From 216c7266737204af05275d0ff196cfddda083366 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sat, 9 Jun 2018 22:21:21 +0300 Subject: gnu: gnupg: Update to 2.2.8 (fixes CVE-2018-12020). * gnu/packages/gnupg.scm (gnupg): Update to 2.2.8. --- gnu/packages/gnupg.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/gnupg.scm') diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index eeac964fef..7b66ee479d 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm @@ -231,14 +231,14 @@ compatible to GNU Pth.") (define-public gnupg (package (name "gnupg") - (version "2.2.7") + (version "2.2.8") (source (origin (method url-fetch) (uri (string-append "mirror://gnupg/gnupg/gnupg-" version ".tar.bz2")) (sha256 (base32 - "0vlpis0q7gvq9mhdc43hkyn3cdriz4mwgj20my3gyzpgwqg3cnyr")))) + "1k8dnnfs9888yp713l7kg2jg110lw47s4krx0njna6fjrsw4qyvp")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) -- cgit v1.2.3 From 65956ad3526ba09e1f7a40722c96c6ef7c0936fe Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 9 Jun 2018 17:39:14 -0400 Subject: gnu: GnuPG 1.4: Fix CVE-2018-12020. * gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gnupg.scm (gnupg-1)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/gnupg.scm | 1 + .../patches/gnupg-1.4-CVE-2018-12020.patch | 50 ++++++++++++++++++++++ 3 files changed, 52 insertions(+) create mode 100644 gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch (limited to 'gnu/packages/gnupg.scm') diff --git a/gnu/local.mk b/gnu/local.mk index 72339735d8..07ca5e220e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -743,6 +743,7 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-todo-libical-compat.patch \ %D%/packages/patches/gnome-tweak-tool-search-paths.patch \ %D%/packages/patches/gnucash-price-quotes-perl.patch \ + %D%/packages/patches/gnupg-1.4-CVE-2018-12020.patch \ %D%/packages/patches/gnutls-skip-trust-store-test.patch \ %D%/packages/patches/gnutls-skip-pkgconfig-test.patch \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index 7b66ee479d..42b54c1ea0 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm @@ -354,6 +354,7 @@ libskba (working with X.509 certificates and CMS data).") (method url-fetch) (uri (string-append "mirror://gnupg/gnupg/gnupg-" version ".tar.bz2")) + (patches (search-patches "gnupg-1.4-CVE-2018-12020.patch")) (sha256 (base32 "1d1hz4szh1kvwhsw7w2zxa6q5ndrk3qy6hj289l1b8k3xi5s554m")))) diff --git a/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch b/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch new file mode 100644 index 0000000000..306d4d348b --- /dev/null +++ b/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch 
@@ -0,0 +1,50 @@
+Fix CVE-2018-12020:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
+https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
+
+Patch copied from upstream source repository:
+
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac
+
+From 2326851c60793653069494379b16d84e4c10a0ac Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Fri, 8 Jun 2018 10:45:21 +0200
+Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
+
+* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
+--
+
+This fixes a forgotten sanitation of user supplied data in a verbose
+mode diagnostic. The mention CVE is about using this to inject
+status-fd lines into the stderr output. Other harm good as well be
+done. Note that GPGME based applications are not affected because
+GPGME does not fold status output into stderr.
+
+CVE-id: CVE-2018-12020
+GnuPG-bug-id: 4012
+(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
+---
+ g10/mainproc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/g10/mainproc.c b/g10/mainproc.c
+index 33a654b34..ffa7ef6d8 100644
+--- a/g10/mainproc.c
++++ b/g10/mainproc.c
+@@ -638,7 +638,11 @@ proc_plaintext( CTX c, PACKET *pkt )
+ if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
+ log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
+ else if( opt.verbose )
+- log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
++ {
++ char *tmp = make_printable_string (pt->name, pt->namelen, 0);
++ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
++ xfree (tmp);
++ }
+ free_md_filter_context( &c->mfx );
+ c->mfx.md = md_open( 0, 0);
+ /* fixme: we may need to push the textfilter if we have sigclass 1
+--
+2.17.1
+
-- cgit v1.2.3
From ff76a1e9cad607cb0b91f1e46c65aa1c87b131f6 Mon Sep 17 00:00:00 2001
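Review bot: No comment in the block added to proc_plaintext says why pt->name is escaped before it is logged, and that reason is the entire fix: the name comes from the message being processed, so an unescaped line break in it can begin what looks like a separate diagnostic or status line to any caller that reads both from stderr. I would add `/* pt->name is supplied by the message sender; make it printable so it cannot start a new log or status line. */` above the `make_printable_string` call. `(int)strlen (tmp)` with `%.*s` is redundant for a NUL-terminated buffer; presumably the format was kept so the translated message id does not change, which deserves a word in the same comment. proc_plaintext begins and ends outside the inner hunk, so whether pt->name is printed elsewhere in it cannot be checked from these lines.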
From: Tobias Geerinckx-Rice Date: Thu, 14 Jun 2018 04:01:21 +0200 Subject: gnu: python-gnupg: Update to 0.4.3. * gnu/packages/gnupg.scm (python-gnupg): Update to 0.4.3. [arguments]: Remove obsolete substitution. --- gnu/packages/gnupg.scm | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'gnu/packages/gnupg.scm') diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index 42b54c1ea0..ff2efb759e 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm @@ -508,14 +508,14 @@ decrypt messages using the OpenPGP format by making use of GPGME.") (define-public python-gnupg (package (name "python-gnupg") - (version "0.3.8") + (version "0.4.3") (source (origin (method url-fetch) (uri (pypi-uri "python-gnupg" version)) (sha256 (base32 - "0nkbs9c8f30lra7ca39kg91x8cyxn0jb61vih4qky839gpbwwwiq")))) + "03dc8whhvk7ccspbk8vzfhkxli8cd9zfbss5p597g4jldgy8s59d")))) (build-system python-build-system) (arguments `(#:phases @@ -523,8 +523,6 @@ decrypt messages using the OpenPGP format by making use of GPGME.") (replace 'check (lambda _ (substitute* "test_gnupg.py" - ;; Exported keys don't have a version line! - (("del k1\\[1\\]") "#") ;; Unsure why this test fails. (("'test_search_keys'") "True") (("def test_search_keys") "def disabled__search_keys")) -- cgit v1.2.3 From b262aba7338b8e3aa97bccb91309848a553280e3 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Thu, 14 Jun 2018 04:02:10 +0200 Subject: gnu: python-gnupg: Return #t from phase. * gnu/packages/gnupg.scm (python-gnupg)[arguments]: Substitute INVOKE for SYSTEM*. --- gnu/packages/gnupg.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/packages/gnupg.scm') diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index ff2efb759e..ecd280f6db 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm 
@@ -529,8 +529,8 @@ decrypt messages using the OpenPGP format by making use of GPGME.") (setenv "USERNAME" "guixbuilder") ;; The doctests are extremely slow and sometimes time out, ;; so we disable them. - (zero? (system* "python" - "test_gnupg.py" "--no-doctests"))))))) + (invoke "python" + "test_gnupg.py" "--no-doctests")))))) (native-inputs `(("gnupg" ,gnupg-1))) (home-page "https://packages.python.org/python-gnupg/index.html") -- cgit v1.2.3 From 03439df66fc2699b22e5786b33324e5432cfe8cf Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Wed, 13 Jun 2018 22:28:48 +0300 Subject: gnu: libgcrypt: Fix CVE-2018-0495. * gnu/packages/gnupg.scm (libgcrypt)[replacement]: New field. (libgcrypt/fixed): New package. --- gnu/packages/gnupg.scm | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'gnu/packages/gnupg.scm') diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index ecd280f6db..6a0defb46f 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm @@ -108,6 +108,7 @@ Daemon and possibly more in the future.") (define-public libgcrypt (package + (replacement libgcrypt/fixed) (name "libgcrypt") (version "1.8.2") (source (origin @@ -142,6 +143,19 @@ generation.") (properties '((ftp-server . "ftp.gnupg.org") (ftp-directory . "/gcrypt/libgcrypt"))))) +(define libgcrypt/fixed + (package + (inherit libgcrypt) + (name "libgcrypt") + (version "1.8.3") + (source (origin + (method url-fetch) + (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-" + version ".tar.bz2")) + (sha256 + (base32 + "0z5gs1khzyknyfjr19k8gk4q148s6q987ya85cpn0iv70fz91v36")))))) + (define-public libassuan (package (name "libassuan") -- cgit v1.2.3 From b6c675c693d21345f4b0589563f914c79f957846 Mon Sep 17 00:00:00 2001 
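Review bot: The new `libgcrypt/fixed` definition (hunk -142,6 +143,19) has no comment tying it to the `(replacement libgcrypt/fixed)` field added in the previous hunk or to the CVE named in the commit subject, so the reason for a second libgcrypt definition is only recoverable from the log. I would put `;; Graft for CVE-2018-0495; fold 1.8.3 into 'libgcrypt' and remove this at the next full rebuild.` directly above `(define libgcrypt/fixed`. The `(name "libgcrypt")` line repeats what `(inherit libgcrypt)` already supplies and could be dropped.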
From: Leo Famulari Date: Thu, 14 Jun 2018 15:34:47 -0400 Subject: gnu: GnuPG 1.4: Update to 1.4.23. * gnu/packages/gnupg.scm (gnupg-1): Update to 1.4.23. [source]: Remove patch. * gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. --- gnu/local.mk | 1 - gnu/packages/gnupg.scm | 5 +-- .../patches/gnupg-1.4-CVE-2018-12020.patch | 50 ---------------------- 3 files changed, 2 insertions(+), 54 deletions(-) delete mode 100644 gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch (limited to 'gnu/packages/gnupg.scm') diff --git a/gnu/local.mk b/gnu/local.mk index bfe8a9ee7e..01e0718723 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -744,7 +744,6 @@ dist_patch_DATA = \ %D%/packages/patches/gnome-todo-libical-compat.patch \ %D%/packages/patches/gnome-tweak-tool-search-paths.patch \ %D%/packages/patches/gnucash-price-quotes-perl.patch \ - %D%/packages/patches/gnupg-1.4-CVE-2018-12020.patch \ %D%/packages/patches/gnutls-skip-trust-store-test.patch \ %D%/packages/patches/gnutls-skip-pkgconfig-test.patch \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index 6a0defb46f..da0c33565a 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm @@ -363,15 +363,14 @@ libskba (working with X.509 certificates and CMS data).") (define-public gnupg-1 (package (inherit gnupg) - (version "1.4.22") + (version "1.4.23") (source (origin (method url-fetch) (uri (string-append "mirror://gnupg/gnupg/gnupg-" version ".tar.bz2")) - (patches (search-patches "gnupg-1.4-CVE-2018-12020.patch")) (sha256 (base32 - "1d1hz4szh1kvwhsw7w2zxa6q5ndrk3qy6hj289l1b8k3xi5s554m")))) + "1fkq4sqldvf6a25mm2qz95swv1qjg464736091w51djiwqbjyin9")))) (native-inputs '()) (inputs `(("zlib" ,zlib) diff --git a/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch b/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch deleted file mode 100644 index 306d4d348b..0000000000 
--- a/gnu/packages/patches/gnupg-1.4-CVE-2018-12020.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Fix CVE-2018-12020:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
-https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000425.html
-
-Patch copied from upstream source repository:
-
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2326851c60793653069494379b16d84e4c10a0ac
-
-From 2326851c60793653069494379b16d84e4c10a0ac Mon Sep 17 00:00:00 2001
-From: Werner Koch
-Date: Fri, 8 Jun 2018 10:45:21 +0200
-Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
-
-* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
---
-
-This fixes a forgotten sanitation of user supplied data in a verbose
-mode diagnostic. The mention CVE is about using this to inject
-status-fd lines into the stderr output. Other harm good as well be
-done. Note that GPGME based applications are not affected because
-GPGME does not fold status output into stderr.
-
-CVE-id: CVE-2018-12020
-GnuPG-bug-id: 4012
-(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
----
- g10/mainproc.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/g10/mainproc.c b/g10/mainproc.c
-index 33a654b34..ffa7ef6d8 100644
---- a/g10/mainproc.c
-+++ b/g10/mainproc.c
-@@ -638,7 +638,11 @@ proc_plaintext( CTX c, PACKET *pkt )
- if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
- log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
- else if( opt.verbose )
-- log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
-+ {
-+ char *tmp = make_printable_string (pt->name, pt->namelen, 0);
-+ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
-+ xfree (tmp);
-+ }
- free_md_filter_context( &c->mfx );
- c->mfx.md = md_open( 0, 0);
- /* fixme: we may need to push the textfilter if we have sigclass 1
---
-2.17.1
-
-- cgit v1.2.3