Security fix for CVE-2006-3082:

"parse-packet.c in GnuPG (gpg) 1.4.3 and 1.9.20, and earlier versions,
 allows remote attackers to cause a denial of service (gpg crash) and
 possibly overwrite memory via a message packet with a large length,
 which could lead to an integer overflow, as demonstrated using the
 --no-armor option."

Patch from GnuPG CVS repository.
Bump PKGREVISION.

1 files changed, 27 insertions, 0 deletions

diff --git a/security/gnupg/patches/patch-ba b/security/gnupg/patches/patch-ba
new file mode 100644
index 00000000000..2027b44108c
--- /dev/null
+++ b/security/gnupg/patches/patch-ba
@@ -0,0 +1,27 @@
+$NetBSD: patch-ba,v 1.1 2006/06/24 14:20:29 salo Exp $
+
+Security fix for CVE-2006-3082, from GnuPG CVS repository.
+
+--- g10/parse-packet.c.orig	2005-12-06 14:22:19.000000000 +0100
++++ g10/parse-packet.c	2006-06-24 16:09:34.000000000 +0200
+@@ -1972,6 +1972,20 @@
+ {
+     byte *p;
+ 
++    /* Cap the size of a user ID at 2k: a value absurdly large enough
++       that there is no sane user ID string (which is printable text
++       as of RFC2440bis) that won't fit in it, but yet small enough to
++       avoid allocation problems.  A large pktlen may not be
++       allocatable, and a very large pktlen could actually cause our
++       allocation to wrap around in xmalloc to a small number. */
++
++    if(pktlen>2048)
++      {
++	log_error("packet(%d) too large\n", pkttype);
++	iobuf_skip_rest(inp, pktlen, 0);
++	return G10ERR_INVALID_PACKET;
++      }
++
+     packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen);
+     packet->pkt.user_id->len = pktlen;
+     packet->pkt.user_id->ref=1;