author | agc <agc@pkgsrc.org> | 2016-06-14 18:00:59 +0000 |
---|---|---|
committer | agc <agc@pkgsrc.org> | 2016-06-14 18:00:59 +0000 |
commit | 92d975bfc63a42370283a66092ebc500c785e16b (patch) | |
tree | 309604635a106b3e9179f789eff11e40c5504833 /security/netpgpverify | |
parent | f90dbeda830a03570068c84b5e314a78a605e07f (diff) | |
download | pkgsrc-92d975bfc63a42370283a66092ebc500c785e16b.tar.gz |
Update netpgpverify (and libnetpgpverify) to 20160614
+ handle signatures created by gpg with "--no-emit-version", don't assume
there will always be a version string.
+ add a test for above
Fixes security PR/51240.
Thanks to xnox@ubuntu.com for reporting the error
Diffstat (limited to 'security/netpgpverify')
-rw-r--r-- | security/netpgpverify/files/Makefile.bsd | 4 | ||||
-rw-r--r-- | security/netpgpverify/files/Makefile.in | 4 | ||||
-rw-r--r-- | security/netpgpverify/files/libverify.c | 15 | ||||
-rw-r--r-- | security/netpgpverify/files/noversion.asc | 14 | ||||
-rw-r--r-- | security/netpgpverify/files/verify.h | 4 |
5 files changed, 32 insertions, 9 deletions
diff --git a/security/netpgpverify/files/Makefile.bsd b/security/netpgpverify/files/Makefile.bsd
index 495133cc7cc..5c0f0589baf 100644
--- a/security/netpgpverify/files/Makefile.bsd
+++ b/security/netpgpverify/files/Makefile.bsd
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.bsd,v 1.8 2015/02/05 00:21:57 agc Exp $
+# $NetBSD: Makefile.bsd,v 1.9 2016/06/14 18:00:59 agc Exp $
 PROG=netpgpverify
@@ -43,3 +43,5 @@ tst:
 rm -f 1keytest.gpg
 @echo "testing signing with a subkey"
 ./chk.sh -k joyent-pubring.gpg digest-20121220.tgz
+ @echo "testing signatures with no version"
+ ./${PROG} -k pubring.gpg noversion.asc
diff --git a/security/netpgpverify/files/Makefile.in b/security/netpgpverify/files/Makefile.in
index 11055f597ae..b3c430930f1 100644
--- a/security/netpgpverify/files/Makefile.in
+++ b/security/netpgpverify/files/Makefile.in
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.in,v 1.4 2015/08/17 11:37:55 jperkin Exp $
+# $NetBSD: Makefile.in,v 1.5 2016/06/14 18:00:59 agc Exp $
 PROG=netpgpverify
@@ -43,6 +43,8 @@ tst:
 rm -f 1keytest.gpg
 @echo "testing signing with a subkey"
 ./chk.sh -k joyent-pubring.gpg digest-20121220.tgz
+ @echo "testing signatures with no version"
+ ./${PROG} -k pubring.gpg noversion.asc
 clean:
 rm -rf *.core ${OBJS} ${PROG}
diff --git a/security/netpgpverify/files/libverify.c b/security/netpgpverify/files/libverify.c
index e749c45f921..81de971ab4e 100644
--- a/security/netpgpverify/files/libverify.c
+++ b/security/netpgpverify/files/libverify.c
@@ -2022,12 +2022,17 @@ read_ascii_armor(pgpv_cursor_t *cursor, pgpv_mem_t *mem, const char *filename)
 }
 litdata.u.litdata.len = litdata.s.size = (size_t)(p - datastart);
 p += strlen(SIGSTART);
- if ((p = find_bin_string(p, mem->size, "\n\n", 2)) == NULL) {
- snprintf(cursor->why, sizeof(cursor->why),
- "malformed armed signature at %zu", (size_t)(p - mem->mem));
- return 0;
+ /* Work out whther there's a version line */
+ if (memcmp(p, "Version:", 8) == 0) {
+ if ((p = find_bin_string(p, mem->size, "\n\n", 2)) == NULL) {
+ snprintf(cursor->why, sizeof(cursor->why),
+ "malformed armed signature at %zu", (size_t)(p - mem->mem));
+ return 0;
+ }
+ p += 2;
+ } else {
+ p += 1;
 }
- p += 2;
 sigend = find_bin_string(p, mem->size, SIGEND, strlen(SIGEND));
 binsigsize = b64decode((char *)p, (size_t)(sigend - p), binsig, sizeof(binsig));
diff --git a/security/netpgpverify/files/noversion.asc b/security/netpgpverify/files/noversion.asc
new file mode 100644
index 00000000000..d719aef811b
--- /dev/null
+++ b/security/netpgpverify/files/noversion.asc
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+bar
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAEBAgAGBQJXYEJcAAoJEBto3PzAWWgjk5cH/03A4/a+ywsnzZMncQ7H7rtu
+QiIWwyiJo28Xf5z3fL5WG6VKNJdPpx0TIthcxu0O1YgF6lvqqQbnNpfNbD+1h88+
+JCcqJfyVk38vsFPxdFTIOWjbEtHs9yyjUVk5tJQrxtTaSJbGtQIMHQXXfWAyKCn4
+0Zl+E2iWb6tXxxMaAkrCOipjC9knuTJJbG6oVZpujp7jOt+2bOWY+89+FhoGJ5tv
+XiOvqIUUSW5Iua+wBOmhb/iuNFUVrO8rS/7BpMLQmxbnLxWtwwSWIcyyg6BwiIvm
+8K5NmD3WKN97tPA1HYjk76SlLj254OVLDmTZua7ljqasl5PR9W+aUFIByDgQrGE=
+=90+m
+-----END PGP SIGNATURE-----
diff --git a/security/netpgpverify/files/verify.h b/security/netpgpverify/files/verify.h
index 29a3d5814d5..83fd14ed592 100644
--- a/security/netpgpverify/files/verify.h
+++ b/security/netpgpverify/files/verify.h
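Review bot: `memcmp(p, "Version:", 8)` reads eight bytes at p without first checking that eight bytes remain before `mem->mem + mem->size`, so an input that is cut off just after the BEGIN line is read past the end of the buffer, and the `else` branch assumes Version: is the only armor header a signature block can carry, so any other header line (Comment: is emitted by gpg independently of --no-emit-version) is skipped by one byte and handed to b64decode as if it were the signature body. Testing for a blank line rather than for the Version: string covers both, e.g. `if ((size_t)(p - mem->mem) < mem->size && *p != '\n') {` in place of the memcmp — assuming, as the `p += 1` in the else branch implies, that p sits on the newline that ends the BEGIN line. In the rebuilt error path `(size_t)(p - mem->mem)` is evaluated after the failed find_bin_string has already stored NULL in p, so the reported offset is meaningless; keep the pre-search pointer in a local and print that instead. The `sigend` on the following context line is still not checked for NULL before `sigend - p`, and both find_bin_string calls are given `mem->size` rather than the bytes remaining after p, so the search and the decode can still run past the input; read_ascii_armor continues outside the hunk. The added comment reads `whther` for `whether`.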
@@ -23,9 +23,9 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
 #ifndef NETPGP_VERIFY_H_
-#define NETPGP_VERIFY_H_ 20160313
+#define NETPGP_VERIFY_H_ 20160614
-#define NETPGPVERIFY_VERSION "netpgpverify portable 20160313"
+#define NETPGPVERIFY_VERSION "netpgpverify portable 20160614"
 #include <sys/types.h> |