnupg/branches/wheezy/debian/patches/CVE-2013-4242.patch Wed Oct 9 16:08:21 2013
@@ -30,8 +30,6 @@
Signed-off-by: Werner Koch <wk at gnupg.org>
---
-diff --git a/mpi/mpi-pow.c b/mpi/mpi-pow.c
-index beb01f9..2253ea4 100644
--- a/mpi/mpi-pow.c
+++ b/mpi/mpi-pow.c
@@ -1,5 +1,6 @@
@@ -42,7 +40,7 @@
*
* This file is part of GnuPG.
*
-@@ -209,7 +210,14 @@ mpi_powm( MPI res, MPI base, MPI exponent, MPI mod)
+@@ -209,7 +210,14 @@
tp = rp; rp = xp; xp = tp;
rsize = xsize;
@@ -58,7 +56,7 @@
/*mpihelp_mul( xp, rp, rsize, bp, bsize );*/
if( bsize < KARATSUBA_THRESHOLD ) {
mpihelp_mul( xp, rp, rsize, bp, bsize );
-@@ -224,7 +232,8 @@ mpi_powm( MPI res, MPI base, MPI exponent, MPI mod)
+@@ -224,7 +232,8 @@
mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize);
xsize = msize;
}
Added: gnupg/branches/wheezy/debian/patches/CVE-2013-4351.patch
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/branches/wheezy/debian/patches/CVE-2013-4351.patch?rev=378&op=file
==============================================================================
--- gnupg/branches/wheezy/debian/patches/CVE-2013-4351.patch (added)
+++ gnupg/branches/wheezy/debian/patches/CVE-2013-4351.patch Wed Oct 9 16:08:21 2013
@@ -0,0 +1,49 @@
+From: Werner Koch <wk at gnupg.org>
+
+ gpg: Distinguish between missing and cleared key flags.
+
+ * include/cipher.h (PUBKEY_USAGE_NONE): New.
+ * g10/getkey.c (parse_key_usage): Set new flag.
+ --
+
+ We do not want to use the default capabilities (derived from the
+ algorithm) if any key flags are given in a signature. Thus if key
+ flags are used in any way, the default key capabilities are never
+ used.
+
+ This allows to create a key with key flags set to all zero so it can't
+ be used. This better reflects common sense.
+
+--- a/g10/getkey.c
++++ b/g10/getkey.c
+@@ -1494,13 +1494,19 @@
+
+ if(flags)
+ key_usage |= PUBKEY_USAGE_UNKNOWN;
++
++ if (!key_usage)
++ key_usage |= PUBKEY_USAGE_NONE;
+ }
++ else if (p) /* Key flags of length zero. */
++ key_usage |= PUBKEY_USAGE_NONE;
+
+ /* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
+ capability that we do not handle. This serves to distinguish
+ between a zero key usage which we handle as the default
+ capabilities for that algorithm, and a usage that we do not
+- handle. */
++ handle. Likewise we use PUBKEY_USAGE_NONE to indicate that
++ key_flags have been given but they do not specify any usage. */
+
+ return key_usage;
+ }
+--- a/include/cipher.h
++++ b/include/cipher.h
+@@ -57,6 +57,7 @@
+ #define PUBKEY_USAGE_CERT 4 /* key is also good to certify other keys*/
+ #define PUBKEY_USAGE_AUTH 8 /* key is good for authentication */
+ #define PUBKEY_USAGE_UNKNOWN 128 /* key has an unknown usage bit */
++#define PUBKEY_USAGE_NONE 256 /* No usage given. */
+
+ #define DIGEST_ALGO_MD5 1
+ #define DIGEST_ALGO_SHA1 2
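Review bot: CVE-2013-4351.patch carries only a `From:` line and the upstream commit message, with no commit id, date or Debian bug reference, whereas CVE-2013-4402.patch in the same upload records the upstream hash and date, and the changelog ties this fix to #722722. A DEP-3 header such as `Origin: upstream, commit:<UPSTREAM-COMMIT-ID>` followed by `Bug-Debian: http://bugs.debian.org/722722` would let a later maintainer verify the backport against upstream. On the code itself, the new `PUBKEY_USAGE_NONE` is the first usage bit above a byte (256, next to `PUBKEY_USAGE_UNKNOWN 128`); if any field that `key_usage` is later assigned to is byte-sized, that bit is silently dropped on assignment and the key would again look flagless, so the width of that destination is worth confirming — the callers of parse_key_usage are outside this patch.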
Added: gnupg/branches/wheezy/debian/patches/CVE-2013-4402.patch
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/branches/wheezy/debian/patches/CVE-2013-4402.patch?rev=378&op=file
==============================================================================
--- gnupg/branches/wheezy/debian/patches/CVE-2013-4402.patch (added)
+++ gnupg/branches/wheezy/debian/patches/CVE-2013-4402.patch Wed Oct 9 16:08:21 2013
@@ -0,0 +1,420 @@
+From d90a1d23404f482cc4a5a2b2ee0f296d67ff2227 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 2 Oct 2013 09:11:43 +0200
+Subject: [PATCH 1/2] gpg: Fix bug with deeply nested compressed packets.
+
+* g10/mainproc.c (MAX_NESTING_DEPTH): New.
+(proc_compressed): Return an error code.
+(check_nesting): New.
+(do_proc_packets): Check packet nesting depth. Handle errors from
+check_compressed.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ NEWS | 3 +++
+ g10/mainproc.c | 52 +++++++++++++++++++++++++++++++++++++++++++---------
+ 2 files changed, 46 insertions(+), 9 deletions(-)
+
+--- a/g10/mainproc.c
++++ b/g10/mainproc.c
+@@ -1,6 +1,7 @@
+ /* mainproc.c - handle packets
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
+ * 2008 Free Software Foundation, Inc.
++ * Copyright (C) 2013 Werner Koch
+ *
+ * This file is part of GnuPG.
+ *
+@@ -41,6 +42,11 @@
+ #include "photoid.h"
+
+
++/* Put an upper limit on nested packets. The 32 is an arbitrary
++ value, a much lower should actually be sufficient. */
++#define MAX_NESTING_DEPTH 32
++
++
+ struct kidlist_item {
+ struct kidlist_item *next;
+ u32 kid[2];
+@@ -784,7 +790,7 @@
+ return proc_encryption_packets( info, a );
+ }
+
+-static void
++static int
+ proc_compressed( CTX c, PACKET *pkt )
+ {
+ PKT_compressed *zd = pkt->pkt.compressed;
+@@ -803,6 +809,7 @@
+ log_error("uncompressing failed: %s\n", g10_errstr(rc));
+ free_packet(pkt);
+ c->last_was_session_key = 0;
++ return rc;
+ }
+
+ /****************
+@@ -1233,14 +1240,37 @@
+ }
+
+
+-int
++static int
++check_nesting (CTX c)
++{
++ int level;
++
++ for (level = 0; c; c = c->anchor)
++ level++;
++
++ if (level > MAX_NESTING_DEPTH)
++ {
++ log_error ("input data with too deeply nested packets\n");
++ write_status_text (STATUS_UNEXPECTED, "1");
++ return G10ERR_UNEXPECTED;
++ }
++ return 0;
++}
++
++
++static int
+ do_proc_packets( CTX c, IOBUF a )
+ {
+- PACKET *pkt = xmalloc( sizeof *pkt );
+- int rc=0;
+- int any_data=0;
++ PACKET *pkt;
++ int rc = 0;
++ int any_data = 0;
+ int newpkt;
+
++ rc = check_nesting (c);
++ if (rc)
++ return rc;
++
++ pkt = xmalloc( sizeof *pkt );
+ c->iobuf = a;
+ init_packet(pkt);
+ while( (rc=parse_packet(a, pkt)) != -1 ) {
+@@ -1260,7 +1290,7 @@
+ case PKT_SYMKEY_ENC: proc_symkey_enc( c, pkt ); break;
+ case PKT_ENCRYPTED:
+ case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break;
+- case PKT_COMPRESSED: proc_compressed( c, pkt ); break;
++ case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break;
+ default: newpkt = 0; break;
+ }
+ }
+@@ -1278,7 +1308,7 @@
+ goto leave;
+ case PKT_SIGNATURE: newpkt = add_signature( c, pkt ); break;
+ case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break;
+- case PKT_COMPRESSED: proc_compressed( c, pkt ); break;
++ case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break;
+ case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break;
+ case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
+ default: newpkt = 0; break;
+@@ -1298,7 +1328,7 @@
+ case PKT_ENCRYPTED:
+ case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break;
+ case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break;
+- case PKT_COMPRESSED: proc_compressed( c, pkt ); break;
++ case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break;
+ case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break;
+ case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
+ default: newpkt = 0; break;
+@@ -1323,13 +1353,17 @@
+ case PKT_ENCRYPTED:
+ case PKT_ENCRYPTED_MDC: proc_encrypted( c, pkt ); break;
+ case PKT_PLAINTEXT: proc_plaintext( c, pkt ); break;
+- case PKT_COMPRESSED: proc_compressed( c, pkt ); break;
++ case PKT_COMPRESSED: rc = proc_compressed( c, pkt ); break;
+ case PKT_ONEPASS_SIG: newpkt = add_onepass_sig( c, pkt ); break;
+ case PKT_GPG_CONTROL: newpkt = add_gpg_control(c, pkt); break;
+ case PKT_RING_TRUST: newpkt = add_ring_trust( c, pkt ); break;
+ default: newpkt = 0; break;
+ }
+ }
++
++ if (rc)
++ goto leave;
++
+ /* This is a very ugly construct and frankly, I don't remember why
+ * I used it. Adding the MDC check here is a hack.
+ * The right solution is to initiate another context for encrypted
+--- a/util/iobuf.c
++++ b/util/iobuf.c
+@@ -27,7 +27,7 @@
+ #include <assert.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+-#include <fcntl.h>
++#include <fcntl.h>
+ #include <unistd.h>
+ #ifdef HAVE_DOSISH_SYSTEM
+ #include <windows.h>
+@@ -41,13 +41,13 @@
+ #include "util.h"
+ #include "dynload.h"
+ #include "iobuf.h"
+-
++
+ #ifdef __VMS
+ # include "vms.h"
+ # define open open_vms
+ #endif /* def __VMS */
+
+-/* The size of the internal buffers.
++/* The size of the internal buffers.
+ NOTE: If you change this value you MUST also adjust the regression
+ test "armored_key_8192" and "nopad_armored_msg" in armor.test! */
+ #define IOBUF_BUFFER_SIZE 8192
+@@ -55,6 +55,11 @@
+
+ #undef FILE_FILTER_USES_STDIO
+
++/* To avoid a potential DoS with compression packets we better limit
++ the number of filters in a chain. */
++#define MAX_NESTING_FILTER 64
++
++
+ #ifdef HAVE_DOSISH_SYSTEM
+ #define USE_SETMODE 1
+ #endif
+@@ -76,8 +81,8 @@
+ } file_filter_ctx_t ;
+ #else
+ #define my_fileno(a) (a)
+-#define my_fopen_ro(a,b) fd_cache_open ((a),(b))
+-#define my_fopen(a,b) direct_open ((a),(b))
++#define my_fopen_ro(a,b) fd_cache_open ((a),(b))
++#define my_fopen(a,b) direct_open ((a),(b))
+ #ifdef HAVE_DOSISH_SYSTEM
+ typedef HANDLE FILEP_OR_FD;
+ #define INVALID_FP ((HANDLE)-1)
+@@ -99,7 +104,7 @@
+ char fname[1]; /* name of the file */
+ } file_filter_ctx_t ;
+
+- struct close_cache_s {
++ struct close_cache_s {
+ struct close_cache_s *next;
+ FILEP_OR_FD fp;
+ char fname[1];
+@@ -153,7 +158,7 @@
+ #ifdef HAVE_DOSISH_SYSTEM
+ for (; *a && *b; a++, b++)
+ {
+- if (*a != *b && !((*a == '/' && *b == '\\')
++ if (*a != *b && !((*a == '/' && *b == '\\')
+ || (*a == '\\' && *b == '/')) )
+ break;
+ }
+@@ -295,7 +300,7 @@
+ {
+ struct stat buf;
+ int rc = stat( fname, &buf );
+-
++
+ /* Don't allow iobufs on directories */
+ if( !rc && S_ISDIR(buf.st_mode) && !S_ISREG(buf.st_mode) )
+ return __set_errno( EISDIR );
+@@ -308,7 +313,7 @@
+
+
+ /*
+- * Instead of closing an FD we keep it open and cache it for later reuse
++ * Instead of closing an FD we keep it open and cache it for later reuse
+ * Note that this caching strategy only works if the process does not chdir.
+ */
+ static void
+@@ -471,8 +476,8 @@
+ if( control == IOBUFCTRL_UNDERFLOW ) {
+ assert( size ); /* need a buffer */
+ if ( a->eof_seen) {
+- rc = -1;
+- *ret_len = 0;
++ rc = -1;
++ *ret_len = 0;
+ }
+ else {
+ #ifdef HAVE_DOSISH_SYSTEM
+@@ -606,8 +611,8 @@
+ if( control == IOBUFCTRL_UNDERFLOW ) {
+ assert( size ); /* need a buffer */
+ if ( a->eof_seen) {
+- rc = -1;
+- *ret_len = 0;
++ rc = -1;
++ *ret_len = 0;
+ }
+ else {
+ int nread;
+@@ -1076,7 +1081,7 @@
+ fname += 2;
+ for (i=0; digitp (fname+i); i++ )
+ ;
+- if ( !fname[i] )
++ if ( !fname[i] )
+ return atoi (fname);
+ }
+ return -1;
+@@ -1189,7 +1194,7 @@
+ sock_filter( scx, IOBUFCTRL_INIT, NULL, NULL, &len );
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: sockopen `%s'\n", a->no, a->subno, scx->fname);
+- iobuf_ioctl (a,3,1,NULL); /* disable fd caching */
++ iobuf_ioctl (a,3,1,NULL); /* disable fd caching */
+ #else
+ a = iobuf_fdopen (fd, mode);
+ #endif
+@@ -1233,7 +1238,7 @@
+ file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
+ file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
+ if( DBG_IOBUF )
+- log_debug("iobuf-%d.%d: create `%s'\n", a->no, a->subno,
++ log_debug("iobuf-%d.%d: create `%s'\n", a->no, a->subno,
+ a->desc?a->desc:"?" );
+
+ return a;
+@@ -1267,7 +1272,7 @@
+ file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
+ file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
+ if( DBG_IOBUF )
+- log_debug("iobuf-%d.%d: append `%s'\n", a->no, a->subno,
++ log_debug("iobuf-%d.%d: append `%s'\n", a->no, a->subno,
+ a->desc?a->desc:"?" );
+
+ return a;
+@@ -1296,7 +1301,7 @@
+ file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
+ file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
+ if( DBG_IOBUF )
+- log_debug("iobuf-%d.%d: openrw `%s'\n", a->no, a->subno,
++ log_debug("iobuf-%d.%d: openrw `%s'\n", a->no, a->subno,
+ a->desc?a->desc:"?");
+
+ return a;
+@@ -1309,7 +1314,7 @@
+ if ( cmd == 1 ) { /* keep system filepointer/descriptor open */
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: ioctl `%s' keep=%d\n",
+- a? a->no:-1, a?a->subno:-1,
++ a? a->no:-1, a?a->subno:-1,
+ a&&a->desc?a->desc:"?", intval );
+ for( ; a; a = a->chain )
+ if( !a->chain && a->filter == file_filter ) {
+@@ -1339,7 +1344,7 @@
+ else if ( cmd == 3 ) { /* disallow/allow caching */
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: ioctl `%s' no_cache=%d\n",
+- a? a->no:-1, a?a->subno:-1,
++ a? a->no:-1, a?a->subno:-1,
+ a&&a->desc?a->desc:"?", intval );
+ for( ; a; a = a->chain )
+ if( !a->chain && a->filter == file_filter ) {
+@@ -1403,6 +1408,12 @@
+
+ if( a->use == 2 && (rc=iobuf_flush(a)) )
+ return rc;
++
++ if (a->subno >= MAX_NESTING_FILTER) {
++ log_error ("i/o filter too deeply nested - corrupted data?\n");
++ return G10ERR_UNEXPECTED;
++ }
++
+ /* make a copy of the current stream, so that
+ * A is the new stream and B the original one.
+ * The contents of the buffers are transferred to the
+@@ -1449,7 +1460,7 @@
+ f( ov, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &dummy_len );
+
+ if( DBG_IOBUF ) {
+- log_debug("iobuf-%d.%d: push `%s'\n", a->no, a->subno,
++ log_debug("iobuf-%d.%d: push `%s'\n", a->no, a->subno,
+ a->desc?a->desc:"?" );
+ print_chain( a );
+ }
+@@ -1921,7 +1932,7 @@
+ if (overflow)
+ *overflow = 0;
+
+- if (a->directfp)
++ if (a->directfp)
+ {
+ FILE *fp = a->directfp;
+
+@@ -1949,14 +1960,14 @@
+
+ #if defined(HAVE_DOSISH_SYSTEM) && !defined(FILE_FILTER_USES_STDIO)
+ ulong size;
+- static int (* __stdcall get_file_size_ex)
++ static int (* __stdcall get_file_size_ex)
+ (void *handle, LARGE_INTEGER *size);
+ static int get_file_size_ex_initialized;
+
+ if (!get_file_size_ex_initialized)
+ {
+ void *handle;
+-
++
+ handle = dlopen ("kernel32.dll", RTLD_LAZY);
+ if (handle)
+ {
+@@ -1974,14 +1985,14 @@
+ return a proper error in case a file is larger than
+ 4GB. */
+ LARGE_INTEGER size;
+-
++
+ if (get_file_size_ex (fp, &size))
+ {
+ if (!size.u.HighPart)
+ return size.u.LowPart;
+ if (overflow)
+ *overflow = 1;
+- return 0;
++ return 0;
+ }
+ }
+ else
+@@ -2007,7 +2018,7 @@
+
+ /* Return the file descriptor of the underlying file or -1 if it is
+ not available. */
+-int
++int
+ iobuf_get_fd (IOBUF a)
+ {
+ if (a->directfp)
+@@ -2260,7 +2271,7 @@
+ #ifdef _WIN32
+ {
+ int x;
+-
++
+ if ( fd <= 2 )
+ return fd; /* do not do this for error, stdin, stdout, stderr */
+
+@@ -2281,17 +2292,17 @@
+ translate_file_handle ( int fd, int for_write )
+ {
+ #ifdef _WIN32
+-#ifdef FILE_FILTER_USES_STDIO
++#ifdef FILE_FILTER_USES_STDIO
+ fd = iobuf_translate_file_handle (fd, for_write);
+ #else
+ {
+ int x;
+
+- if ( fd == 0 )
++ if ( fd == 0 )
+ x = (int)GetStdHandle (STD_INPUT_HANDLE);
+- else if (fd == 1)
++ else if (fd == 1)
+ x = (int)GetStdHandle (STD_OUTPUT_HANDLE);
+- else if (fd == 2)
++ else if (fd == 2)
+ x = (int)GetStdHandle (STD_ERROR_HANDLE);
+ else
+ x = fd;
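Review bot: The patch header does not describe what the body applies: the Subject says `[PATCH 1/2]` and the diffstat lists only NEWS and g10/mainproc.c, yet the body has no NEWS hunk and does carry a util/iobuf.c hunk (the `MAX_NESTING_FILTER` check in the push-filter path), which reads as a second upstream commit folded in. Either trim the header to match the body or add a DEP-3 note such as `Origin: upstream, commits d90a1d23404f482cc4a5a2b2ee0f296d67ff2227 and <SECOND-UPSTREAM-COMMIT-ID>` with `Bug-Debian: http://bugs.debian.org/725439` so the backport can be checked against upstream. Most of the util/iobuf.c hunks only strip trailing whitespace (the `#include <fcntl.h>`, `rc = -1;` and log_debug hunks), which buries the two functional hunks and makes the patch more fragile to apply on a wheezy tree; for a security backport those hunks can be dropped. In g10/mainproc.c, the new `if (rc) goto leave;` after the packet switch leaves the loop after proc_compressed has already called `free_packet(pkt)` on the same packet; the cleanup at `leave:` is outside this hunk, so it is worth confirming it tolerates a packet whose payload was already released.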
Modified: gnupg/branches/wheezy/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/branches/wheezy/debian/patches/series?rev=378&op=diff
==============================================================================
--- gnupg/branches/wheezy/debian/patches/series (original)
+++ gnupg/branches/wheezy/debian/patches/series Wed Oct 9 16:08:21 2013
@@ -1,3 +1,5 @@
685627_french_translation_update.patch
CVE-2012-6085.patch
CVE-2013-4242.patch
+CVE-2013-4402.patch
+CVE-2013-4351.patch