[Pkg-gnupg-commit] [gnupg1] 01/03: two more fixes from upstream

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Aug 8 16:50:36 UTC 2016


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch experimental
in repository gnupg1.

commit 5ed457210d69f95ea253221e14e6f8a8c8da0a5f
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Mon Aug 8 11:27:08 2016 -0400

    two more fixes from upstream
---
 ...Fix-checking-key-for-signature-validation.patch | 33 ++++++++++++
 ...d-publishing-the-GnuPG-version-by-default.patch | 58 ++++++++++++++++++++++
 debian/patches/series                              |  2 +
 3 files changed, 93 insertions(+)

diff --git a/debian/patches/0016-g10-Fix-checking-key-for-signature-validation.patch b/debian/patches/0016-g10-Fix-checking-key-for-signature-validation.patch
new file mode 100644
index 0000000..aca3043
--- /dev/null
+++ b/debian/patches/0016-g10-Fix-checking-key-for-signature-validation.patch
@@ -0,0 +1,33 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Thu, 4 Aug 2016 16:21:39 +0900
+Subject: g10: Fix checking key for signature validation.
+
+* g10/sig-check.c (signature_check2): Not only subkey, but also primary
+key should have flags.valid=1.
+
+--
+
+(backport of master
+commit 6f284e6ed63f514b15fe610f490ffcefc87a2164)
+
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+---
+ g10/sig-check.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/g10/sig-check.c b/g10/sig-check.c
+index 6bac630..8dd0373 100644
+--- a/g10/sig-check.c
++++ b/g10/sig-check.c
+@@ -76,9 +76,9 @@ signature_check2( PKT_signature *sig, MD_HANDLE digest, u32 *r_expiredate,
+       }
+     else if( get_pubkey( pk, sig->keyid ) )
+ 	rc = G10ERR_NO_PUBKEY;
+-    else if(!pk->is_valid && !pk->is_primary)
++    else if(!pk->is_valid)
+         rc=G10ERR_BAD_PUBKEY; /* you cannot have a good sig from an
+-				 invalid subkey */
++				 invalid key */
+     else
+       {
+         if(r_expiredate)
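Review bot: the description at the top of this patch says the primary key should also have `flags.valid=1`, but the code being changed in this 1.4 tree tests `pk->is_valid` (the nested hunk shows `else if(!pk->is_valid && !pk->is_primary)` becoming `else if(!pk->is_valid)`); since this is a backport of a master commit, reword that first paragraph to name the field actually touched, e.g. "Not only a subkey, but also the primary key must have is_valid set", so the Debian patch header describes the 1.4 code rather than master's. Consider also recording the origin as a DEP-3 `Origin:` header instead of the free-text "(backport of master commit ...)" line. The code change itself is correct: removing the `!pk->is_primary` exception means a signature made with an invalid primary key now fails with G10ERR_BAD_PUBKEY instead of being accepted, and the comment was updated to match.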
diff --git a/debian/patches/0017-gpg-Avoid-publishing-the-GnuPG-version-by-default.patch b/debian/patches/0017-gpg-Avoid-publishing-the-GnuPG-version-by-default.patch
new file mode 100644
index 0000000..9484f53
--- /dev/null
+++ b/debian/patches/0017-gpg-Avoid-publishing-the-GnuPG-version-by-default.patch
@@ -0,0 +1,58 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 4 Aug 2016 16:58:13 -0400
+Subject: gpg: Avoid publishing the GnuPG version by default
+
+* g10/gpg.c (main): initialize opt.emit_version to 0
+* doc/gpg.texi: document different default for --emit-version
+
+--
+
+The version of GnuPG in use is not particularly helpful.  It is not
+cryptographically verifiable, and it doesn't distinguish between
+significant version differences like 2.0.x and 2.1.x.
+
+Additionally, it leaks metadata that can be used to distinguish users
+from one another, and can potentially be used to target specific
+attacks if there are known behaviors that differ between major
+versions.
+
+It's probably better to take the more parsimonious approach to
+metadata production by default.
+
+(backport of master commit c9387e41db7520d176edd3d6613b85875bdeb32c)
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ doc/gpg.texi | 4 ++--
+ g10/gpg.c    | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index a41ab8e..12a6d60 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -2338,9 +2338,9 @@ protected by the signature.
+ @opindex emit-version
+ Force inclusion of the version string in ASCII armored output.  If
+ given once only the name of the program and the major number is
+-emitted (default), given twice the minor is also emitted, given triple
++emitted, given twice the minor is also emitted, given triple
+ the micro is added, and given quad an operating system identification
+-is also emitted.  @option{--no-emit-version} disables the version
++is also emitted.  @option{--no-emit-version} (default) disables the version
+ line.
+ 
+ @item --sig-notation @code{name=value}
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 72d313b..236ea1e 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -1911,7 +1911,7 @@ main (int argc, char **argv )
+     opt.def_cert_expire="0";
+     set_homedir ( default_homedir () );
+     opt.passwd_repeat=1;
+-    opt.emit_version = 1; /* Limit to the major number.  */
++    opt.emit_version = 0;
+ 
+ #ifdef ENABLE_CARD_SUPPORT
+ #if defined(_WIN32) || defined(__CYGWIN__)
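Review bot: this changes a user-visible default (ASCII-armored output no longer carries a `Version:` line unless `--emit-version` is given), but the commit touches only the two patch files and `debian/patches/series` (the diffstat shows 3 files changed); a debian/changelog entry, and ideally a NEWS note, should accompany it so users and tools that parse the armor header for the version are told about the change. In the gpg.c hunk the replacement line `opt.emit_version = 0;` drops the explanatory comment; a short comment such as `/* Do not emit a Version: line by default.  */` would keep the intent visible among the other option defaults. The gpg.texi change correctly moves `(default)` from the once-given case to `@option{--no-emit-version}`.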
diff --git a/debian/patches/series b/debian/patches/series
index 6a0c4d0..e25903b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,5 @@
 0013-gpgv-Tweak-default-options-for-extra-security.patch
 0014-Fix-spelling-occured-should-be-occurred.patch
 0015-Clean-up-allow-to.patch
+0016-g10-Fix-checking-key-for-signature-validation.patch
+0017-gpg-Avoid-publishing-the-GnuPG-version-by-default.patch
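Review bot: the two new series entries match the filenames of the patches added above and continue the 00NN numbering after 0015; nothing to change here.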

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg1.git