author | agc <agc> | 2003-12-08 11:36:12 +0000 |
---|---|---|
committer | agc <agc> | 2003-12-08 11:36:12 +0000 |
commit | 94dc0521d50b2a787a3114bfb7ab4c2ad7c59fe6 (patch) | |
tree | fe92cd1c7a582c9d2bda6ee914389579fd7f93cc | |
parent | 969851e3d495b64164eb0e7f0e993c9af6866573 (diff) | |
download | pkgsrc-94dc0521d50b2a787a3114bfb7ab4c2ad7c59fe6.tar.gz |
Pull up security fixes to the pkgsrc-2003Q4 branch, requested by
Alistair Crooks.
---------------------
PatchSet 73
Date: 2003/11/27 09:50:12
Author: tron
Log:
Apply security patch which disables ElGamal signature keys because they
are vulnerable. Bump package revision to reflect this change.
Members:
Makefile:1.53->1.54
distinfo:1.21->1.22
---------------------
PatchSet 74
Date: 2003/11/27 23:46:36
Author: heinz
Log:
Add improved patch for compromised ElGamal signing keys from
gnupg-devel at gnupg org. The old patch didn't completely disable usage
of the compromised keys.
Move the old and new fix to the patches/ directory.
Members:
Makefile:1.54->1.55
distinfo:1.22->1.23
patches/patch-ai:INITIAL->1.1
patches/patch-aj:INITIAL->1.1
-rw-r--r-- | security/gnupg/Makefile | 4 | ||||
-rw-r--r-- | security/gnupg/distinfo | 4 | ||||
-rw-r--r-- | security/gnupg/patches/patch-ai | 35 | ||||
-rw-r--r-- | security/gnupg/patches/patch-aj | 43 |
4 files changed, 83 insertions, 3 deletions
diff --git a/security/gnupg/Makefile b/security/gnupg/Makefile index 87ed153326e..5afb7cbac2b 100644 --- a/security/gnupg/Makefile +++ b/security/gnupg/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.53 2003/10/11 07:18:50 grant Exp $ +# $NetBSD: Makefile,v 1.53.2.1 2003/12/08 11:36:12 agc Exp $ DISTNAME= gnupg-1.2.3 +PKGREVISION= 2 CATEGORIES= security MASTER_SITES= ftp://ftp.gnupg.org/gcrypt/gnupg/ \ ftp://ftp.planetmirror.com/pub/gnupg/gnupg/ \ @@ -16,7 +17,6 @@ HOMEPAGE= http://www.gnupg.org/ COMMENT= Privacy Guard, public-Key encryption and digital signatures BUILD_USES_MSGFMT= yes - CRYPTO= yes GNU_CONFIGURE= yes USE_BUILDLINK2= yes diff --git a/security/gnupg/distinfo b/security/gnupg/distinfo index 4dd131fbde9..23b7829c56a 100644 --- a/security/gnupg/distinfo +++ b/security/gnupg/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.21 2003/08/25 21:25:24 itojun Exp $ +$NetBSD: distinfo,v 1.21.2.1 2003/12/08 11:36:12 agc Exp $ SHA1 (gnupg-1.2.3.tar.bz2) = 1a5f68b52aa04f7370a80c2dfa708accfc64d854 Size (gnupg-1.2.3.tar.bz2) = 2294773 bytes @@ -9,3 +9,5 @@ SHA1 (patch-ac) = ce5bbc1bb648f782ffc93704532fc8ca7f8a9524 SHA1 (patch-ad) = 2783ded1fa83c755b4fe8a544066da631b88db8e SHA1 (patch-ae) = fdcda5736583ba3c5807928d1b958e10e1d8fc06 SHA1 (patch-af) = 0ddc5ad0692b365236e6bf643b44d8f70c5b6dd0 +SHA1 (patch-ai) = d590234e1fd272a0f7e7b30d7b885ca2f979daf4 +SHA1 (patch-aj) = 6e682cb89eb8ca185a6e0cc82ea9466b16f598b0 diff --git a/security/gnupg/patches/patch-ai b/security/gnupg/patches/patch-ai new file mode 100644 index 00000000000..c7a241003f8 --- /dev/null +++ b/security/gnupg/patches/patch-ai 
@@ -0,0 +1,35 @@
+$NetBSD: patch-ai,v 1.1.2.2 2003/12/08 11:36:12 agc Exp $
+
+--- g10/keygen.c.orig Mon Jul 28 20:34:41 2003
++++ g10/keygen.c
+@@ -958,8 +958,6 @@ ask_algo (int addmode, unsigned int *r_u
+ tty_printf( _(" (%d) DSA (sign only)\n"), 2 );
+ if( addmode )
+ tty_printf( _(" (%d) ElGamal (encrypt only)\n"), 3 );
+- if (opt.expert)
+- tty_printf( _(" (%d) ElGamal (sign and encrypt)\n"), 4 );
+ tty_printf( _(" (%d) RSA (sign only)\n"), 5 );
+ if (addmode)
+ tty_printf( _(" (%d) RSA (encrypt only)\n"), 6 );
+@@ -989,21 +987,6 @@ ask_algo (int addmode, unsigned int *r_u
+ algo = PUBKEY_ALGO_RSA;
+ *r_usage = PUBKEY_USAGE_SIG;
+ break;
+- }
+- else if( algo == 4 && opt.expert)
+- {
+- tty_printf(_(
+-"The use of this algorithm is only supported by GnuPG. You will not be\n"
+-"able to use this key to communicate with PGP users. This algorithm is also\n"
+-"very slow, and may not be as secure as the other choices.\n"));
+-
+- if( cpr_get_answer_is_yes("keygen.algo.elg_se",
+- _("Create anyway? ")))
+- {
+- algo = PUBKEY_ALGO_ELGAMAL;
+- *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
+- break;
+- }
+ }
+ else if( algo == 3 && addmode ) {
+ algo = PUBKEY_ALGO_ELGAMAL_E;
diff --git a/security/gnupg/patches/patch-aj b/security/gnupg/patches/patch-aj
new file mode 100644
index 00000000000..3e1c8c1c51f
--- /dev/null
+++ b/security/gnupg/patches/patch-aj
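Review bot: The menu printed by ask_algo now jumps from choice 3 to choice 5 with nothing in the code saying why 4 is missing, and the patch file carries no description line after its `$NetBSD$` tag. A short comment where the two `tty_printf` lines were removed, for example `/* (4) ElGamal sign+encrypt removed: type 20 signing keys are vulnerable */`, would keep a later maintainer from renumbering the list or re-adding the choice. This patch only takes away the interactive selection; ask_algo continues outside both inner hunks, so whether a typed 4 is rejected by a later branch, and whether any non-interactive generation path still accepts PUBKEY_ALGO_ELGAMAL, cannot be seen here and should be confirmed.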
@@ -0,0 +1,43 @@
+$NetBSD: patch-aj,v 1.1.2.2 2003/12/08 11:36:12 agc Exp $
+
+--- g10/getkey.c.orig Mon Jul 28 20:34:41 2003
++++ g10/getkey.c
+@@ -1049,7 +1049,11 @@ get_seckey_byname2( GETKEY_CTX *retctx,
+ ctx.items[0].mode = KEYDB_SEARCH_MODE_FIRST;
+ rc = lookup( &ctx, &kb, 1 );
+ if (!rc && sk )
+- sk_from_block ( &ctx, sk, kb );
++ {
++ sk_from_block ( &ctx, sk, kb );
++ if(sk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ rc=G10ERR_UNU_SECKEY;
++ }
+ release_kbnode ( kb );
+ get_seckey_end( &ctx );
+ }
+@@ -1655,6 +1659,11 @@ merge_selfsigs_main( KBNODE keyblock, in
+ if ( x ) /* mask it down to the actual allowed usage */
+ key_usage &= x;
+ }
++
++ /* Type 20 Elgamal keys are not usable. */
++ if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ key_usage=0;
++
+ pk->pubkey_usage = key_usage;
+
+ if ( !key_expire_seen ) {
+@@ -1869,6 +1878,13 @@ merge_selfsigs_subkey( KBNODE keyblock,
+ if ( x ) /* mask it down to the actual allowed usage */
+ key_usage &= x;
+ }
++
++ /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are
++ not usable. */
++ if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL
++ || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ key_usage=0;
++
+ subpk->pubkey_usage = key_usage;
+
+ p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL); |
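Review bot: In the get_seckey_byname2 hunk the algorithm test runs only after `sk_from_block ( &ctx, sk, kb );` has filled the caller's `sk`, so on the G10ERR_UNU_SECKEY path the caller still receives a populated secret-key structure for a key that is meant to be rejected. Whether every caller discards `sk` on a non-zero return is not visible in this hunk; if that is not guaranteed, the error path should release or clear `sk` before returning. The new test also sits only in the branch that searches with KEYDB_SEARCH_MODE_FIRST, and unlike the two merge_selfsigs hunks it has no comment; something like `/* Type 20 Elgamal keys must not be returned as the default secret key. */` above it would document the intent. The rest of get_seckey_byname2 lies outside the hunk, so any by-name lookup there presumably depends on the `key_usage=0` masking added in merge_selfsigs_main and merge_selfsigs_subkey, which is worth verifying.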