[Pkg-gnupg-commit] [gnupg2] 01/02: three more fixes from upstream
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Aug 8 17:11:28 UTC 2016
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch experimental
in repository gnupg2.
commit 5819eecbfe06ad18744739026d8f805856dd4622
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Aug 5 12:09:13 2016 -0400
three more fixes from upstream
---
...Fix-checking-key-for-signature-validation.patch | 33 ++++++
...d-publishing-the-GnuPG-version-by-default.patch | 56 +++++++++++
...ong-standing-regression-tracking-the-conn.patch | 112 +++++++++++++++++++++
debian/patches/series | 3 +
4 files changed, 204 insertions(+)
diff --git a/debian/patches/0025-g10-Fix-checking-key-for-signature-validation.patch b/debian/patches/0025-g10-Fix-checking-key-for-signature-validation.patch
new file mode 100644
index 0000000..a172e73
--- /dev/null
+++ b/debian/patches/0025-g10-Fix-checking-key-for-signature-validation.patch
@@ -0,0 +1,33 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Thu, 4 Aug 2016 16:21:39 +0900
+Subject: g10: Fix checking key for signature validation.
+
+* g10/sig-check.c (check_signature2): Not only subkey, but also primary
+key should have flags.valid=1.
+
+--
+
+The tweak of gpgv in e32c575e0f3704e7563048eea6d26844bdfc494b only makes
+sense with this change.
+
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+---
+ g10/sig-check.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/g10/sig-check.c b/g10/sig-check.c
+index 7000b48..334add7 100644
+--- a/g10/sig-check.c
++++ b/g10/sig-check.c
+@@ -118,9 +118,9 @@ check_signature2 (PKT_signature *sig, gcry_md_hd_t digest, u32 *r_expiredate,
+ }
+ else if( get_pubkey( pk, sig->keyid ) )
+ rc = GPG_ERR_NO_PUBKEY;
+- else if(!pk->flags.valid && !pk->flags.primary)
++ else if(!pk->flags.valid)
+ {
+- /* You cannot have a good sig from an invalid subkey. */
++ /* You cannot have a good sig from an invalid key. */
+ rc = GPG_ERR_BAD_PUBKEY;
+ }
+ else
diff --git a/debian/patches/0026-gpg-Avoid-publishing-the-GnuPG-version-by-default.patch b/debian/patches/0026-gpg-Avoid-publishing-the-GnuPG-version-by-default.patch
new file mode 100644
index 0000000..824281b
--- /dev/null
+++ b/debian/patches/0026-gpg-Avoid-publishing-the-GnuPG-version-by-default.patch
@@ -0,0 +1,56 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Thu, 4 Aug 2016 16:58:13 -0400
+Subject: gpg: Avoid publishing the GnuPG version by default
+
+* g10/gpg.c (main): initialize opt.emit_version to 0
+* doc/gpg.texi: document different default for --emit-version
+
+--
+
+The version of GnuPG in use is not particularly helpful. It is not
+cryptographically verifiable, and it doesn't distinguish between
+significant version differences like 2.0.x and 2.1.x.
+
+Additionally, it leaks metadata that can be used to distinguish users
+from one another, and can potentially be used to target specific
+attacks if there are known behaviors that differ between major
+versions.
+
+It's probably better to take the more parsimonious approach to
+metadata production by default.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+---
+ doc/gpg.texi | 4 ++--
+ g10/gpg.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 4d6a261..0578a4a 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -2712,9 +2712,9 @@ protected by the signature.
+ @opindex emit-version
+ Force inclusion of the version string in ASCII armored output. If
+ given once only the name of the program and the major number is
+-emitted (default), given twice the minor is also emitted, given triple
++emitted, given twice the minor is also emitted, given triple
+ the micro is added, and given quad an operating system identification
+-is also emitted. @option{--no-emit-version} disables the version
++is also emitted. @option{--no-emit-version} (default) disables the version
+ line.
+
+ @item --sig-notation @code{name=value}
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 35d350e..b33b61b 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -2269,7 +2269,7 @@ main (int argc, char **argv)
+ opt.def_cert_expire = "0";
+ gnupg_set_homedir (NULL);
+ opt.passphrase_repeat = 1;
+- opt.emit_version = 1; /* Limit to the major number. */
++ opt.emit_version = 0;
+ opt.weak_digests = NULL;
+ additional_weak_digest("MD5");
+
diff --git a/debian/patches/0027-agent-Fix-long-standing-regression-tracking-the-conn.patch b/debian/patches/0027-agent-Fix-long-standing-regression-tracking-the-conn.patch
new file mode 100644
index 0000000..beb69a6
--- /dev/null
+++ b/debian/patches/0027-agent-Fix-long-standing-regression-tracking-the-conn.patch
@@ -0,0 +1,112 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Sat, 6 Aug 2016 10:14:17 +0200
+Subject: agent: Fix long standing regression tracking the connection count.
