diff --git a/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch b/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch index 4b5690f..98dda54 100644 --- a/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch +++ b/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch @@ -33,7 +33,7 @@ index 5d3162c..f9acf95 100644 } - -- if (!uidnode ) +- if (!uidnode) - { - if (!silent) - log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); @@ -43,16 +43,17 @@ index 5d3162c..f9acf95 100644 if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), -@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl, +@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl, } } -- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) ) +- /* Delete invalid parts and bail out if there are no user ids left. */ +- if (!delete_inv_parts (ctrl, keyblock, keyid, options)) - { - if (!silent) - { -- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); -- if (!opt.quiet ) +- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); +- if (!opt.quiet) - log_info(_("this may be caused by a missing self-signature\n")); - } - stats->no_user_id++; diff --git a/gnupg-2.2.20-file-is-digest.patch b/gnupg-2.2.20-file-is-digest.patch index f97ac9b..c2bf7c3 100644 --- a/gnupg-2.2.20-file-is-digest.patch +++ b/gnupg-2.2.20-file-is-digest.patch @@ -10,25 +10,25 @@ diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c oGroup, oUnGroup, 
@@ -831,6 +832,7 @@ static ARGPARSE_OPTS opts[] = { - ARGPARSE_s_s (oPersonalCompressPreferences, - "personal-compress-preferences", "@"), - ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"), + ARGPARSE_s_s (oTempDir, "temp-directory", "@"), + ARGPARSE_s_s (oExecPath, "exec-path", "@"), + ARGPARSE_s_n (oExpert, "expert", "@"), + ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"), - ARGPARSE_s_s (oWeakDigest, "weak-digest","@"), - ARGPARSE_s_n (oUnwrap, "unwrap", "@"), - ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"), + ARGPARSE_s_n (oNoExpert, "no-expert", "@"), + ARGPARSE_s_n (oNoSecmemWarn, "no-secmem-warning", "@"), + ARGPARSE_s_n (oRequireSecmem, "require-secmem", "@"), @@ -2419,6 +2421,7 @@ main (int argc, char **argv) opt.keyid_format = KF_NONE; opt.def_sig_expire = "0"; opt.def_cert_expire = "0"; + opt.file_is_digest = 0; - gnupg_set_homedir (NULL); opt.passphrase_repeat = 1; opt.emit_version = 0; + opt.weak_digests = NULL; @@ -2997,6 +3000,7 @@ main (int argc, char **argv) - opt.verify_options&=~VERIFY_SHOW_PHOTOS; - break; case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; + + case oForceAEAD: opt.force_aead = 1; break; + case oFileIsDigest: opt.file_is_digest = 1; break; case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break; @@ -56,136 +56,157 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c #include "../common/compliance.h" 
@@ -834,6 +835,8 @@ write_signature_packets (ctrl_t ctrl, - if (duration || opt.sig_policy_url - || opt.sig_notations || opt.sig_keyserver_url) - sig->version = 4; -+ else if (opt.file_is_digest) + + if (pk->version >= 5) + sig->version = 5; /* Required for v5 keys. */ ++ else if (opt.file_is_digest) + sig->version = 3; else - sig->version = pk->version; + sig->version = 4; /* Required. */ -@@ -860,8 +863,11 @@ write_signature_packets (ctrl_t ctrl, - } - else - err = 0; /* Actually never reached. */ -- hash_sigversion_to_magic (md, sig); +@@ -860,14 +863,22 @@ write_signature_packets (ctrl_t ctrl, + if (gcry_md_copy (&md, hash)) + BUG (); + +- build_sig_subpkt_from_sig (sig, pk); +- mk_notation_policy_etc (ctrl, sig, NULL, pk); +- if (opt.flags.include_key_block && IS_SIG (sig)) +- err = mk_sig_subpkt_key_block (ctrl, sig, pk); +- else +- err = 0; +- hash_sigversion_to_magic (md, sig, extrahash); - gcry_md_final (md); ++ if (!opt.file_is_digest) ++ { ++ build_sig_subpkt_from_sig (sig, pk); ++ mk_notation_policy_etc (ctrl, sig, NULL, pk); ++ if (opt.flags.include_key_block && IS_SIG (sig)) ++ err = mk_sig_subpkt_key_block (ctrl, sig, pk); ++ else ++ err = 0; + -+ if (!opt.file_is_digest) { -+ hash_sigversion_to_magic (md, sig); -+ gcry_md_final (md); -+ } ++ hash_sigversion_to_magic (md, sig, extrahash); ++ gcry_md_final (md); ++ } ++ else if (sig->version >= 4) ++ { ++ log_bug("file-is-digest doesn't work with v4 sigs\n"); ++ } if (!err) err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0); @@ -924,6 +930,8 @@ sign_file (ctrl_t ctrl, strlist_t filena - SK_LIST sk_rover = NULL; - int multifile = 0; - u32 duration=0; -+ int sigclass = 0x00; -+ u32 timestamp = 0; + SK_LIST sk_rover = NULL; + int multifile = 0; + u32 duration=0; ++ int sigclass = 0x00; ++ u32 timestamp = 0; + pt_extra_hash_data_t extrahash = NULL; - pfx = new_progress_context (); - afx = new_armor_context (); + pfx = new_progress_context (); 
@@ -941,7 +949,16 @@ sign_file (ctrl_t ctrl, strlist_t filena - fname = NULL; + fname = NULL; - if( fname && filenames->next && (!detached || encryptflag) ) -- log_bug("multiple files can only be detached signed"); -+ log_bug("multiple files can only be detached signed\n"); + if (fname && filenames->next && (!detached || encryptflag)) +- log_bug ("multiple files can only be detached signed"); ++ log_bug ("multiple files can only be detached signed\n"); + -+ if (opt.file_is_digest && (multifile || !fname)) -+ log_bug("file-is-digest only works with one file\n"); -+ if (opt.file_is_digest && !detached) -+ log_bug("file-is-digest can only write detached signatures\n"); -+ if (opt.file_is_digest && !opt.def_digest_algo) -+ log_bug("file-is-digest needs --digest-algo\n"); -+ if (opt.file_is_digest && opt.textmode) -+ log_bug("file-is-digest doesn't work with --textmode\n"); ++ if (opt.file_is_digest && (multifile || !fname)) ++ log_bug ("file-is-digest only works with one file\n"); ++ if (opt.file_is_digest && !detached) ++ log_bug ("file-is-digest can only write detached signatures\n"); ++ if (opt.file_is_digest && !opt.def_digest_algo) ++ log_bug ("file-is-digest needs --digest-algo\n"); ++ if (opt.file_is_digest && opt.textmode) ++ log_bug ("file-is-digest doesn't work with --textmode\n"); - if(encryptflag==2 - && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) + if (encryptflag == 2 + && (rc = setup_symkey (&efx.symkey_s2k, &efx.symkey_dek))) @@ -962,7 +979,7 @@ sign_file (ctrl_t ctrl, strlist_t filena - goto leave; + goto leave; - /* prepare iobufs */ -- if( multifile ) /* have list of filenames */ -+ if( multifile || opt.file_is_digest) /* have list of filenames */ - inp = NULL; /* we do it later */ - else { - inp = iobuf_open(fname); + /* Prepare iobufs. */ +- if (multifile) /* have list of filenames */ ++ if (multifile || opt.file_is_digest) /* have list of filenames */ + inp = NULL; /* we do it later */ + else + { 
@@ -1100,7 +1117,7 @@ sign_file (ctrl_t ctrl, strlist_t filena - for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) - gcry_md_enable (mfx.md, hash_for (sk_rover->pk)); + for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) + gcry_md_enable (mfx.md, hash_for (sk_rover->pk)); -- if( !multifile ) -+ if( !multifile && !opt.file_is_digest ) - iobuf_push_filter( inp, md_filter, &mfx ); +- if (!multifile) ++ if (!multifile && !opt.file_is_digest) + iobuf_push_filter (inp, md_filter, &mfx); - if( detached && !encryptflag) + if (detached && !encryptflag) 
@@ -1155,6 +1172,8 @@ sign_file (ctrl_t ctrl, strlist_t filena - write_status_begin_signing (mfx.md); + write_status_begin_signing (mfx.md); -+ sigclass = opt.textmode && !outfile? 0x01 : 0x00; ++ sigclass = opt.textmode && !outfile? 0x01 : 0x00; + - /* Setup the inner packet. */ - if( detached ) { - if( multifile ) { -@@ -1195,6 +1214,45 @@ sign_file (ctrl_t ctrl, strlist_t filena - if( opt.verbose ) - log_printf ("\n"); + /* Setup the inner packet. */ + if (detached) + { +@@ -1195,6 +1214,49 @@ sign_file (ctrl_t ctrl, strlist_t filena + if (opt.verbose) + log_printf ("\n"); } -+ else if (opt.file_is_digest) { -+ byte *mdb, ts[5]; -+ size_t mdlen; -+ const char *fp; -+ int c, d; -+ -+ gcry_md_final(mfx.md); -+ /* this assumes gcry_md_read returns the same buffer */ -+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo); -+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo); -+ if (strlen(fname) != mdlen * 2 + 11) -+ log_bug("digests must be %zu + @ + 5 bytes\n", mdlen); -+ d = -1; -+ for (fp = fname ; *fp; ) { -+ c = *fp++; -+ if (c >= '0' && c <= '9') -+ c -= '0'; -+ else if (c >= 'a' && c <= 'f') -+ c -= 'a' - 10; -+ else if (c >= 'A' && c <= 'F') -+ c -= 'A' - 10; -+ else -+ log_bug("filename is not hex\n"); -+ if (d >= 0) { -+ *mdb++ = d << 4 | c; -+ c = -1; -+ if (--mdlen == 0) { -+ mdb = ts; -+ if (*fp++ != '@') -+ log_bug("missing time separator\n"); -+ } -+ } -+ d = c; -+ } -+ sigclass = ts[0]; -+ if (sigclass != 0x00 && sigclass != 0x01) -+ log_bug("bad cipher class\n"); -+ timestamp = buf32_to_u32(ts + 1); -+ } - else { - /* read, so that the filter can calculate the digest */ - while( iobuf_get(inp) != -1 ) ++ else if (opt.file_is_digest) ++ { ++ byte *mdb, ts[5]; ++ size_t mdlen; ++ const char *fp; ++ int c, d; ++ ++ gcry_md_final(mfx.md); ++ /* this assumes gcry_md_read returns the same buffer */ ++ mdb = gcry_md_read(mfx.md, opt.def_digest_algo); ++ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo); ++ if (strlen(fname) != mdlen * 2 + 11) ++ 
log_bug("digests must be %zu + @ + 5 bytes\n", mdlen); ++ d = -1; ++ for (fp = fname ; *fp; ) ++ { ++ c = *fp++; ++ if (c >= '0' && c <= '9') ++ c -= '0'; ++ else if (c >= 'a' && c <= 'f') ++ c -= 'a' - 10; ++ else if (c >= 'A' && c <= 'F') ++ c -= 'A' - 10; ++ else ++ log_bug("filename is not hex\n"); ++ if (d >= 0) ++ { ++ *mdb++ = d << 4 | c; ++ c = -1; ++ if (--mdlen == 0) ++ { ++ mdb = ts; ++ if (*fp++ != '@') ++ log_bug("missing time separator\n"); ++ } ++ } ++ d = c; ++ } ++ sigclass = ts[0]; ++ if (sigclass != 0x00 && sigclass != 0x01) ++ log_bug("bad cipher class\n"); ++ timestamp = buf32_to_u32(ts + 1); ++ } + else + { + /* Read, so that the filter can calculate the digest. */ @@ -1213,8 +1271,8 @@ sign_file (ctrl_t ctrl, strlist_t filena - /* write the signatures */ - rc = write_signature_packets (ctrl, sk_list, out, mfx.md, -- opt.textmode && !outfile? 0x01 : 0x00, -- 0, duration, detached ? 'D':'S', NULL); -+ sigclass, -+ timestamp, duration, detached ? 'D':'S', NULL); - if( rc ) - goto leave; + /* Write the signatures. */ + rc = write_signature_packets (ctrl, sk_list, out, mfx.md, extrahash, +- opt.textmode && !outfile? 0x01 : 0x00, +- 0, duration, detached ? 'D':'S', NULL); ++ sigclass, ++ timestamp, duration, detached ? 'D':'S', NULL); + if (rc) + goto leave; diff --git a/gnupg-2.2.21-coverity.patch b/gnupg-2.2.21-coverity.patch index b4e65b6..f7419ff 100644 --- a/gnupg-2.2.21-coverity.patch +++ b/gnupg-2.2.21-coverity.patch @@ -1,6 +1,6 @@ diff -up gnupg-2.2.21/common/server-help.c.coverity gnupg-2.2.21/common/server-help.c ---- gnupg-2.2.21/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100 -+++ gnupg-2.2.21/common/server-help.c 2020-07-20 17:09:57.416148768 +0200 +--- gnupg-2.2.21/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100 ++++ gnupg-2.2.21/common/server-help.c 2020-07-20 17:09:57.416148768 +0200 @@ -156,7 +156,7 @@ get_option_value (char *line, const char *pend = 0; *r_value = xtrystrdup (p); 
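Review bot: In the rebased write_signature_packets hunk, `err` is now assigned only inside `if (!opt.file_is_digest)`, so on the --file-is-digest path the `if (!err)` that follows reads it with no assignment visible in the hunk. This commit also drops the sign.c section of gnupg-2.2.21-coverity.patch that changed the declaration to `gpg_error_t err = 0;`, so unless the 2.3.4 source already initialises it (the declaration is outside the hunk), the patch should set `err = 0;` before the `if (!opt.file_is_digest)` test. Separately, a v5 key gets `sig->version = 5` before the file-is-digest case is considered and then reaches the new `log_bug` call; testing for that in sign_file next to the other --file-is-digest preconditions would reject the combination before any signing state is set up.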
@@ -10,9 +10,93 @@ diff -up gnupg-2.2.21/common/server-help.c.coverity gnupg-2.2.21/common/server-h return my_error_from_syserror (); return 0; } -diff -up gnupg-2.2.21/dirmngr/domaininfo.c.coverity gnupg-2.2.21/dirmngr/domaininfo.c ---- gnupg-2.2.21/dirmngr/domaininfo.c.coverity 2019-07-09 11:08:45.000000000 +0200 -+++ gnupg-2.2.21/dirmngr/domaininfo.c 2020-07-20 17:09:57.418148784 +0200 + +From 7a707a3eff1c3fbe17a74337776871f408377cee Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 9 Apr 2021 16:13:07 +0200 +Subject: [PATCH GnuPG 03/19] g10: Fix memory leaks + +* g10/card-util.c (change_pin): free answer on errors + (ask_card_keyattr): free answer on error +* g10/cpr.c (do_get_from_fd): free string +* g10/gpg.c (check_permissions): free dir on weird error +* g10/import.c (append_new_uid): release knode +* g10/keyedit.c (menu_set_keyserver_url): free answer + (menu_set_keyserver_url): free user +* g10/keygen.c (print_status_key_not_created): move allocation after + sanity check + (ask_expire_interval): free answer + (card_store_key_with_backup): goto leave instaed of return +* g10/keyserver.c (parse_keyserver_uri): goto fail instead of return +* g10/revoke.c (gen_desig_revoke): release kdbhd + (gen_desig_revoke): free answer +* g10/tofu.c (ask_about_binding): free sqerr and response +* g10/trustdb.c (ask_ownertrust): free pk + +-- + +Signed-off-by: Jakub Jelen +--- + g10/card-util.c | 14 +++++++++++--- + g10/cpr.c | 6 +++++- + g10/gpg.c | 1 + + g10/import.c | 5 ++++- + g10/keyedit.c | 8 +++++++- + g10/keygen.c | 15 +++++++++++---- + g10/keyserver.c | 2 +- + g10/revoke.c | 6 +++++- + g10/tofu.c | 4 ++++ + g10/trustdb.c | 1 + + 10 files changed, 50 insertions(+), 12 deletions(-) + +diff --git a/g10/card-util.c b/g10/card-util.c +index 36f096f06..c7df8380d 100644 +--- a/g10/card-util.c ++++ b/g10/card-util.c +@@ -127,7 +127,7 @@ change_pin (int unblock_v2, int allow_admin) + else + for (;;) + { +- char *answer; ++ char *answer = NULL; + + tty_printf ("\n"); + 
tty_printf ("1 - change PIN\n" +diff --git a/g10/tofu.c b/g10/tofu.c +index f49083844..83786a08d 100644 +--- a/g10/tofu.c ++++ b/g10/tofu.c +@@ -1687,6 +1687,8 @@ ask_about_binding (ctrl_t ctrl, + GPGSQL_ARG_END); + if (rc) + { ++ sqlite3_free (sqerr); ++ sqerr = NULL; + rc = gpg_error (GPG_ERR_GENERAL); + break; + } +-- +2.30.2 + + +From 7c8048b686a6e811d0b24febf3c5e2528e7881f1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 13 Apr 2021 16:23:31 +0200 +Subject: [PATCH GnuPG 14/19] dirmgr: Avoid memory leaks + +* dirmngr/domaininfo.c (insert_or_update): free di_new + +-- + +Signed-off-by: Jakub Jelen +--- + dirmngr/domaininfo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/dirmngr/domaininfo.c b/dirmngr/domaininfo.c +index b41aef366..87782b4b1 100644 +--- a/dirmngr/domaininfo.c ++++ b/dirmngr/domaininfo.c @@ -193,6 +193,7 @@ insert_or_update (const char *domain, log_error ("domaininfo: error allocating helper array: %s\n", gpg_strerror (gpg_err_code_from_syserror ())); 
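Review bot: The embedded patch 03/19 keeps the upstream commit message and a diffstat listing ten files, but only the card-util.c and tofu.c hunks are carried here, and the card-util.c hunk only initialises `answer` without the frees the message describes. A line of free text above the `From 7a707a3eff1c…` header, for example `Subset of upstream commit 7a707a3e: only the card-util.c and tofu.c hunks are carried`, would tell the next rebaser that the trimming is deliberate. Whether the omitted hunks are already in the 2.3.4 tarball cannot be seen from this diff and should be confirmed.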
@@ -21,220 +105,93 @@ diff -up gnupg-2.2.21/dirmngr/domaininfo.c.coverity gnupg-2.2.21/dirmngr/domaini goto leave; } narray = 0; -@@ -258,6 +259,8 @@ insert_or_update (const char *domain, - * sensible strategy. */ - drop_extra = domainbuckets[hash]; - domainbuckets[hash] = keep; -+ -+ xfree (array); - } - - /* Insert */ -diff -up gnupg-2.2.21/dirmngr/http.c.coverity gnupg-2.2.21/dirmngr/http.c ---- gnupg-2.2.21/dirmngr/http.c.coverity 2019-11-18 18:44:33.000000000 +0100 -+++ gnupg-2.2.21/dirmngr/http.c 2020-07-20 17:09:57.419148793 +0200 -@@ -3656,7 +3656,6 @@ http_prepare_redirect (http_redir_info_t - if (!newurl) - { - err = gpg_error_from_syserror (); -- http_release_parsed_uri (locuri); - return err; - } - } -@@ -3675,7 +3674,6 @@ http_prepare_redirect (http_redir_info_t - if (!newurl) - { - err = gpg_error_from_syserror (); -- http_release_parsed_uri (locuri); - return err; - } - } -diff -up gnupg-2.2.21/dirmngr/ks-engine-hkp.c.coverity gnupg-2.2.21/dirmngr/ks-engine-hkp.c ---- gnupg-2.2.21/dirmngr/ks-engine-hkp.c.coverity 2019-11-18 18:44:33.000000000 +0100 -+++ gnupg-2.2.21/dirmngr/ks-engine-hkp.c 2020-07-20 17:09:57.419148793 +0200 -@@ -1426,7 +1426,7 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t - int reselect; - unsigned int httpflags; - char *httphost = NULL; -- unsigned int http_status; -+ unsigned int http_status = 0; - unsigned int tries = SEND_REQUEST_RETRIES; - unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES; - -diff -up gnupg-2.2.21/g10/card-util.c.coverity gnupg-2.2.21/g10/card-util.c ---- gnupg-2.2.21/g10/card-util.c.coverity 2020-04-15 15:17:48.000000000 +0200 -+++ gnupg-2.2.21/g10/card-util.c 2020-07-20 17:09:57.419148793 +0200 -@@ -667,7 +667,7 @@ card_status (ctrl_t ctrl, estream_t fp, - { - int err; - strlist_t card_list, sl; -- char *serialno0, *serialno1; -+ char *serialno0, *serialno1 = NULL; - int all_cards = 0; - int any_card = 0; - -@@ -712,6 +712,7 @@ card_status (ctrl_t ctrl, estream_t fp, - - current_card_status (ctrl, fp, NULL, 
0); - xfree (serialno1); -+ serialno1 = NULL; - - if (!all_cards) - goto leave; -diff -up gnupg-2.2.21/g10/import.c.coverity gnupg-2.2.21/g10/import.c ---- gnupg-2.2.21/g10/import.c.coverity 2020-07-20 17:09:57.416148768 +0200 -+++ gnupg-2.2.21/g10/import.c 2020-07-20 17:09:57.419148793 +0200 -@@ -1888,7 +1888,7 @@ import_one_real (ctrl_t ctrl, - - if (opt.interactive && !silent) - { -- if (is_status_enabled()) -+ if (uidnode && is_status_enabled()) - print_import_check (pk, uidnode->pkt->pkt.user_id); - merge_keys_and_selfsig (ctrl, keyblock); - tty_printf ("\n"); -diff -up gnupg-2.2.21/g10/keygen.c.coverity gnupg-2.2.21/g10/keygen.c ---- gnupg-2.2.21/g10/keygen.c.coverity 2020-07-20 17:09:57.401148640 +0200 -+++ gnupg-2.2.21/g10/keygen.c 2020-07-20 17:09:57.420148801 +0200 -@@ -3075,7 +3075,7 @@ parse_key_parameter_part (ctrl_t ctrl, - char *endp; - const char *curve = NULL; - int ecdh_or_ecdsa = 0; -- unsigned int size; -+ unsigned int size = 0; - int keyuse; - int i; - const char *s; -@@ -5719,12 +5719,20 @@ gen_card_key (int keyno, int algo, int i - the self-signatures. 
*/ - err = agent_readkey (NULL, 1, keyid, &public); +-- +2.30.2 + + +From ab3b8c53993b3305088efde756a44bac6e6492d4 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 13 Apr 2021 16:34:40 +0200 +Subject: [PATCH GnuPG 15/19] scd: Avoid memory leaks and uninitialized memory + +* scd/app-piv.c (do_decipher): goto leave, initialize outdatalen + +-- + +Signed-off-by: Jakub Jelen +--- + scd/app-piv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scd/app-piv.c b/scd/app-piv.c +index 143cc047a..94257f0ee 100644 +--- a/scd/app-piv.c ++++ b/scd/app-piv.c +@@ -2483,7 +2483,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, + gpg_error_t err; + data_object_t dobj; + unsigned char *outdata = NULL; +- size_t outdatalen; ++ size_t outdatalen = 0; + const unsigned char *s; + size_t n; + int keyref, mechanism; +@@ -2582,7 +2582,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, + /* Now verify the Application PIN. */ + err = verify_chv (app, ctrl, 0x80, 0, pincb, pincb_arg); if (err) - return err; -+ { -+ xfree (pkt); -+ xfree (pk); -+ return err; -+ } - err = gcry_sexp_sscan (&s_key, NULL, public, - gcry_sexp_canon_len (public, 0, NULL, NULL)); - xfree (public); - if (err) -- return err; -+ { -+ xfree (pkt); -+ xfree (pk); -+ return err; -+ } ++ goto leave; - if (algo == PUBKEY_ALGO_RSA) - err = key_from_sexp (pk->pkey, s_key, "public-key", "ne"); -@@ -5739,6 +5747,7 @@ gen_card_key (int keyno, int algo, int i - if (err) - { - log_error ("key_from_sexp failed: %s\n", gpg_strerror (err) ); -+ xfree (pkt); - free_public_key (pk); - return err; - } -diff -up gnupg-2.2.21/g10/sig-check.c.coverity gnupg-2.2.21/g10/sig-check.c ---- gnupg-2.2.21/g10/sig-check.c.coverity 2020-07-03 16:17:05.000000000 +0200 -+++ gnupg-2.2.21/g10/sig-check.c 2020-07-20 17:09:57.420148801 +0200 -@@ -902,6 +902,7 @@ check_signature_over_key_or_uid (ctrl_t - { - /* Issued by a subkey. 
*/ - signer = subk; -+ *is_selfsig = 1; - break; - } - } -diff -up gnupg-2.2.21/g10/sign.c.coverity gnupg-2.2.21/g10/sign.c ---- gnupg-2.2.21/g10/sign.c.coverity 2020-07-20 17:09:57.399148624 +0200 -+++ gnupg-2.2.21/g10/sign.c 2020-07-20 17:09:57.420148801 +0200 -@@ -824,7 +824,7 @@ write_signature_packets (ctrl_t ctrl, - PKT_public_key *pk; - PKT_signature *sig; - gcry_md_hd_t md; -- gpg_error_t err; -+ gpg_error_t err = 0; - - pk = sk_rover->pk; - -diff -up gnupg-2.2.21/kbx/keybox-dump.c.coverity gnupg-2.2.21/kbx/keybox-dump.c ---- gnupg-2.2.21/kbx/keybox-dump.c.coverity 2019-08-23 15:59:06.000000000 +0200 -+++ gnupg-2.2.21/kbx/keybox-dump.c 2020-07-20 17:09:57.420148801 +0200 -@@ -786,11 +786,15 @@ _keybox_dump_cut_records (const char *fi - while ( !(rc = _keybox_read_blob (&blob, fp, NULL)) ) - { - if (recno > to) -- break; /* Ready. */ -+ { -+ _keybox_release_blob (blob); -+ break; /* Ready. */ -+ } - if (recno >= from) - { - if ((rc = _keybox_write_blob (blob, NULL, outfp))) - { -+ _keybox_release_blob (blob); - fprintf (stderr, "error writing output: %s\n", - gpg_strerror (rc)); - goto leave; -diff -up gnupg-2.2.21/tools/gpg-wks-server.c.coverity gnupg-2.2.21/tools/gpg-wks-server.c ---- gnupg-2.2.21/tools/gpg-wks-server.c.coverity 2020-02-10 16:12:13.000000000 +0100 -+++ gnupg-2.2.21/tools/gpg-wks-server.c 2020-07-20 17:09:57.420148801 +0200 -@@ -890,15 +890,18 @@ store_key_as_pending (const char *dir, e - } - - leave: -- if (err) -+ if (fname) - { -- es_fclose (outfp); -- gnupg_remove (fname); -- } -- else if (es_fclose (outfp)) -- { -- err = gpg_error_from_syserror (); -- log_error ("error closing '%s': %s\n", fname, gpg_strerror (err)); -+ if (err) -+ { -+ es_fclose (outfp); -+ gnupg_remove (fname); -+ } -+ else if (es_fclose (outfp)) -+ { -+ err = gpg_error_from_syserror (); -+ log_error ("error closing '%s': %s\n", fname, gpg_strerror (err)); -+ } - } - - if (!err) -diff -up gnupg-2.2.21/tools/wks-util.c.coverity gnupg-2.2.21/tools/wks-util.c ---- 
gnupg-2.2.21/tools/wks-util.c.coverity 2019-11-23 13:50:21.000000000 +0100 -+++ gnupg-2.2.21/tools/wks-util.c 2020-07-20 17:09:57.421148810 +0200 -@@ -948,7 +948,7 @@ ensure_policy_file (const char *addrspec - static gpg_error_t - install_key_from_spec_file (const char *fname) + /* Build the Dynamic Authentication Template. */ + err = concat_tlv_list (0, &apdudata, &apdudatalen, +-- +2.30.2 + + +From f182bf91443618323e34261039045a6bde269be5 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 13 Apr 2021 16:44:48 +0200 +Subject: [PATCH GnuPG 16/19] tools: Avoid memory leaks + +* tools/wks-util.c (wks_cmd_print_wkd_url): Free addrspec on error + (wks_cmd_print_wkd_hash): Free addrspec on error + +-- + +Signed-off-by: Jakub Jelen +--- + tools/wks-util.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/tools/wks-util.c b/tools/wks-util.c +index 516c7fe00..38dd194ff 100644 +--- a/tools/wks-util.c ++++ b/tools/wks-util.c +@@ -1192,11 +1192,14 @@ gpg_error_t + wks_cmd_print_wkd_hash (const char *userid) { -- gpg_error_t err; -+ gpg_error_t err = 0; - estream_t fp; - char *line = NULL; - size_t linelen = 0; -@@ -1195,10 +1195,8 @@ wks_cmd_print_wkd_hash (const char *user - char *addrspec, *fname; + gpg_error_t err; +- char *addrspec, *fname; ++ char *addrspec = NULL, *fname; err = wks_fname_from_userid (userid, 1, &fname, &addrspec); -- if (err) + if (err) - return err; -- -- es_printf ("%s %s\n", fname, addrspec); -+ if (!err) -+ es_printf ("%s %s\n", fname, addrspec); ++ { ++ xfree (addrspec); ++ return err; ++ } - xfree (fname); - xfree (addrspec); -@@ -1216,7 +1214,10 @@ wks_cmd_print_wkd_url (const char *useri + es_printf ("%s %s\n", fname, addrspec); + +@@ -1211,12 +1214,15 @@ gpg_error_t + wks_cmd_print_wkd_url (const char *userid) + { + gpg_error_t err; +- char *addrspec, *fname; ++ char *addrspec = NULL, *fname; + char *domain; err = wks_fname_from_userid (userid, 1, &fname, &addrspec); if (err) 
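Review bot: This hunk drops the import.c section of the coverity patch, whose `if (uidnode && is_status_enabled())` guard protected `print_import_check (pk, uidnode->pkt->pkt.user_id)`. gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch is still applied and removes the `if (!uidnode)` bail-out in import_one_real, so when `opt.interactive` is set a key without a user ID could reach that dereference with `uidnode` NULL. Unless the 2.3.4 import.c (not visible here) already checks it, keep that one-line guard in the patch set. The other removed sections (http.c, keygen.c, sig-check.c, keybox-dump.c, gpg-wks-server.c) should likewise be checked against the 2.3.4 source rather than assumed fixed upstream.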
@@ -246,3 +203,38 @@ diff -up gnupg-2.2.21/tools/wks-util.c.coverity gnupg-2.2.21/tools/wks-util.c domain = strchr (addrspec, '@'); if (domain) +-- +2.30.2 + + +From 600fabd8268c765d45d48873e7a8610e6dae0966 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 14 Apr 2021 15:59:12 +0200 +Subject: [PATCH GnuPG 17/19] scd: Use the same allocator to free memory + +* scd/command.c (cmd_getinfo): Use free instead of gcry_free to match + the original allocator + +-- + +Signed-off-by: Jakub Jelen +--- + scd/command.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scd/command.c b/scd/command.c +index cb0dd379a..9d85c5a41 100644 +--- a/scd/command.c ++++ b/scd/command.c +@@ -1832,7 +1832,8 @@ cmd_getinfo (assuan_context_t ctx, char *line) + rc = assuan_send_data (ctx, p, strlen (p)); + else + rc = gpg_error (GPG_ERR_NO_DATA); +- xfree (p); ++ /* allocated by scd/ccid-driver.c which is not using x*alloc/gcry_* */ ++ free (p); + } + else if (!strcmp (line, "deny_admin")) + rc = opt.allow_admin? gpg_error (GPG_ERR_GENERAL) : 0; +-- +2.30.2 diff --git a/gnupg-2.2.27.tar.bz2 b/gnupg-2.2.27.tar.bz2 deleted file mode 100644 index b289317..0000000 Binary files a/gnupg-2.2.27.tar.bz2 and /dev/null differ diff --git a/gnupg-2.2.27.tar.bz2.sig b/gnupg-2.2.27.tar.bz2.sig deleted file mode 100644 index c993854..0000000 Binary files a/gnupg-2.2.27.tar.bz2.sig and /dev/null differ diff --git a/gnupg-2.3.4.tar.bz2 b/gnupg-2.3.4.tar.bz2 new file mode 100644 index 0000000..b638cf8 Binary files /dev/null and b/gnupg-2.3.4.tar.bz2 differ diff --git a/gnupg-2.3.4.tar.bz2.sig b/gnupg-2.3.4.tar.bz2.sig new file mode 100644 index 0000000..a669b52 Binary files /dev/null and b/gnupg-2.3.4.tar.bz2.sig differ diff --git a/gnupg2.spec b/gnupg2.spec index 8cc859b..dc4aba0 100644 --- a/gnupg2.spec +++ b/gnupg2.spec @@ -1,6 +1,6 @@ Name: gnupg2 -Version: 2.2.27 -Release: 4 +Version: 2.3.4 +Release: 1 Summary: Utility for secure communication and data storage License: GPLv3+ 
@@ -8,28 +8,27 @@ URL: https://gnupg.org/ Source0: https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2 Source1: https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig -Patch0: fix-a-memory-leak-in-g10.patch -Patch1: gnupg-2.1.10-secmem.patch -Patch2: gnupg-2.1.1-fips-algo.patch -Patch3: gnupg-2.2.23-insttools.patch -Patch4: gnupg-2.2.23-large-rsa.patch -Patch5: gnupg-2.2.16-ocsp-keyusage.patch -Patch6: gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch -Patch7: gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch -Patch8: gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch -Patch9: gnupg-2.2.20-file-is-digest.patch -Patch10: gnupg-2.2.21-coverity.patch -Patch11: common-Avoid-undefined-behavior-of-left-shift-operat.patch +Patch0: gnupg-2.1.10-secmem.patch +Patch1: gnupg-2.1.1-fips-algo.patch +Patch2: gnupg-2.2.23-large-rsa.patch +Patch3: gnupg-2.2.16-ocsp-keyusage.patch +Patch4: gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch +Patch5: gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch +Patch6: gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch +Patch7: gnupg-2.2.20-file-is-digest.patch +Patch8: gnupg-2.2.21-coverity.patch BuildRequires: gcc BuildRequires: zlib-devel, npth-devel, texinfo -BuildRequires: libgpg-error-devel >= 1.31 -BuildRequires: libgcrypt-devel >= 1.7.0 +BuildRequires: libgpg-error-devel >= 1.38 +BuildRequires: libgcrypt-devel >= 1.9.1 BuildRequires: libksba-devel >= 1.3.0 BuildRequires: libassuan-devel >= 2.1.0 +# compile dirmngr module, need gnutls +BuildRequires: gnutls-devel -Requires: libgcrypt >= 1.7.0 -Requires: libgpg-error >= 1.31 +Requires: libgcrypt >= 1.9.1 +Requires: libgpg-error >= 1.38 Recommends: pinentry Recommends: gnupg2-smime 
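Review bot: Source1 carries the detached signature for the new 2.3.4 tarball, but nothing in the visible spec hunks verifies Source0 against it, so the .sig is only stored next to the source. If %prep (outside this hunk) does not already do so, add a verification step there against a keyring of the upstream release keys shipped as an additional Source. A replaced tarball would then fail the build instead of being trusted because it was uploaded with this commit.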
@@ -63,10 +62,14 @@ signing to the base GnuPG package. sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c %build +# add --disable-ccid-driver to solve #2005714 +# disable tpm2 module %configure \ --disable-gpgtar \ --disable-rpath \ --enable-g13 \ + --disable-ccid-driver \ + --disable-tpm2d \ --enable-large-secmem %make_build @@ -115,6 +118,9 @@ make check %changelog +* Mon Jan 10 2022 yixiangzhike - 2.3.4-1 +- update to 2.3.4 + * Mon Aug 2 2021 yixiangzhike - 2.2.27-4 - fix the insttools patch
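Review bot: The new comment cites `#2005714` without naming the tracker, and neither comment says what the build loses. With `--disable-ccid-driver`, scdaemon presumably has to reach readers through the PC/SC library named by the `sed` line above, so smart-card use would depend on pcsc-lite being installed; say so in the comment and check whether the package should Recommend it. Something like `# --disable-ccid-driver: use pcscd instead of the built-in CCID driver (<tracker URL for #2005714>)` and `# --disable-tpm2d: TPM 2.0 key daemon not built` would do.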