[Pkg-gnupg-commit] [gnupg1] 07/15: pull bugfix patches from upstream
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Aug 3 18:58:14 UTC 2016
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch experimental
in repository gnupg1.
commit dbb2080acc5f5f294064bbf2d08f720c9e23c4f4
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Wed Aug 3 10:05:15 2016 -0400
pull bugfix patches from upstream
---
.../0003-change-package-name-to-gnupg1.patch | 4 +-
...obuf-API-of-filter-function-for-alignment.patch | 452 +++++++++++++++++++++
...e-sign-extension-problem-with-newer-compi.patch | 299 ++++++++++++++
...ke-sure-to-have-the-directory-for-trustdb.patch | 143 +++++++
...0007-po-Fix-misleading-german-translation.patch | 25 ++
...-that-gpg-preset-passphrase-can-t-be-used.patch | 24 ++
...non-implemented-option-skip-hidden-recipi.patch | 39 ++
...another-race-condition-for-trustdb-access.patch | 52 +++
debian/patches/0011-g10-Fix-list-packets.patch | 87 ++++
.../patches/0012-g10-Fix-keysize-with-expert.patch | 29 ++
...-Tweak-default-options-for-extra-security.patch | 40 ++
debian/patches/series | 10 +
12 files changed, 1202 insertions(+), 2 deletions(-)
diff --git a/debian/patches/0003-change-package-name-to-gnupg1.patch b/debian/patches/0003-change-package-name-to-gnupg1.patch
index eb52d3e..a5bc274 100644
--- a/debian/patches/0003-change-package-name-to-gnupg1.patch
+++ b/debian/patches/0003-change-package-name-to-gnupg1.patch
@@ -9,10 +9,10 @@ We're moving to calling this gnupg1; this change should affect libexec
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
-index 92ae205..9d70e92 100644
+index f27bffa..4ee71e8 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -42,7 +42,7 @@ m4_define([mym4_betastring],
+@@ -39,7 +39,7 @@ m4_define([mym4_betastring],[])
m4_define([mym4_isgit],m4_if(mym4_betastring,[],[no],[yes]))
m4_define([mym4_full_version],[mym4_version[]mym4_betastring])
diff --git a/debian/patches/0004-g10-Fix-iobuf-API-of-filter-function-for-alignment.patch b/debian/patches/0004-g10-Fix-iobuf-API-of-filter-function-for-alignment.patch
new file mode 100644
index 0000000..7c5f106
--- /dev/null
+++ b/debian/patches/0004-g10-Fix-iobuf-API-of-filter-function-for-alignment.patch
@@ -0,0 +1,452 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Tue, 26 Jan 2016 15:38:27 +0900
+Subject: g10: Fix iobuf API of filter function for alignment.
+
+* include/iobuf.h (struct iobuf_struct): Remove DESC.
+* util/iobuf.c (iobuf_desc): New.
+(print_chain, iobuf_close, iobuf_open, iobuf_fdopen, iobuf_sockopen)
+(iobuf_create, iobuf_append, iobuf_openrw, iobuf_ioctl)
+(iobuf_push_filter2, pop_filter, underflow): Use iobuf_desc.
+(file_filter, sock_filter, block_filter): Fill the description.
+* g10/armor.c, g10/cipher.c, g10/compress-bz2.c, g10/compress.c,
+g10/encode.c, g10/encr-data.c, g10/mdfilter.c, g10/pipemode.c,
+g10/progress.c, g10/textfilter.c: Likewise.
+
+--
+
+Newer GCC warns against possible alignment difference of pointers.
+This change can silence those warnings.
+
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+
+(backported from 2.1 commit 3f52c7da3940ec06572270d511000dc7fe9c27d2)
+---
+ g10/armor.c | 2 +-
+ g10/cipher.c | 2 +-
+ g10/compress-bz2.c | 2 +-
+ g10/compress.c | 2 +-
+ g10/encode.c | 2 +-
+ g10/encr-data.c | 4 +--
+ g10/mdfilter.c | 2 +-
+ g10/pipemode.c | 2 +-
+ g10/progress.c | 2 +-
+ g10/textfilter.c | 2 +-
+ include/iobuf.h | 1 -
+ util/iobuf.c | 74 +++++++++++++++++++++++++++++++++---------------------
+ 12 files changed, 56 insertions(+), 41 deletions(-)
+
+diff --git a/g10/armor.c b/g10/armor.c
+index be03692..1ae3c60 100644
+--- a/g10/armor.c
++++ b/g10/armor.c
+@@ -1300,7 +1300,7 @@ armor_filter( void *opaque, int control,
+ release_armor_context (afx);
+ }
+ else if( control == IOBUFCTRL_DESC )
+- *(char**)buf = "armor_filter";
++ mem2str (buf, "armor_filter", *ret_len);
+ return rc;
+ }
+
+diff --git a/g10/cipher.c b/g10/cipher.c
+index 0c51100..45e1963 100644
+--- a/g10/cipher.c
++++ b/g10/cipher.c
+@@ -145,7 +145,7 @@ cipher_filter( void *opaque, int control,
+ cipher_close(cfx->cipher_hd);
+ }
+ else if( control == IOBUFCTRL_DESC ) {
+- *(char**)buf = "cipher_filter";
++ mem2str (buf, "cipher_filter", *ret_len);
+ }
+ return rc;
+ }
+diff --git a/g10/compress-bz2.c b/g10/compress-bz2.c
+index baef92f..6c5bd66 100644
+--- a/g10/compress-bz2.c
++++ b/g10/compress-bz2.c
+@@ -247,6 +247,6 @@ compress_filter_bz2( void *opaque, int control,
+ zfx->release (zfx);
+ }
+ else if( control == IOBUFCTRL_DESC )
+- *(char**)buf = "compress_filter";
++ mem2str (buf, "compress_filter", *ret_len);
+ return rc;
+ }
+diff --git a/g10/compress.c b/g10/compress.c
+index 07c9e5e..4598aff 100644
+--- a/g10/compress.c
++++ b/g10/compress.c
+@@ -295,7 +295,7 @@ compress_filter( void *opaque, int control,
+ zfx->release (zfx);
+ }
+ else if( control == IOBUFCTRL_DESC )
+- *(char**)buf = "compress_filter";
++ mem2str (buf, "compress_filter", *ret_len);
+ return rc;
+ }
+
+diff --git a/g10/encode.c b/g10/encode.c
+index a579c42..93c70a7 100644
+--- a/g10/encode.c
++++ b/g10/encode.c
+@@ -736,7 +736,7 @@ encrypt_filter( void *opaque, int control,
+ xfree(efx->symkey_s2k);
+ }
+ else if( control == IOBUFCTRL_DESC ) {
+- *(char**)buf = "encrypt_filter";
++ mem2str (buf, "encrypt_filter", *ret_len);
+ }
+ return rc;
+ }
+diff --git a/g10/encr-data.c b/g10/encr-data.c
+index c65aa11..baa0606 100644
+--- a/g10/encr-data.c
++++ b/g10/encr-data.c
+@@ -300,7 +300,7 @@ mdc_decode_filter( void *opaque, int control, IOBUF a,
+ release_dfx_context (dfx);
+ }
+ else if( control == IOBUFCTRL_DESC ) {
+- *(char**)buf = "mdc_decode_filter";
++ mem2str (buf, "mdc_decode_filter", *ret_len);
+ }
+ return rc;
+ }
+@@ -329,7 +329,7 @@ decode_filter( void *opaque, int control, IOBUF a, byte *buf, size_t *ret_len)
+ release_dfx_context (fc);
+ }
+ else if( control == IOBUFCTRL_DESC ) {
+- *(char**)buf = "decode_filter";
++ mem2str (buf, "decode_filter", *ret_len);
+ }
+ return rc;
+ }
+diff --git a/g10/mdfilter.c b/g10/mdfilter.c
+index 9c0059e..bb47f98 100644
+--- a/g10/mdfilter.c
++++ b/g10/mdfilter.c
+@@ -58,7 +58,7 @@ md_filter( void *opaque, int control,
+ *ret_len = i;
+ }
+ else if( control == IOBUFCTRL_DESC )
+- *(char**)buf = "md_filter";
++ mem2str (buf, "md_filter", *ret_len);
+ return rc;
+ }
+
+diff --git a/g10/pipemode.c b/g10/pipemode.c
+index 077f967..60c8020 100644
+--- a/g10/pipemode.c
++++ b/g10/pipemode.c
+@@ -281,7 +281,7 @@ pipemode_filter( void *opaque, int control,
+ *ret_len = n;
+ }
+ else if( control == IOBUFCTRL_DESC )
+- *(char**)buf = "pipemode_filter";
++ mem2str (buf, "pipemode_filter", *ret_len);
+ return rc;
+ }
+
+diff --git a/g10/progress.c b/g10/progress.c
+index 8c8265f..cea080c 100644
+--- a/g10/progress.c
++++ b/g10/progress.c
+@@ -91,7 +91,7 @@ progress_filter (void *opaque, int control,
+ pfx->what = NULL;
+ }
+ else if (control == IOBUFCTRL_DESC)
+- *(char**)buf = "progress_filter";
++ mem2str (buf, "progress_filter", *ret_len);
+ return rc;
+ }
+
+diff --git a/g10/textfilter.c b/g10/textfilter.c
+index dc72a56..79f2f67 100644
+--- a/g10/textfilter.c
++++ b/g10/textfilter.c
+@@ -150,7 +150,7 @@ text_filter( void *opaque, int control,
+ tfx->buffer = NULL;
+ }
+ else if( control == IOBUFCTRL_DESC )
+- *(char**)buf = "text_filter";
++ mem2str (buf, "text_filter", *ret_len);
+ return rc;
+ }
+
+diff --git a/include/iobuf.h b/include/iobuf.h
+index 9515a0e..030f8c8 100644
+--- a/include/iobuf.h
++++ b/include/iobuf.h
+@@ -59,7 +59,6 @@ struct iobuf_struct {
+ char *real_fname;
+ IOBUF chain; /* next iobuf used for i/o if any (passed to filter) */
+ int no, subno;
+- const char *desc;
+ void *opaque; /* can be used to hold any information */
+ /* this value is copied to all instances */
+ struct {
+diff --git a/util/iobuf.c b/util/iobuf.c
+index a330460..539356e 100644
+--- a/util/iobuf.c
++++ b/util/iobuf.c
+@@ -459,7 +459,7 @@ file_filter(void *opaque, int control, IOBUF chain, byte *buf, size_t *ret_len)
+ a->keep_open = a->no_cache = 0;
+ }
+ else if( control == IOBUFCTRL_DESC ) {
+- *(char**)buf = "file_filter";
++ mem2str (buf, "file_filter", *ret_len);
+ }
+ else if( control == IOBUFCTRL_FREE ) {
+ if( f != stdin && f != stdout ) {
+@@ -572,7 +572,7 @@ file_filter(void *opaque, int control, IOBUF chain, byte *buf, size_t *ret_len)
+ a->no_cache = 0;
+ }
+ else if ( control == IOBUFCTRL_DESC ) {
+- *(char**)buf = "file_filter(fd)";
++ mem2str (buf, "file_filter(fd)", *ret_len);
+ }
+ else if ( control == IOBUFCTRL_FREE ) {
+ #ifdef HAVE_DOSISH_SYSTEM
+@@ -660,7 +660,7 @@ sock_filter (void *opaque, int control, IOBUF chain, byte *buf, size_t *ret_len)
+ a->no_cache = 0;
+ }
+ else if ( control == IOBUFCTRL_DESC ) {
+- *(char**)buf = "sock_filter";
++ mem2str (buf, "sock_filter", *ret_len);
+ }
+ else if ( control == IOBUFCTRL_FREE ) {
+ if (!a->keep_open)
+@@ -852,7 +852,7 @@ block_filter(void *opaque, int control, IOBUF chain, byte *buf, size_t *ret_len)
+ a->buflen = 0;
+ }
+ else if( control == IOBUFCTRL_DESC ) {
+- *(char**)buf = "block_filter";
++ mem2str (buf, "block_filter", *ret_len);
+ }
+ else if( control == IOBUFCTRL_FREE ) {
+ if( a->use == 2 ) { /* write the end markers */
+@@ -906,6 +906,24 @@ block_filter(void *opaque, int control, IOBUF chain, byte *buf, size_t *ret_len)
+ return rc;
+ }
+
++#define MAX_IOBUF_DESC 32
++/*
++ * Fill the buffer by the description of iobuf A.
++ * The buffer size should be MAX_IOBUF_DESC (or larger).
++ * Returns BUF as (const char *).
++ */
++static const char *
++iobuf_desc (iobuf_t a, byte *buf)
++{
++ size_t len = MAX_IOBUF_DESC;
++
++ if (! a || ! a->filter)
++ memcpy (buf, "?", 2);
++ else
++ a->filter (a->filter_ov, IOBUFCTRL_DESC, NULL, buf, &len);
++
++ return buf;
++}
+
+ static void
+ print_chain( IOBUF a )
+@@ -913,16 +931,11 @@ print_chain( IOBUF a )
+ if( !DBG_IOBUF )
+ return;
+ for(; a; a = a->chain ) {
+- size_t dummy_len = 0;
+- const char *desc = "[none]";
+-
+- if( a->filter )
+- a->filter( a->filter_ov, IOBUFCTRL_DESC, NULL,
+- (byte*)&desc, &dummy_len );
++ byte desc[MAX_IOBUF_DESC];
+
+ log_debug("iobuf chain: %d.%d `%s' filter_eof=%d start=%d len=%d\n",
+- a->no, a->subno, desc?desc:"?", a->filter_eof,
+- (int)a->d.start, (int)a->d.len );
++ a->no, a->subno, iobuf_desc (a, desc), a->filter_eof,
++ (int)a->d.start, (int)a->d.len );
+ }
+ }
+
+@@ -971,13 +984,14 @@ iobuf_close ( IOBUF a )
+ }
+
+ for( ; a && !rc ; a = a2 ) {
++ byte desc[MAX_IOBUF_DESC];
+ a2 = a->chain;
+ if( a->use == 2 && (rc=iobuf_flush(a)) )
+ log_error("iobuf_flush failed on close: %s\n", g10_errstr(rc));
+
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: close `%s'\n", a->no, a->subno,
+- a->desc?a->desc:"?");
++ iobuf_desc (a, desc));
+ if( a->filter && (rc = a->filter(a->filter_ov, IOBUFCTRL_FREE,
+ a->chain, NULL, &dummy_len)) )
+ log_error("IOBUFCTRL_FREE failed on close: %s\n", g10_errstr(rc) );
+@@ -1132,7 +1146,6 @@ iobuf_open( const char *fname )
+ a->real_fname = xstrdup( fname );
+ a->filter = file_filter;
+ a->filter_ov = fcx;
+- file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
+ file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: open `%s' fd=%d\n",
+@@ -1166,7 +1179,6 @@ iobuf_fdopen( int fd, const char *mode )
+ sprintf(fcx->fname, "[fd %d]", fd );
+ a->filter = file_filter;
+ a->filter_ov = fcx;
+- file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
+ file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: fdopen `%s'\n", a->no, a->subno, fcx->fname );
+@@ -1190,7 +1202,6 @@ iobuf_sockopen ( int fd, const char *mode )
+ sprintf(scx->fname, "[sock %d]", fd );
+ a->filter = sock_filter;
+ a->filter_ov = scx;
+- sock_filter( scx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
+ sock_filter( scx, IOBUFCTRL_INIT, NULL, NULL, &len );
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: sockopen `%s'\n", a->no, a->subno, scx->fname);
+@@ -1213,6 +1224,7 @@ iobuf_create( const char *fname )
+ size_t len;
+ int print_only = 0;
+ int fd;
++ byte desc[MAX_IOBUF_DESC];
+
+ if( !fname || (*fname=='-' && !fname[1]) ) {
+ fp = FILEP_OR_FD_FOR_STDOUT;
+@@ -1235,11 +1247,10 @@ iobuf_create( const char *fname )
+ a->real_fname = xstrdup( fname );
+ a->filter = file_filter;
+ a->filter_ov = fcx;
+- file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
+ file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: create `%s'\n", a->no, a->subno,
+- a->desc?a->desc:"?" );
++ iobuf_desc (a, desc));
+
+ return a;
+ }
+@@ -1257,6 +1268,7 @@ iobuf_append( const char *fname )
+ FILE *fp;
+ file_filter_ctx_t *fcx;
+ size_t len;
++ byte desc[MAX_IOBUF_DESC];
+
+ if( !fname )
+ return NULL;
+@@ -1269,11 +1281,10 @@ iobuf_append( const char *fname )
+ a->real_fname = xstrdup( fname );
+ a->filter = file_filter;
+ a->filter_ov = fcx;
+- file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
+ file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: append `%s'\n", a->no, a->subno,
+- a->desc?a->desc:"?" );
++ iobuf_desc (a, desc));
+
+ return a;
+ }
+@@ -1286,6 +1297,7 @@ iobuf_openrw( const char *fname )
+ FILEP_OR_FD fp;
+ file_filter_ctx_t *fcx;
+ size_t len;
++ byte desc[MAX_IOBUF_DESC];
+
+ if( !fname )
+ return NULL;
+@@ -1298,11 +1310,10 @@ iobuf_openrw( const char *fname )
+ a->real_fname = xstrdup( fname );
+ a->filter = file_filter;
+ a->filter_ov = fcx;
+- file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
+ file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: openrw `%s'\n", a->no, a->subno,
+- a->desc?a->desc:"?");
++ iobuf_desc (a, desc));
+
+ return a;
+ }
+@@ -1311,11 +1322,13 @@ iobuf_openrw( const char *fname )
+ int
+ iobuf_ioctl ( IOBUF a, int cmd, int intval, void *ptrval )
+ {
++ byte desc[MAX_IOBUF_DESC];
++
+ if ( cmd == 1 ) { /* keep system filepointer/descriptor open */
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: ioctl `%s' keep=%d\n",
+ a? a->no:-1, a?a->subno:-1,
+- a&&a->desc?a->desc:"?", intval );
++ iobuf_desc (a, desc), intval );
+ for( ; a; a = a->chain )
+ if( !a->chain && a->filter == file_filter ) {
+ file_filter_ctx_t *b = a->filter_ov;
+@@ -1345,7 +1358,7 @@ iobuf_ioctl ( IOBUF a, int cmd, int intval, void *ptrval )
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: ioctl `%s' no_cache=%d\n",
+ a? a->no:-1, a?a->subno:-1,
+- a&&a->desc?a->desc:"?", intval );
++ iobuf_desc (a, desc), intval );
+ for( ; a; a = a->chain )
+ if( !a->chain && a->filter == file_filter ) {
+ file_filter_ctx_t *b = a->filter_ov;
+@@ -1457,11 +1470,12 @@ iobuf_push_filter2( IOBUF a,
+ a->filter_ov_owner = rel_ov;
+
+ a->subno = b->subno + 1;
+- f( ov, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &dummy_len );
+
+ if( DBG_IOBUF ) {
++ byte desc[MAX_IOBUF_DESC];
++
+ log_debug("iobuf-%d.%d: push `%s'\n", a->no, a->subno,
+- a->desc?a->desc:"?" );
++ iobuf_desc (a, desc));
+ print_chain( a );
+ }
+
+@@ -1482,13 +1496,14 @@ pop_filter( IOBUF a, int (*f)(void *opaque, int control,
+ IOBUF b;
+ size_t dummy_len=0;
+ int rc=0;
++ byte desc[MAX_IOBUF_DESC];
+
+ if( a->directfp )
+ BUG();
+
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: pop `%s'\n", a->no, a->subno,
+- a->desc?a->desc:"?" );
++ iobuf_desc (a, desc));
+ if( !a->filter ) { /* this is simple */
+ b = a->chain;
+ assert(b);
+@@ -1563,10 +1578,12 @@ underflow(IOBUF a)
+
+ if( a->filter_eof ) {
+ if( a->chain ) {
++ byte desc[MAX_IOBUF_DESC];
++
+ IOBUF b = a->chain;
+ if( DBG_IOBUF )
+ log_debug("iobuf-%d.%d: pop `%s' in underflow\n",
+- a->no, a->subno, a->desc?a->desc:"?" );
++ a->no, a->subno, iobuf_desc (a, desc) );
+ xfree(a->d.buf);
+ xfree(a->real_fname);
+ memcpy(a, b, sizeof *a);
+@@ -1625,7 +1642,6 @@ underflow(IOBUF a)
+ a->filter_ov = NULL;
+ }
+ a->filter = NULL;
+- a->desc = NULL;
+ a->filter_ov = NULL;
+ a->filter_eof = 1;
+ if( !len && a->chain ) {
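Review bot: in the new iobuf_desc() in util/iobuf.c, the caller's `byte desc[MAX_IOBUF_DESC]` reaches the filter uninitialized and the filter's return value is ignored, so a filter that does not handle IOBUFCTRL_DESC leaves stack contents that log_debug then prints with `%s`. The removed print_chain code started from a "[none]" default; keep an equivalent by doing `memcpy (buf, "?", 2);` unconditionally before the `a->filter (...)` call instead of only in the no-filter branch. Two smaller points in the same function: `return buf;` hands a `byte *` back as `const char *` without the cast the comment promises, which may draw the kind of pointer warning this patch sets out to silence, and every filter now trusts `*ret_len` as the destination size in `mem2str (buf, "...", *ret_len)`. That contract deserves a comment, since print_chain used to pass a zero dummy_len for this control code.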
diff --git a/debian/patches/0005-Fix-possible-sign-extension-problem-with-newer-compi.patch b/debian/patches/0005-Fix-possible-sign-extension-problem-with-newer-compi.patch
new file mode 100644
index 0000000..ee089e4
--- /dev/null
+++ b/debian/patches/0005-Fix-possible-sign-extension-problem-with-newer-compi.patch
@@ -0,0 +1,299 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 1 Feb 2016 18:06:14 +0100
+Subject: Fix possible sign extension problem with newer compilers.
+
+* cipher/des.c (READ_64BIT_DATA): Cast to u32 before shifting by 24.
+* cipher/blowfish.c (do_encrypt_block): Ditto.
+(do_decrypt_block): Ditto.
+* cipher/camellia.c (CAMELLIA_RR8): Ditto.
+* cipher/cast5.c (do_encrypt_block): Ditto.
+(do_decrypt_block): Ditto.
+(do_cast_setkey): Ditto.
+* cipher/twofish.c (INPACK): Ditto.
+* util/iobuf.c (block_filter): Ditto.
+--
+
+For cipher/des.c
+Reported-by: Balint Reczey <balint at balintreczey.hu>
+
+See commit 57af33d9e7c9b20b413b96882e670e75a67a5e65 for details.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ cipher/blowfish.c | 10 +++++-----
+ cipher/camellia.c | 28 ++++++++++++++--------------
+ cipher/cast5.c | 18 +++++++++---------
+ cipher/des.c | 20 ++++++++++----------
+ cipher/twofish.c | 6 +++---
+ util/iobuf.c | 2 +-
+ 6 files changed, 42 insertions(+), 42 deletions(-)
+
+diff --git a/cipher/blowfish.c b/cipher/blowfish.c
+index 61cd2b7..e421099 100644
+--- a/cipher/blowfish.c
++++ b/cipher/blowfish.c
+@@ -278,7 +278,7 @@ static void
+ burn_stack (int bytes)
+ {
+ char buf[64];
+-
++
+ wipememory(buf,sizeof buf);
+ bytes -= sizeof buf;
+ if (bytes > 0)
+@@ -424,8 +424,8 @@ do_encrypt_block( BLOWFISH_context *bc, byte *outbuf, const byte *inbuf )
+ {
+ u32 d1, d2;
+
+- d1 = inbuf[0] << 24 | inbuf[1] << 16 | inbuf[2] << 8 | inbuf[3];
+- d2 = inbuf[4] << 24 | inbuf[5] << 16 | inbuf[6] << 8 | inbuf[7];
++ d1 = (u32)inbuf[0] << 24 | inbuf[1] << 16 | inbuf[2] << 8 | inbuf[3];
++ d2 = (u32)inbuf[4] << 24 | inbuf[5] << 16 | inbuf[6] << 8 | inbuf[7];
+ do_encrypt( bc, &d1, &d2 );
+ outbuf[0] = (d1 >> 24) & 0xff;
+ outbuf[1] = (d1 >> 16) & 0xff;
+@@ -449,8 +449,8 @@ do_decrypt_block( BLOWFISH_context *bc, byte *outbuf, const byte *inbuf )
+ {
+ u32 d1, d2;
+
+- d1 = inbuf[0] << 24 | inbuf[1] << 16 | inbuf[2] << 8 | inbuf[3];
+- d2 = inbuf[4] << 24 | inbuf[5] << 16 | inbuf[6] << 8 | inbuf[7];
++ d1 = (u32)inbuf[0] << 24 | inbuf[1] << 16 | inbuf[2] << 8 | inbuf[3];
++ d2 = (u32)inbuf[4] << 24 | inbuf[5] << 16 | inbuf[6] << 8 | inbuf[7];
+ decrypt( bc, &d1, &d2 );
+ outbuf[0] = (d1 >> 24) & 0xff;
+ outbuf[1] = (d1 >> 16) & 0xff;
+diff --git a/cipher/camellia.c b/cipher/camellia.c
+index 1a204e1..a03266e 100644
+--- a/cipher/camellia.c
++++ b/cipher/camellia.c
+@@ -18,7 +18,7 @@
+ */
+
+ /*
+- * Algorithm Specification
++ * Algorithm Specification
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html
+ */
+
+@@ -77,7 +77,7 @@ typedef unsigned char u8;
+ #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1])
+
+ /* rotation right shift 1byte */
+-#define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24))
++#define CAMELLIA_RR8(x) (((x) >> 8) + ((u32)(x) << 24))
+ /* rotation left shift 1bit */
+ #define CAMELLIA_RL1(x) (((x) << 1) + ((x) >> 31))
+ /* rotation left shift 1byte */
+@@ -936,7 +936,7 @@ void camellia_setup256(const unsigned char *key, u32 *subkey)
+ CamelliaSubkeyR(30) = CamelliaSubkeyL(30) ^ dw, CamelliaSubkeyL(30) = dw;
+ dw = CamelliaSubkeyL(31) ^ CamelliaSubkeyR(31), dw = CAMELLIA_RL8(dw);
+ CamelliaSubkeyR(31) = CamelliaSubkeyL(31) ^ dw,CamelliaSubkeyL(31) = dw;
+-
++
+ return;
+ }
+
+@@ -1048,14 +1048,14 @@ void camellia_encrypt128(const u32 *subkey, u32 *io)
+ io[1] = io[3];
+ io[2] = t0;
+ io[3] = t1;
+-
++
+ return;
+ }
+
+ void camellia_decrypt128(const u32 *subkey, u32 *io)
+ {
+ u32 il,ir,t0,t1; /* temporary valiables */
+-
++
+ /* pre whitening but absorb kw2*/
+ io[0] ^= CamelliaSubkeyL(24);
+ io[1] ^= CamelliaSubkeyR(24);
+@@ -1266,7 +1266,7 @@ void camellia_decrypt256(const u32 *subkey, u32 *io)
+ /* pre whitening but absorb kw2*/
+ io[0] ^= CamelliaSubkeyL(32);
+ io[1] ^= CamelliaSubkeyR(32);
+-
++
+ /* main iteration */
+ CAMELLIA_ROUNDSM(io[0],io[1],
+ CamelliaSubkeyL(31),CamelliaSubkeyR(31),
+@@ -1378,8 +1378,8 @@ void camellia_decrypt256(const u32 *subkey, u32 *io)
+ * API for compatibility
+ */
+
+-void Camellia_Ekeygen(const int keyBitLength,
+- const unsigned char *rawKey,
++void Camellia_Ekeygen(const int keyBitLength,
++ const unsigned char *rawKey,
+ KEY_TABLE_TYPE keyTable)
+ {
+ switch(keyBitLength) {
+@@ -1398,9 +1398,9 @@ void Camellia_Ekeygen(const int keyBitLength,
+ }
+
+
+-void Camellia_EncryptBlock(const int keyBitLength,
+- const unsigned char *plaintext,
+- const KEY_TABLE_TYPE keyTable,
++void Camellia_EncryptBlock(const int keyBitLength,
++ const unsigned char *plaintext,
++ const KEY_TABLE_TYPE keyTable,
+ unsigned char *ciphertext)
+ {
+ u32 tmp[4];
+@@ -1429,9 +1429,9 @@ void Camellia_EncryptBlock(const int keyBitLength,
+ PUTU32(ciphertext + 12, tmp[3]);
+ }
+
+-void Camellia_DecryptBlock(const int keyBitLength,
+- const unsigned char *ciphertext,
+- const KEY_TABLE_TYPE keyTable,
++void Camellia_DecryptBlock(const int keyBitLength,
++ const unsigned char *ciphertext,
++ const KEY_TABLE_TYPE keyTable,
+ unsigned char *plaintext)
+ {
+ u32 tmp[4];
+diff --git a/cipher/cast5.c b/cipher/cast5.c
+index ed8c738..8d46f1a 100644
+--- a/cipher/cast5.c
++++ b/cipher/cast5.c
+@@ -353,7 +353,7 @@ static void
+ burn_stack (int bytes)
+ {
+ char buf[64];
+-
++
+ wipememory(buf,sizeof buf);
+ bytes -= sizeof buf;
+ if (bytes > 0)
+@@ -375,8 +375,8 @@ do_encrypt_block( CAST5_context *c, byte *outbuf, const byte *inbuf )
+ /* (L0,R0) <-- (m1...m64). (Split the plaintext into left and
+ * right 32-bit halves L0 = m1...m32 and R0 = m33...m64.)
+ */
+- l = inbuf[0] << 24 | inbuf[1] << 16 | inbuf[2] << 8 | inbuf[3];
+- r = inbuf[4] << 24 | inbuf[5] << 16 | inbuf[6] << 8 | inbuf[7];
++ l = (u32)inbuf[0] << 24 | inbuf[1] << 16 | inbuf[2] << 8 | inbuf[3];
++ r = (u32)inbuf[4] << 24 | inbuf[5] << 16 | inbuf[6] << 8 | inbuf[7];
+
+ /* (16 rounds) for i from 1 to 16, compute Li and Ri as follows:
+ * Li = Ri-1;
+@@ -433,8 +433,8 @@ do_decrypt_block (CAST5_context *c, byte *outbuf, const byte *inbuf )
+ Km = c->Km;
+ Kr = c->Kr;
+
+- l = inbuf[0] << 24 | inbuf[1] << 16 | inbuf[2] << 8 | inbuf[3];
+- r = inbuf[4] << 24 | inbuf[5] << 16 | inbuf[6] << 8 | inbuf[7];
++ l = (u32)inbuf[0] << 24 | inbuf[1] << 16 | inbuf[2] << 8 | inbuf[3];
++ r = (u32)inbuf[4] << 24 | inbuf[5] << 16 | inbuf[6] << 8 | inbuf[7];
+
+ t = l; l = r; r = t ^ F1(r, Km[15], Kr[15]);
+ t = l; l = r; r = t ^ F3(r, Km[14], Kr[14]);
+@@ -588,10 +588,10 @@ do_cast_setkey( CAST5_context *c, const byte *key, unsigned keylen )
+ if( keylen != 16 )
+ return G10ERR_WRONG_KEYLEN;
+
+- x[0] = key[0] << 24 | key[1] << 16 | key[2] << 8 | key[3];
+- x[1] = key[4] << 24 | key[5] << 16 | key[6] << 8 | key[7];
+- x[2] = key[8] << 24 | key[9] << 16 | key[10] << 8 | key[11];
+- x[3] = key[12] << 24 | key[13] << 16 | key[14] << 8 | key[15];
++ x[0] = (u32)key[0] << 24 | key[1] << 16 | key[2] << 8 | key[3];
++ x[1] = (u32)key[4] << 24 | key[5] << 16 | key[6] << 8 | key[7];
++ x[2] = (u32)key[8] << 24 | key[9] << 16 | key[10] << 8 | key[11];
++ x[3] = (u32)key[12] << 24 | key[13] << 16 | key[14] << 8 | key[15];
+
+ key_schedule( x, z, k );
+ for(i=0; i < 16; i++ )
+diff --git a/cipher/des.c b/cipher/des.c
+index 756c146..670ba65 100644
+--- a/cipher/des.c
++++ b/cipher/des.c
+@@ -429,15 +429,15 @@ static byte weak_keys[64][8] =
+ /*
+ * Macros to convert 8 bytes from/to 32bit words.
+ */
+-#define READ_64BIT_DATA(data, left, right) \
+- left = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; \
+- right = (data[4] << 24) | (data[5] << 16) | (data[6] << 8) | data[7];
++#define READ_64BIT_DATA(data, left, right) \
++ left = ((u32)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; \
++ right = ((u32)data[4] << 24) | (data[5] << 16) | (data[6] << 8) | data[7];
+
+-#define WRITE_64BIT_DATA(data, left, right) \
+- data[0] = (left >> 24) &0xff; data[1] = (left >> 16) &0xff; \
+- data[2] = (left >> 8) &0xff; data[3] = left &0xff; \
+- data[4] = (right >> 24) &0xff; data[5] = (right >> 16) &0xff; \
+- data[6] = (right >> 8) &0xff; data[7] = right &0xff;
++#define WRITE_64BIT_DATA(data, left, right) \
++ data[0] = (left >> 24) &0xff; data[1] = (left >> 16) &0xff; \
++ data[2] = (left >> 8) &0xff; data[3] = left &0xff; \
++ data[4] = (right >> 24) &0xff; data[5] = (right >> 16) &0xff; \
++ data[6] = (right >> 8) &0xff; data[7] = right &0xff;
+
+ /*
+ * Handy macros for encryption and decryption of data
+@@ -452,7 +452,7 @@ static void
+ burn_stack (int bytes)
+ {
+ char buf[64];
+-
++
+ wipememory(buf,sizeof buf);
+ bytes -= sizeof buf;
+ if (bytes > 0)
+@@ -960,7 +960,7 @@ do_tripledes_setkey ( void *ctx, const byte *key, unsigned keylen )
+ burn_stack (64);
+ return G10ERR_WEAK_KEY;
+ }
+- burn_stack (64);
++ burn_stack (64);
+
+ return 0;
+ }
+diff --git a/cipher/twofish.c b/cipher/twofish.c
+index 2feccdf..2fe3791 100644
+--- a/cipher/twofish.c
++++ b/cipher/twofish.c
+@@ -549,7 +549,7 @@ static void
+ burn_stack (int bytes)
+ {
+ char buf[64];
+-
++
+ wipememory(buf,sizeof buf);
+ bytes -= sizeof buf;
+ if (bytes > 0)
+@@ -702,7 +702,7 @@ twofish_setkey (void *ctx, const byte *key, unsigned int keylen)
+ burn_stack (23+6*sizeof(void*));
+ return rc;
+ }
+-
++
+
+
+ /* Macros to compute the g() function in the encryption and decryption
+@@ -756,7 +756,7 @@ twofish_setkey (void *ctx, const byte *key, unsigned int keylen)
+
+ #define INPACK(n, x, m) \
+ x = in[4 * (n)] ^ (in[4 * (n) + 1] << 8) \
+- ^ (in[4 * (n) + 2] << 16) ^ (in[4 * (n) + 3] << 24) ^ ctx->w[m]
++ ^ (in[4 * (n) + 2] << 16) ^ ((u32)in[4 * (n) + 3] << 24) ^ ctx->w[m]
+
+ #define OUTUNPACK(n, x, m) \
+ x ^= ctx->w[m]; \
+diff --git a/util/iobuf.c b/util/iobuf.c
+index 539356e..c844292 100644
+--- a/util/iobuf.c
++++ b/util/iobuf.c
+@@ -738,7 +738,7 @@ block_filter(void *opaque, int control, IOBUF chain, byte *buf, size_t *ret_len)
+ }
+ }
+ else if( c == 255 ) {
+- a->size = iobuf_get(chain) << 24;
++ a->size = (size_t)iobuf_get(chain) << 24;
+ a->size |= iobuf_get(chain) << 16;
+ a->size |= iobuf_get(chain) << 8;
+ if( (c = iobuf_get(chain)) == -1 ) {
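Review bot: in the util/iobuf.c block_filter hunk, `(size_t)iobuf_get(chain) << 24` casts the return value before any end-of-input check, and the context shows that iobuf_get can return -1 (`(c = iobuf_get(chain)) == -1` is tested only for the fourth byte). A -1 on the first read now becomes an all-ones size_t shifted left, and the `<< 16` and `<< 8` reads below remain unchecked ints OR-ed into a->size. Read each byte into `c`, reject -1, then combine, and use `(u32)` as the cipher hunks do unless size_t is intended here. Separately, the burn_stack, camellia.c and des.c hunks carry whitespace-only changes (they appear as identical `-`/`+` pairs); splitting those out would keep the casts that matter easy to audit.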
diff --git a/debian/patches/0006-g10-Make-sure-to-have-the-directory-for-trustdb.patch b/debian/patches/0006-g10-Make-sure-to-have-the-directory-for-trustdb.patch
new file mode 100644
index 0000000..d23de81
--- /dev/null
+++ b/debian/patches/0006-g10-Make-sure-to-have-the-directory-for-trustdb.patch
@@ -0,0 +1,143 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Fri, 12 Feb 2016 10:00:31 +0900
+Subject: g10: Make sure to have the directory for trustdb.
+
+* g10/tdbio.c (tdbio_set_dbname): Return earlier if !CREATE. Check
+the directory and create it if none before calling take_write_lock.
+
+--
+
+Thanks to Marc Deslauriers for the bug report and his patch.
+
+GnuPG-bug-id: 2246
+
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+
+(backport from master
+ commit 2f3e42047d17313eeb38d354048f343158402a8d)
+---
+ g10/tdbio.c | 97 +++++++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 52 insertions(+), 45 deletions(-)
+
+diff --git a/g10/tdbio.c b/g10/tdbio.c
+index 9d722c2..b01b550 100644
+--- a/g10/tdbio.c
++++ b/g10/tdbio.c
+@@ -477,7 +477,7 @@ create_version_record (void)
+ int
+ tdbio_set_dbname( const char *new_dbname, int create, int *r_nofile)
+ {
+- char *fname;
++ char *fname, *p;
+ struct stat statbuf;
+ static int initialized = 0;
+
+@@ -512,57 +512,64 @@ tdbio_set_dbname( const char *new_dbname, int create, int *r_nofile)
+ if (stat (fname, &statbuf) == 0 && statbuf.st_size > 0)
+ /* OK, we have the valid trustdb.gpg already. */
+ return 0;
++ else if (!create) {
++ *r_nofile = 1;
++ return 0;
++ }
++
++ /* Here comes: No valid trustdb.gpg AND CREATE==1 */
++
++ /*
++ * Make sure the directory exists. This should be done before
++ * acquiring the lock, which assumes the directory existence.
++ */
++ p = strrchr( fname, DIRSEP_C );
++ assert(p); /* See the code above. Always, it has DIRSEP_C. */
++ *p = 0;
++ if( access( fname, F_OK ) ) {
++ try_make_homedir( fname );
++ if (access (fname, F_OK ))
++ log_fatal (_("%s: directory does not exist!\n"), p);
++ }
++ *p = DIRSEP_C;
+
+ take_write_lock ();
+
++ /* Check the file after aquiring the lock. */
+ if( access( fname, R_OK ) ) {
++ FILE *fp;
++ TRUSTREC rec;
++ int rc;
++ mode_t oldmask;
++
+ if( errno != ENOENT )
+ log_fatal( _("can't access `%s': %s\n"), fname, strerror(errno) );
+
+- if (!create)
+- *r_nofile = 1;
+- else {
+- FILE *fp;
+- TRUSTREC rec;
+- int rc;
+- char *p = strrchr( fname, DIRSEP_C );
+- mode_t oldmask;
+-
+- assert(p);
+- *p = 0;
+- if( access( fname, F_OK ) ) {
+- try_make_homedir( fname );
+- if (access (fname, F_OK ))
+- log_fatal (_("%s: directory does not exist!\n"), fname);
+- }
+- *p = DIRSEP_C;
+-
+- oldmask=umask(077);
+- if (is_secured_filename (fname)) {
+- fp = NULL;
+- errno = EPERM;
+- }
+- else
+- fp =fopen( fname, "wb" );
+- umask(oldmask);
+- if( !fp )
+- log_fatal( _("can't create `%s': %s\n"), fname, strerror(errno) );
+- fclose(fp);
+- db_fd = open( db_name, O_RDWR | MY_O_BINARY );
+- if( db_fd == -1 )
+- log_fatal( _("can't open `%s': %s\n"), db_name, strerror(errno) );
+-
+- rc = create_version_record ();
+- if( rc )
+- log_fatal( _("%s: failed to create version record: %s"),
+- fname, g10_errstr(rc));
+- /* and read again to check that we are okay */
+- if( tdbio_read_record( 0, &rec, RECTYPE_VER ) )
+- log_fatal( _("%s: invalid trustdb created\n"), db_name );
+-
+- if( !opt.quiet )
+- log_info(_("%s: trustdb created\n"), db_name);
+- }
++ oldmask=umask(077);
++ if (is_secured_filename (fname)) {
++ fp = NULL;
++ errno = EPERM;
++ }
++ else
++ fp =fopen( fname, "wb" );
++ umask(oldmask);
++ if( !fp )
++ log_fatal( _("can't create `%s': %s\n"), fname, strerror(errno) );
++ fclose(fp);
++ db_fd = open( db_name, O_RDWR | MY_O_BINARY );
++ if( db_fd == -1 )
++ log_fatal( _("can't open `%s': %s\n"), db_name, strerror(errno) );
++
++ rc = create_version_record ();
++ if( rc )
++ log_fatal( _("%s: failed to create version record: %s"),
++ fname, g10_errstr(rc));
++ /* and read again to check that we are okay */
++ if( tdbio_read_record( 0, &rec, RECTYPE_VER ) )
++ log_fatal( _("%s: invalid trustdb created\n"), db_name );
++
++ if( !opt.quiet )
++ log_info(_("%s: trustdb created\n"), db_name);
+ }
+
+ release_write_lock ();
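Review bot: in tdbio_set_dbname, the relocated directory check calls `log_fatal (_("%s: directory does not exist!\n"), p);` right after `*p = 0`, so `p` points at the terminator and the message prints an empty name. The removed code passed `fname`, which at that point holds the directory path; pass `fname` here too. Also, `assert(p)` is the only guard on the `*p = 0` write and is compiled out under NDEBUG, and the new comment has a typo ("aquiring").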
diff --git a/debian/patches/0007-po-Fix-misleading-german-translation.patch b/debian/patches/0007-po-Fix-misleading-german-translation.patch
new file mode 100644
index 0000000..447343a
--- /dev/null
+++ b/debian/patches/0007-po-Fix-misleading-german-translation.patch
@@ -0,0 +1,25 @@
+From: Justus Winter <justus at g10code.com>
+Date: Fri, 1 Apr 2016 16:38:24 +0200
+Subject: po: Fix misleading german translation.
+
+--
+GnuPG-bug-id: 2239
+Signed-off-by: Justus Winter <justus at g10code.com>
+---
+ po/de.po | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/po/de.po b/po/de.po
+index 1a4ea08..82fb790 100644
+--- a/po/de.po
++++ b/po/de.po
+@@ -3552,8 +3552,7 @@ msgstr "Dieser Schlüssel wurde am %s von %s Schlüssel %s widerrufen\n"
+ #: g10/keyedit.c:2721
+ #, c-format
+ msgid "This key may be revoked by %s key %s"
+-msgstr ""
+-"Dieser Schlüssel könnte durch %s mit Schlüssel %s widerrufen worden sein"
++msgstr "Dieser Schlüssel kann von %s-Schlüssel %s widerrufen werden"
+
+ #: g10/keyedit.c:2727
+ msgid "(sensitive)"
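Review bot: the header of 0007 gives only GnuPG-bug-id: 2239 and no description, so a reader has to compare the two msgstr values to learn what was misleading. One sentence would do: the old German text said the key might already have been revoked ("könnte ... widerrufen worden sein"), while the msgid is about which key is allowed to revoke it.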
diff --git a/debian/patches/0008-doc-Explain-that-gpg-preset-passphrase-can-t-be-used.patch b/debian/patches/0008-doc-Explain-that-gpg-preset-passphrase-can-t-be-used.patch
new file mode 100644
index 0000000..93d097f
--- /dev/null
+++ b/debian/patches/0008-doc-Explain-that-gpg-preset-passphrase-can-t-be-used.patch
@@ -0,0 +1,24 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Fri, 22 Apr 2016 09:57:38 +0200
+Subject: doc: Explain that gpg-preset-passphrase can't be used.
+
+--
+---
+ doc/gpg.texi | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index ae582d3..b770e0e 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -1640,7 +1640,9 @@ process. @option{--no-auto-check-trustdb} disables this option.
+ @opindex use-agent
+ Try to use the GnuPG-Agent. With this option, GnuPG first tries to
+ connect to the agent before it asks for a
+-passphrase. @option{--no-use-agent} disables this option.
++passphrase. @option{--no-use-agent} disables this option. Note, that
++the tool @command{gpg-preset-passphrase}, which comes with GnuPG-2,
++cannot be used to preset a passphrase for this version of GnuPG.
+
+ @item --gpg-agent-info
+ @opindex gpg-agent-info
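Review bot: in the added sentence under @opindex use-agent, "Note, that" should read "Note that" (no comma). The text also tells the reader only what cannot be used; if this version has a supported way to preset a passphrase through the agent, name it here, otherwise say plainly that there is none.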
diff --git a/debian/patches/0009-doc-Remove-non-implemented-option-skip-hidden-recipi.patch b/debian/patches/0009-doc-Remove-non-implemented-option-skip-hidden-recipi.patch
new file mode 100644
index 0000000..2487806
--- /dev/null
+++ b/debian/patches/0009-doc-Remove-non-implemented-option-skip-hidden-recipi.patch
@@ -0,0 +1,39 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 8 Jun 2016 18:03:43 +0200
+Subject: doc: Remove non-implemented option --skip-hidden-recipients.
+
+--
+
+GnuPG-bug-id: 1394
+
+Note that --try-secret-key was already removed with commit
+2889a70c102271a1b6ff529bafb6748c4e773014
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ doc/gpg.texi | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index b770e0e..ee756d8 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -1839,18 +1839,6 @@ behaviour as used by anonymous recipients (created by using
+ @option{--throw-keyids} or @option{--hidden-recipient}) and might come
+ handy in case where an encrypted message contains a bogus key ID.
+
+- at item --skip-hidden-recipients
+- at itemx --no-skip-hidden-recipients
+- at opindex skip-hidden-recipients
+- at opindex no-skip-hidden-recipients
+-During decryption skip all anonymous recipients. This option helps in
+-the case that people use the hidden recipients feature to hide there
+-own encrypt-to key from others. If oneself has many secret keys this
+-may lead to a major annoyance because all keys are tried in turn to
+-decrypt soemthing which was not really intended for it. The drawback
+-of this option is that it is currently not possible to decrypt a
+-message which includes real anonymous recipients.
+-
+
+ @end table
+
diff --git a/debian/patches/0010-g10-Fix-another-race-condition-for-trustdb-access.patch b/debian/patches/0010-g10-Fix-another-race-condition-for-trustdb-access.patch
new file mode 100644
index 0000000..0344478
--- /dev/null
+++ b/debian/patches/0010-g10-Fix-another-race-condition-for-trustdb-access.patch
@@ -0,0 +1,52 @@
+From: Niibe Yutaka <gniibe at fsij.org>
+Date: Wed, 15 Jun 2016 08:41:56 +0900
+Subject: g10: Fix another race condition for trustdb access.
+
+* g10/tdbio.c (create_version_record): Call create_hashtable to always
+make hashtable, together with the version record.
+(get_trusthashrec): Remove call to create_hashtable.
+
+--
+
+GnuPG-bug-id: 1675
+Thanks to Scott Moser to reproducible script and patience.
+
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+(backport from master
+ commit 35a3ce2acf78a95fecbccfd8db0560cca24232df)
+---
+ g10/tdbio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/g10/tdbio.c b/g10/tdbio.c
+index b01b550..9edf693 100644
+--- a/g10/tdbio.c
++++ b/g10/tdbio.c
+@@ -93,6 +93,7 @@ static int in_transaction;
+
+ static void open_db(void);
+ static void migrate_from_v2 (void);
++static void create_hashtable (TRUSTREC *vr, int type);
+
+ static int
+ take_write_lock (void)
+@@ -469,6 +470,10 @@ create_version_record (void)
+ rc = tdbio_write_record( &rec );
+ if( !rc )
+ tdbio_sync();
++
++ if (!rc)
++ create_hashtable (&rec, 0);
++
+ return rc;
+ }
+
+@@ -760,8 +765,6 @@ get_trusthashrec(void)
+ if( rc )
+ log_fatal( _("%s: error reading version record: %s\n"),
+ db_name, g10_errstr(rc) );
+- if( !vr.r.ver.trusthashtbl )
+- create_hashtable( &vr, 0 );
+
+ trusthashtbl = vr.r.ver.trusthashtbl;
+ }
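Review bot: the get_trusthashrec hunk removes the fallback `if( !vr.r.ver.trusthashtbl ) create_hashtable( &vr, 0 );` without putting any check in its place, so a version record that reads back with trusthashtbl == 0 is now assigned straight into trusthashtbl and nothing on this path reports it. Since create_version_record becomes the only place the table is made, either add a log_fatal for the zero case here or state in a comment why a version record without a hash table cannot exist. In create_version_record, the new `create_hashtable (&rec, 0);` runs after tdbio_sync() and is declared static void, so a failure inside it cannot reach rc; a short comment on how errors there surface would help the next reader.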
diff --git a/debian/patches/0011-g10-Fix-list-packets.patch b/debian/patches/0011-g10-Fix-list-packets.patch
new file mode 100644
index 0000000..89c5e1d
--- /dev/null
+++ b/debian/patches/0011-g10-Fix-list-packets.patch
@@ -0,0 +1,87 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Tue, 28 Jun 2016 15:56:48 +0900
+Subject: g10: Fix --list-packets.
+
+* g10/gpg.c (main): Call set_packet_list_mode after assignment of
+opt.list_packets.
+* g10/mainproc.c (do_proc_packets): Don't stop processing with
+--list-packets as the comment says.
+* g10/options.h (list_packets): Fix the comment.
+* g10/parse-packet.c: Fix the condition for opt.list_packets.
+
+--
+
+(backport from 2.0 commit 4f336ed780cc2783395f3ff2b12b3ebb8e097f7b
+which is backport of master
+commit 52f65281f9743c42a48bf5a3354c9ab0ecdb681a)
+
+Debian-bug-id: 828109
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+---
+ g10/gpg.c | 3 +--
+ g10/mainproc.c | 2 +-
+ g10/options.h | 2 +-
+ g10/parse-packet.c | 2 +-
+ 4 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 0095d34..72d313b 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -3953,7 +3953,6 @@ main (int argc, char **argv )
+ break;
+
+ case aListPackets:
+- opt.list_packets=2;
+ default:
+ if( argc > 1 )
+ wrong_args(_("[filename]"));
+@@ -3980,8 +3979,8 @@ main (int argc, char **argv )
+ }
+ }
+ if( cmd == aListPackets ) {
+- set_packet_list_mode(1);
+ opt.list_packets=1;
++ set_packet_list_mode(1);
+ }
+ rc = proc_packets(NULL, a );
+ if( rc )
+diff --git a/g10/mainproc.c b/g10/mainproc.c
+index a773fde..33a654b 100644
+--- a/g10/mainproc.c
++++ b/g10/mainproc.c
+@@ -1264,7 +1264,7 @@ do_proc_packets( CTX c, IOBUF a )
+ free_packet(pkt);
+ /* stop processing when an invalid packet has been encountered
+ * but don't do so when we are doing a --list-packets. */
+- if( rc == G10ERR_INVALID_PACKET && opt.list_packets != 2 )
++ if( rc == G10ERR_INVALID_PACKET && opt.list_packets == 0 )
+ break;
+ continue;
+ }
+diff --git a/g10/options.h b/g10/options.h
+index 5aa3a04..0ac6e77 100644
+--- a/g10/options.h
++++ b/g10/options.h
+@@ -61,7 +61,7 @@ struct
+ int fingerprint; /* list fingerprints */
+ int list_sigs; /* list signatures */
+ int no_armor;
+- int list_packets; /* list-packets mode: 1=normal, 2=invoked by command*/
++ int list_packets; /* Option --list-packets active. */
+ int def_cipher_algo;
+ int force_v3_sigs;
+ int force_v4_certs;
+diff --git a/g10/parse-packet.c b/g10/parse-packet.c
+index beee77e..b5d19b1 100644
+--- a/g10/parse-packet.c
++++ b/g10/parse-packet.c
+@@ -134,7 +134,7 @@ set_packet_list_mode( int mode )
+ whether using log_stream() would be better. Perhaps we should
+ enable the list mdoe only with a special option. */
+ if (!listfp)
+- listfp = opt.list_packets == 2 ? stdout : stderr;
++ listfp = opt.list_packets ? stdout : stderr;
+ return old;
+ }
+
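Review bot: in g10/gpg.c the swap that puts `opt.list_packets=1;` ahead of `set_packet_list_mode(1);` is load-bearing, because set_packet_list_mode chooses listfp from opt.list_packets only while `!listfp`, yet nothing at the call site says so; add a one-line comment there so the order is not reversed again. The now-empty `case aListPackets:` label that falls into `default:` should be dropped or given a fall-through comment. With both `== 2` / `!= 2` tests gone, any nonzero opt.list_packets now selects stdout and keeps do_proc_packets going past G10ERR_INVALID_PACKET; if the old value 1 could be set other than by this command, that is a behaviour change the commit message should state.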
diff --git a/debian/patches/0012-g10-Fix-keysize-with-expert.patch b/debian/patches/0012-g10-Fix-keysize-with-expert.patch
new file mode 100644
index 0000000..438d822
--- /dev/null
+++ b/debian/patches/0012-g10-Fix-keysize-with-expert.patch
@@ -0,0 +1,29 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Wed, 6 Jul 2016 11:45:05 +0900
+Subject: g10: Fix keysize with --expert.
+
+* g10/keygen.c (ask_keysize): It's 768 only for DSA.
+
+--
+
+GnuPG-bug-id: 2238
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+---
+ g10/keygen.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 76ee74e..268fce5 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -1582,8 +1582,8 @@ ask_keysize (int algo, unsigned int primary_keysize)
+ int for_subkey = !!primary_keysize;
+ int autocomp = 0;
+
+- if(opt.expert)
+- min=512;
++ if(opt.expert && algo == PUBKEY_ALGO_DSA)
++ min=768;
+ else
+ min=1024;
+
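Review bot: the new floors in ask_keysize, 768 and 1024, are bare literals whose only rationale is the one-line changelog entry "It's 768 only for DSA"; add a comment at `if(opt.expert && algo == PUBKEY_ALGO_DSA)` explaining why DSA alone keeps a lower expert minimum. The hunk also removes the 512-bit expert minimum for every algorithm, which is a user-visible tightening, so check the --expert documentation for any mention of smaller sizes and update it in the same patch.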
diff --git a/debian/patches/0013-gpgv-Tweak-default-options-for-extra-security.patch b/debian/patches/0013-gpgv-Tweak-default-options-for-extra-security.patch
new file mode 100644
index 0000000..12b428b
--- /dev/null
+++ b/debian/patches/0013-gpgv-Tweak-default-options-for-extra-security.patch
@@ -0,0 +1,40 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Sat, 9 Jul 2016 10:20:02 +0900
+Subject: gpgv: Tweak default options for extra security.
+
+* g10/gpgv.c (main): Set opt.no_sig _cache, so that it doesn't depend on
+cached status. Similarly, set opt.flags.require_cross_cert for backsig
+validation for subkey signature.
+
+--
+
+(backport of master
+commit e32c575e0f3704e7563048eea6d26844bdfc494b)
+
+It is common that an organization distributes binary keyrings with
+signature cache (Tag 12, Trust Packet) and people use gpgv to validate
+signature with such keyrings. In such a use case, it is possible that
+the key validation itself is skipped.
+
+For the purpose of gpgv validation of signatures, we should not depend
+on signature cache in keyrings (if any), but we should validate the key
+by its self signature for primary key, and back signature for subkey.
+
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+---
+ g10/gpgv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index b2721ba..f2899bf 100644
+--- a/g10/gpgv.c
++++ b/g10/gpgv.c
+@@ -144,6 +144,8 @@ main( int argc, char **argv )
+ opt.pgp2_workarounds = 1;
+ opt.keyserver_options.options|=KEYSERVER_AUTO_KEY_RETRIEVE;
+ opt.trust_model = TM_ALWAYS;
++ opt.no_sig_cache = 1;
++ opt.flags.require_cross_cert = 1;
+ opt.batch = 1;
+ opt.weak_digests = NULL;
+
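Review bot: the two assignments added to main() carry no comment, and the reason for them (keyrings distributed with Tag 12 signature-cache packets can cause key validation to be skipped) is recorded only in the commit message. Put a short comment above `opt.no_sig_cache = 1;` and `opt.flags.require_cross_cert = 1;` so they are not later removed as redundant next to `opt.trust_model = TM_ALWAYS;`. Turning require_cross_cert on by default changes which subkey signatures gpgv accepts, so this deserves a NEWS or gpgv documentation entry, and a regression test with a keyring that carries cached signature status would pin the new behaviour.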
diff --git a/debian/patches/series b/debian/patches/series
index a277928..f9a2d7c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,13 @@
0001-avoid-looking-for-git-info-during-autoreconf.patch
0002-Update-Danish-translation.patch
0003-change-package-name-to-gnupg1.patch
+0004-g10-Fix-iobuf-API-of-filter-function-for-alignment.patch
+0005-Fix-possible-sign-extension-problem-with-newer-compi.patch
+0006-g10-Make-sure-to-have-the-directory-for-trustdb.patch
+0007-po-Fix-misleading-german-translation.patch
+0008-doc-Explain-that-gpg-preset-passphrase-can-t-be-used.patch
+0009-doc-Remove-non-implemented-option-skip-hidden-recipi.patch
+0010-g10-Fix-another-race-condition-for-trustdb-access.patch
+0011-g10-Fix-list-packets.patch
+0012-g10-Fix-keysize-with-expert.patch
+0013-gpgv-Tweak-default-options-for-extra-security.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg1.git