+
+* agent/gpg-agent.c (get_agent_active_connection_count): New.
+(do_start_connection_thread, start_connection_thread_ssh): Bump
+ACTIVE_CONNECTIONS up and down.
+* agent/command.c (cmd_getinfo): Add subcommand "connections".
+--
+
+The variable ACTIVE_CONNECTIONS is used to shutdown gpg-agent in a
+friendly way. Before we switched to nPth a Pth provided count of
+threads was used for this. During the migration to nPth
+ACTIVE_CONNECTIONS was introduced and checked but never set.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+---
+ agent/agent.h | 1 +
+ agent/command.c | 9 +++++++++
+ agent/gpg-agent.c | 12 ++++++++++++
+ 3 files changed, 22 insertions(+)
+
+diff --git a/agent/agent.h b/agent/agent.h
+index 42a580c..fe5ffba 100644
+--- a/agent/agent.h
++++ b/agent/agent.h
+@@ -341,6 +341,7 @@ void agent_set_progress_cb (void (*cb)(ctrl_t ctrl, const char *what,
+ gpg_error_t agent_copy_startup_env (ctrl_t ctrl);
+ const char *get_agent_socket_name (void);
+ const char *get_agent_ssh_socket_name (void);
++int get_agent_active_connection_count (void);
+ #ifdef HAVE_W32_SYSTEM
+ void *get_agent_scd_notify_event (void);
+ #endif
+diff --git a/agent/command.c b/agent/command.c
+index 1803b5f..7fc28ad 100644
+--- a/agent/command.c
++++ b/agent/command.c
+@@ -2775,6 +2775,7 @@ static const char hlp_getinfo[] =
+ " std_startup_env - List the standard startup environment.\n"
+ " cmd_has_option\n"
+ " - Returns OK if the command CMD implements the option OPT.\n"
++ " connections - Return number of active connections.\n"
+ " restricted - Returns OK if the connection is in restricted mode.\n";
+ static gpg_error_t
+ cmd_getinfo (assuan_context_t ctx, char *line)
+@@ -2907,6 +2908,14 @@ cmd_getinfo (assuan_context_t ctx, char *line)
+ }
+ }
+ }
++ else if (!strcmp (line, "connections"))
++ {
++ char numbuf[20];
++
++ snprintf (numbuf, sizeof numbuf, "%d",
++ get_agent_active_connection_count ());
++ rc = assuan_send_data (ctx, numbuf, strlen (numbuf));
++ }
+ else
+ rc = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");
+ return rc;
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index d7f1684..26e4d31 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -1702,6 +1702,14 @@ get_agent_ssh_socket_name (void)
+ }
+
+
++/* Return the number of active connections. */
++int
++get_agent_active_connection_count (void)
++{
++ return active_connections;
++}
++
++
+ /* Under W32, this function returns the handle of the scdaemon
+ notification event. Calling it the first time creates that
+ event. */
+@@ -2310,6 +2318,7 @@ putty_message_thread (void *arg)
+ static void *
+ do_start_connection_thread (ctrl_t ctrl)
+ {
++ active_connections++;
+ agent_init_default_ctrl (ctrl);
+ if (opt.verbose)
+ log_info (_("handler 0x%lx for fd %d started\n"),
+@@ -2322,6 +2331,7 @@ do_start_connection_thread (ctrl_t ctrl)
+
+ agent_deinit_default_ctrl (ctrl);
+ xfree (ctrl);
++ active_connections--;
+ return NULL;
+ }
+
+@@ -2388,6 +2398,7 @@ start_connection_thread_ssh (void *arg)
+ if (check_nonce (ctrl, &socket_nonce_ssh))
+ return NULL;
+
++ active_connections++;
+ agent_init_default_ctrl (ctrl);
+ if (opt.verbose)
+ log_info (_("ssh handler 0x%lx for fd %d started\n"),
+@@ -2400,6 +2411,7 @@ start_connection_thread_ssh (void *arg)
+
+ agent_deinit_default_ctrl (ctrl);
+ xfree (ctrl);
++ active_connections--;
+ return NULL;
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index 593526d..baacf3b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,6 @@
0022-Fix-spelling-grammar.patch
0023-dirmngr-emit-correct-spelling-of-superseded.patch
0024-more-cleanup-of-allow-to.patch
+0025-g10-Fix-checking-key-for-signature-validation.patch
+0026-gpg-Avoid-publishing-the-GnuPG-version-by-default.patch
+0027-agent-Fix-long-standing-regression-tracking-the-conn.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git
More information about the Pkg-gnupg-commit
mailing list